deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
Beth Levin 3427cfb7a9 updated edr code
2019-11-06 10:43:31 -08:00

6.1 KiB
Raw Blame History

title, description, keywords, search.product, search.appverid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.author, author, ms.localizationpriority, manager, audience, ms.collection, ms.topic
title description keywords search.product search.appverid ms.prod ms.mktglfcycl ms.sitesec ms.pagetype ms.author author ms.localizationpriority manager audience ms.collection ms.topic
Resources for Microsoft Defender ATP for Mac Resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product. microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra eADQiWindows 10XVcnh met150 w10 deploy library security dansimp dansimp medium dansimp ITPro M365-security-compliance conceptual

Resources for Microsoft Defender ATP for Mac

Applies to:

Collecting diagnostic information

If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.

  1. Increase logging level:

    $ mdatp --log-level verbose
Creating connection to daemon
Connection established
Operation succeeded

  2. Reproduce the problem

  3. Run sudo mdatp --diagnostic --create to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.

    $ sudo mdatp --diagnostic --create
Creating connection to daemon
Connection established

  4. Restore logging level:

    $ mdatp --log-level info
Creating connection to daemon
Connection established
Operation succeeded

Logging installation issues

If an error occurs during installation, the installer will only report a general failure.

The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.

Uninstalling

There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.

Interactive uninstallation

  • Open Finder > Applications. Right click on Microsoft Defender ATP > Move to Trash.

From the command line

  • sudo rm -rf '/Applications/Microsoft Defender ATP.app'

Configuring from the command line

Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:

Group Scenario Command
Configuration Turn on/off real-time protection mdatp --config realTimeProtectionEnabled [true/false]
Configuration Turn on/off cloud protection mdatp --config cloudEnabled [true/false]
Configuration Turn on/off product diagnostics mdatp --config cloudDiagnosticEnabled [true/false]
Configuration Turn on/off automatic sample submission mdatp --config cloudAutomaticSampleSubmission [true/false]
Configuration Turn on PUA protection mdatp --threat --type-handling potentially_unwanted_application block
Configuration Turn off PUA protection mdatp --threat --type-handling potentially_unwanted_application off
Configuration Turn on audit mode for PUA protection mdatp --threat --type-handling potentially_unwanted_application audit
Diagnostics Change the log level mdatp --log-level [error/warning/info/verbose]
Diagnostics Generate diagnostic logs mdatp --diagnostic --create
Health Check the product's health mdatp --health
Protection Scan a path mdatp --scan --path [path]
Protection Do a quick scan mdatp --scan --quick
Protection Do a full scan mdatp --scan --full
Protection Cancel an ongoing on-demand scan mdatp --scan --cancel
Protection Request a security intelligence update mdatp --definition-update
EDR Turn on/off EDR preview for Mac mdatp --edr --early-preview [true/false]
EDR Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups mdatp --edr --set-tag GROUP [name]
EDR Remove group tag from machine mdatp --edr --remove-tag [name]

Microsoft Defender ATP portal information

In the Microsoft Defender ATP portal, you'll see two categories of information.

Antivirus alerts, including:

  • Severity
  • Scan type
  • Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
  • File information (name, path, size, and hash)
  • Threat information (name, type, and state)

Device information, including:

  • Machine identifier
  • Tenant identifier
  • App version
  • Hostname
  • OS type
  • OS version
  • Computer model
  • Processor architecture
  • Whether the device is a virtual machine

Note

Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app and select Help > Send feedback on your device. Optionally, use the Feedback button in the Microsoft Defender Security Center.