Deploying Microsoft Defender to macOS devices
Introduction
The EPM Core team deploys Microsoft Defender to macOS devices that are not excluded using the extension attribute. All sites should have site configuration profiles to manage tagging and scan exclusions.
Checking your JAMF site for the necessary smart groups, configuration profiles, and policies
Log into your EPM JAMF site and verify that the following smart groups, configuration profiles, and policies are in place. If you find any of these items missing, you will need to contact a member of the EPM Core team to resolve the problem, as site admins generally do not have the correct permissions in EPM JAMF to resolve this on their own.
Configuration Profiles
Verify that your EPM JAMF site has all of the following configuration profiles:
SITE-Microsoft Defender-MDATP MDAV-Scan Exclusions
SITE-Microsoft Defender-MDATP MDAV-Tagging
The SITE prefix in the lists above will actually be the prefix for your CSU site in JAMF (e.g. LAITS).
Edit Scan Exclusions
You can add and remove exclusions to the scanner by adding or removing path sets. To exclude an entire directory, take the code below, add the path you want to exclude, and insert it at the bottom of the list, just above </array>, in the SITE-Microsoft Defender-MDATP MDAV-Scan Exclusions configuration profile, then redeploy it to all devices. Wildcards are permitted.
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/Directory Path</string>
</dict>
You can also exclude extensions and specific files by using the strings below.
<dict>
<key>$type</key>
<string>excludedFileExtension</string>
<key>extension</key>
<string>pdf</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileName</string>
<key>name</key>
<string>/path/File Name</string>
</dict>
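A pre-deployment check for the exclusion entries described above, added here as an example and not part of the EPM team's own tooling. It parses an exclusions array, confirms each entry uses one of the three `$type` values shown on this page with its required keys, and flags directory exclusions that would blind the scanner to a whole top-level location. The function name `lint_exclusions`, the `BROAD` list, and the sample paths are assumptions constructed for illustration; the array is wrapped in a `<plist>` element so it can be parsed on its own.

```python
import plistlib

# Required keys per exclusion $type, as shown in the snippets on this page.
REQUIRED = {
    "excludedPath": ("isDirectory", "path"),
    "excludedFileExtension": ("extension",),
    "excludedFileName": ("name",),
}
# Assumption: locations a site would consider too broad to exclude wholesale.
BROAD = {"/", "/Users", "/Applications", "/Library", "/System", "/private", "/tmp", "/var"}

def lint_exclusions(plist_bytes):
    """Return (index, message) findings for an exclusions <array>."""
    entries = plistlib.loads(plist_bytes)  # raises on malformed XML
    if not isinstance(entries, list):
        raise ValueError("expected an <array> of exclusion dicts")
    findings = []
    for i, entry in enumerate(entries):
        kind = entry.get("$type") if isinstance(entry, dict) else None
        if kind not in REQUIRED:
            findings.append((i, f"unknown $type: {kind!r}"))
            continue
        missing = [k for k in REQUIRED[kind] if k not in entry]
        if missing:
            findings.append((i, f"{kind} missing: {', '.join(missing)}"))
        elif kind == "excludedPath":
            path = entry["path"]
            if not path.startswith("/"):
                findings.append((i, f"path is not absolute: {path}"))
            elif (path.rstrip("/*") or "/") in BROAD:
                findings.append((i, f"path is too broad: {path}"))
    return findings

# Constructed sample: the exclusions array wrapped in <plist> so it parses alone.
SAMPLE = b"""<plist version="1.0"><array>
<dict><key>$type</key><string>excludedPath</string>
  <key>isDirectory</key><true/><key>path</key><string>/Users/Shared/BuildCache</string></dict>
<dict><key>$type</key><string>excludedPath</string>
  <key>isDirectory</key><true/><key>path</key><string>/Users/*</string></dict>
<dict><key>$type</key><string>excludedFileExtension</string>
  <key>extension</key><string>pdf</string></dict>
<dict><key>$type</key><string>excludedPath</string>
  <key>path</key><string>/opt/site/tools</string></dict>
<dict><key>$type</key><string>excludedFolder</string>
  <key>path</key><string>/opt/site/logs</string></dict>
</array></plist>"""

if __name__ == "__main__":
    for index, message in lint_exclusions(SAMPLE):
        print(f"entry {index}: {message}")
```

An empty result means every entry is well formed and none matches the broad-path list; review any finding before redeploying the profile.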
Site specific tagging
This profile contains a plist that will set the group associated with any device the profile is deployed to.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>edr</key>
<dict>
<key>tags</key>
<array>
<dict>
<key>key</key>
<string>GROUP</string>
<key>value</key>
<string>!!!!YOUR SITE GOES HERE!!!</string>
</dict>
</array>
</dict>
</dict>
</plist>