rterakedis / rterakedis.github.io

Personal blog and website for https://github.com/rterakedis
https://blog.euc-rt.me

2020-02-18-Deploying-Microsoft-ATP-Defender-for-Mac-using-Workspace-One/ #5

Closed utterances-bot closed 6 months ago

utterances-bot commented 4 years ago

Deploying Microsoft Defender ATP for macOS using Workspace ONE UEM - Robert Terakedis

Converting Jamf templates to Workspace ONE templates

https://blog.euc-rt.me/2020-02-18-Deploying-Microsoft-ATP-Defender-for-Mac-using-Workspace-One/

shanemartin22 commented 4 years ago

Hi Robert, (We are moving away from JAMF to the Workspace One UEM environment) As you may know, JAMF has the ability to inject variables into files and then push those files to clients. More specifically, we have the need to push a PLIST file with each user's own email address in it. How would we do that using WS One UEM? Thanks

rterakedis commented 4 years ago

@shanemartin22 - Workspace ONE does support lookup values throughout most of the console. You'll see it presented as a plus sign next to the field where you can add it. If you're doing Custom Settings, you should be able to manually type the lookup value required (use the curly braces and the lookup value name -- e.g. {EmailAddress}).

shanemartin22 commented 4 years ago

Thanks Robert, Unfortunately, the section in Workspace UEM I am working with (Files/Actions) is not translating {EmailAddress} into the user's email address. As an alternative, is there a way for Workspace UEM to push lookup values as system variables onto the device? (macOS specifically) Cheers

rterakedis commented 4 years ago

@shanemartin22 - there is a workaround for doing this but it involves some scripting, mostly because the Products framework is old. I haven't tried doing this in a while (so definitely test first), but the gist of it goes like this:

  1. Send a Custom Attributes profile to the device where the Attributes script simply echoes the lookup value (name the custom attribute something like "eaddress"):
    #!/bin/bash
    echo {EmailAddress}
  2. Use a script to read the CustomAttributes database:
    /usr/libexec/PlistBuddy -c "Print :eaddress" /Library/Application\ Support/AirWatch/Data/CustomAttributes/CustomAttributes.plist
  3. In that same script, use PlistBuddy to edit the key-value pair in your plist to insert the value you read in the previous step.

This is a good tutorial to using plistbuddy: https://fgimian.github.io/blog/2015/06/27/a-simple-plistbuddy-tutorial/
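Steps 2 and 3 of the workaround above, written out as an added example (this is not code from the blog post, the thread, or VMware). It uses Python's `plistlib` instead of PlistBuddy so that the attribute value is never interpolated into a shell command string, which matters when the value comes from a lookup field such as an email address. Assumptions: the Custom Attributes database is a flat dictionary keyed by attribute name (which is what `Print :eaddress` in the comment implies), the attribute was named `eaddress`, and the target plist is a flat dictionary; all paths are parameters so the functions can be exercised against constructed files in a temp directory.

```python
#!/usr/bin/env python3
"""Carry a Workspace ONE lookup value, already written to the device by a
Custom Attributes profile, into a key of another plist on the device.
Added example; the paths and attribute name are assumptions."""
import os
import plistlib
import tempfile

# Path quoted in the thread; only a default for a real device.
CUSTOM_ATTR_DB = ("/Library/Application Support/AirWatch/Data/"
                  "CustomAttributes/CustomAttributes.plist")


def read_custom_attribute(db_path, name):
    """Return the value of custom attribute `name`, or None if it is absent.
    Same result as `PlistBuddy -c "Print :name"`, but no shell quoting."""
    with open(db_path, "rb") as fh:
        db = plistlib.load(fh)  # assumed: flat dict keyed by attribute name
    value = db.get(name)
    if value is None:
        return None
    # The Custom Attributes script echoes the value, so strip its trailing newline.
    return str(value).strip()


def set_plist_value(target_path, key, value):
    """Set key=value in the target plist (created if missing); return the dict.
    The value is written as plist data, so quotes, spaces or backticks in an
    address cannot break or alter a command the way they could with
    `PlistBuddy -c "Set :key $value"`."""
    data = {}
    if os.path.exists(target_path):
        with open(target_path, "rb") as fh:
            data = plistlib.load(fh)
    data[key] = value
    with open(target_path, "wb") as fh:
        plistlib.dump(data, fh)
    return data


def inject_attribute(db_path, attr_name, target_path, target_key):
    """Steps 2 and 3 in one call. Returns the value written, or None and
    leaves the target untouched when the attribute is not on the device yet
    (for example the Custom Attributes profile has not run)."""
    value = read_custom_attribute(db_path, attr_name)
    if not value:
        return None
    set_plist_value(target_path, target_key, value)
    return value


def demo(attr_name="eaddress"):
    """Self-contained run against constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "CustomAttributes.plist")
        target = os.path.join(tmp, "com.example.app.plist")
        # Constructed stand-in for the file Workspace ONE writes on the device;
        # the value carries the newline that `echo` leaves behind.
        with open(db, "wb") as fh:
            plistlib.dump({"eaddress": "jane.doe@example.com\n"}, fh)
        return inject_attribute(db, attr_name, target, "UserEmail")


if __name__ == "__main__":
    print(demo())
```

On a device this would run as a Workspace ONE script after the Custom Attributes profile, calling `inject_attribute(CUSTOM_ATTR_DB, "eaddress", "/path/to/target.plist", "UserEmail")` and exiting non-zero when it returns None so the failure is visible in the console.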

mtass commented 4 years ago

Hi Robert, I was wondering if you can help us out. I have been trying to deploy Microsoft Defender onboarding settings to our client Mac machines but am having trouble, as we are coming from a Jamf environment. I have downloaded the onboarding file from the ATP portal (see below for the format and settings; I haven't listed our org ID and onboarding info, just put general values in this file, but I will add them in). However, when I have created a new profile, pasted these exact settings into the Custom Settings section of the profile and deployed it, it will not onboard and licence the Defender client. Any ideas of what we may be doing wrong, or if there is a simpler way of doing this to get everything onboarded and activated?

Many Thanks

Downloaded Onboarding plist from Microsoft ATP Defender portal:

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadUUID</key>
        <string>A27F524F-7A54-4E9A-B459-B50A321C4295</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadOrganization</key>
        <string>Microsoft</string>
        <key>PayloadIdentifier</key>
        <string>A27F524F-7A54-4E9A-B459-B50A321C4295</string>
        <key>PayloadDisplayName</key>
        <string>WDATP settings</string>
        <key>PayloadDescription</key>
        <string>WDATP configuration settings.</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <!-- boolean (<true/> or <false/>) did not survive the paste -->
        <key>PayloadRemovalDisallowed</key>
        <!-- boolean did not survive the paste -->
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadUUID</key>
                <string>D71143E9-8F41-47EE-8CD2-69495E82C6AC</string>
                <key>PayloadType</key>
                <string>com.microsoft.wdav.atp</string>
                <key>PayloadOrganization</key>
                <string>Microsoft</string>
                <key>PayloadIdentifier</key>
                <string>D71143E9-8F41-47EE-8CD2-69495E82C6AC</string>
                <key>PayloadDisplayName</key>
                <string>WDATP configuration settings</string>
                <key>PayloadDescription</key>
                <string></string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadEnabled</key>
                <!-- boolean did not survive the paste -->
                <key>AllowUserOverrides</key>
                <!-- boolean did not survive the paste -->
                <key>OrgId</key>
                <string>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</string>
                <key>OnboardingInfo</key>
                <string>settings from our Defender ATP Admin center</string>
            </dict>
        </array>
    </dict>
    </plist>
mtass commented 4 years ago

Apologies but I cannot attach the plist in the correct format to this blog which is why it displays differently in this blog.

shanemartin22 commented 4 years ago

Thanks Robert,

Steps 1 and 2 were incredibly useful and got me on my way. I didn't end up using PlistBuddy, just Apple's own "defaults read" command.

Thanks again!

rterakedis commented 4 years ago

@mtass - Happy to help out. Some other folks have been asking about this on VMTN - you may want to chime in on one of the posts there:

I don't personally have access to Defender ATP, but if you can send over some detail on what files get downloaded from the Microsoft site (and the contents of those files), we can try to piece together an update to the doc we put on GitHub: https://github.com/vmware-samples/euc-samples/tree/master/macOS-Samples/3rd-Party_Software_Guidance/Microsoft-Defender-ATP

mtass commented 2 years ago

Hi Robert,

We are having issues in trying to schedule a daily quick scan as well as a full scan for Microsoft Defender for macOS (as there is no API for macOS Microsoft Defender in Workspace ONE UEM). We currently have a support ticket open with Workspace ONE support but wanted to ask for your help as well.

We have set the custom XML in the profile listed below; the profile deploys fine to my test MacBook (Big Sur) but it does not execute. We have also sent the Microsoft link (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-schedule-scan?view=o365-worldwide#schedule-a-scan-with-launchd) to support to get it to work in Workspace ONE.

Any help greatly appreciated or if you know how to get it to work for us or what we are missing could you please let us know what is needed to be changed in the code.

Attachment: Defender Custom XML Code- Quick Scan.txt

Many Thanks

rterakedis commented 2 years ago

@mtass -- the content you're sending in the profile is indeed XML in a *.plist file, but the actual format of the XML is to define a Launch Daemon (and not a Preference). These are two very different things. I highly suggest you go through the tutorial on launchd at launchd.info. If you intend to use the launchd plists as suggested at the Schedule Scans link you posted earlier, you'll need to attack this in 2 parts:

  1. Create a Package to deliver the com.microsoft.wdav.schedquickscan.plist and com.microsoft.wdav.schedfullscan.plist into the /Library/LaunchDaemons/ folder
  2. Run a script to run the following 2 commands on each file:
    launchctl load /Library/LaunchDaemons/<your file name.plist>
    launchctl start <your file name>

Your other option is you can re-use the 2 scripts provided by Microsoft open source: https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP

These scripts are 2 parts to the process: 1) the first script looks for an existing scan file (and if existing unloads and deletes it), and then writes a new scan configuration by echoing the XML into a file in /Library/LaunchDaemons 2) the second script loads the launchdaemon so the scans start running.

You can repurpose this same setup to do the full scans by just swapping out the XML (and file name) inside the first script and slightly modifying the 2nd script to include the updated XML plist file name.

This second option would be a GREAT candidate to use with the Scripts functionality in Workspace ONE and then you could coordinate the execution/ordering of the scripts with a Freestyle workflow.

Hope that helps!
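The two-part approach above (write a launchd job under /Library/LaunchDaemons, then load it), as an added example that is not the post's, Microsoft's, or VMware's code. It builds the quick/full scan job the Microsoft schedule-scan page describes, tells a launchd job apart from a configuration profile (the mix-up in this thread: the onboarding plist pasted earlier is a profile, a scheduled-scan plist is a job), and checks the file permissions launchd insists on before `launchctl load` will accept a daemon. Assumptions: the Defender CLI lives at `/usr/local/bin/mdatp` and takes `scan quick` / `scan full`, as I recall from Microsoft's documentation; the labels follow the file names named above.

```python
#!/usr/bin/env python3
"""Build, check and (on a device) install a launchd job for a scheduled
Defender scan. Added example; the mdatp path and arguments are assumptions."""
import os
import plistlib
import stat
import tempfile

MDATP = "/usr/local/bin/mdatp"  # assumed install path of the Defender CLI


def build_scan_job(scan_type, hour, minute):
    """Return the launchd job dict for a daily quick or full scan."""
    if scan_type not in ("quick", "full"):
        raise ValueError("scan_type must be 'quick' or 'full'")
    label = f"com.microsoft.wdav.sched{scan_type}scan"
    return {
        "Label": label,
        "ProgramArguments": ["sh", "-c", f"{MDATP} scan {scan_type}"],
        "RunAtLoad": True,
        "StartCalendarInterval": {"Hour": hour, "Minute": minute},
    }


def classify_plist(data):
    """'profile' for a Configuration profile (what Custom Settings expects),
    'launchd' for a job definition (what /Library/LaunchDaemons expects),
    'unknown' otherwise. Sending one where the other belongs deploys
    cleanly and does nothing, which is the symptom in this thread."""
    if data.get("PayloadType") == "Configuration" and "PayloadContent" in data:
        return "profile"
    if "Label" in data and ("ProgramArguments" in data or "Program" in data):
        return "launchd"
    return "unknown"


def check_daemon_file(path):
    """Return the reasons launchd would refuse this file as a daemon: not
    owned by root, group/world-writable, or not a launchd job at all."""
    problems = []
    st = os.stat(path)
    if st.st_uid != 0:
        problems.append("owner is not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    with open(path, "rb") as fh:
        kind = classify_plist(plistlib.load(fh))
    if kind != "launchd":
        problems.append(f"not a launchd job ({kind})")
    return problems


def write_daemon(job, directory="/Library/LaunchDaemons"):
    """Write <Label>.plist with mode 0644 and return (path, launchctl commands).
    `launchctl start` takes the Label, which here equals the file stem."""
    path = os.path.join(directory, job["Label"] + ".plist")
    with open(path, "wb") as fh:
        plistlib.dump(job, fh)
    os.chmod(path, 0o644)
    return path, [f"launchctl load {path}", f"launchctl start {job['Label']}"]


def demo():
    """Write a quick-scan job into a temp dir, show the permission check
    flagging a loosely-permissioned copy and passing the corrected one."""
    with tempfile.TemporaryDirectory() as tmp:
        job = build_scan_job("quick", 2, 0)
        path, cmds = write_daemon(job, tmp)
        os.chmod(path, 0o666)  # simulate a file dropped with loose permissions
        loose = check_daemon_file(path)
        os.chmod(path, 0o644)
        fixed = check_daemon_file(path)
        return job["Label"], cmds, loose, fixed


if __name__ == "__main__":
    for item in demo():
        print(item)
```

On a device, run `write_daemon(build_scan_job("full", 3, 0))` as root, then run the two returned `launchctl` commands; `check_daemon_file` on the written path should come back empty, and "owner is not root" in its output is the usual reason a job that "deploys fine" never fires.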

mtass commented 2 years ago

Hi Robert, I have tried your second step, deploying the scripts via Freestyle Orchestrator (which we only got access to in our Workspace ONE UEM environment yesterday), but I'm having issues with it executing.



I have created 2 separate scripts in WS One and copied and pasted the code as per the GitHub files (from MS Support) for each of the 2 scripts. I have changed the time to run the quick scan to the time I want to; I have even tried changing the execution context and timeout period, but to no avail.



Any other help or assistance is greatly appreciated.

Many Thanks