Microsoft Defender Recipe (macOS)

Description

~~Example~~Quick answer: This recipe ~~for deploying~~deploys Microsoft ~~Defender.~~Defender for Endpoint on macOS by combining Microsoft’s PKG and onboarding script with the required FileWave profiles and Filesets.

Ingredients

The ~~list~~deployment isuses ~~actually~~several ~~quite~~payloads, ~~extensive,~~so ~~due~~gather tothem before assigning the ~~necessary payloads:~~Fileset:

Microsoft Defender PKG
Deployment Script: MicrosoftDefenderATPOnboardingMacOs.sh
~~Below~~Provided ~~provided~~Installer/Uninstaller ~~Fileset~~Filesets from this article
Profiles for:
- Web Content Filter
- TCC allowances
- Notifications
- Data ~~Acceptance~~acceptance &and ~~Autoupdater~~Microsoft AutoUpdate
- System extensions and ~~Kernel~~legacy ~~Extensions~~kernel extensions

Downloads:

See below directions for deployment before associating with devices.

Microsoft Defender PKG and deployment script are available through the M365 Defender portal; details in the Microsoft Deployment KB:

The 'MicrosoftDefenderATPOnboardingMacOs.sh' is built by Microsoft with the appropriate licence code embedded into the script, such that the download is personal to the logged in account, when downloading.

               <key>OrgId</key>
                <string>[licence code here]</string>

The 'OnboardingInfo' key also has this code burnt into its value.

Directions

Download ~~all of~~ the ~~above~~Filesets ~~provided~~attached ~~Filesets.~~above. ~~Note the~~The Kernel Extension profile should only be ~~required~~needed for legacy ~~devices.~~devices that still require it.

Fileset Group

Create a Fileset Group in which to add each of these.

~~Profiles~~Install ~~should~~the beprofiles ~~installed firsts.~~first. The Installer Fileset has a requirement script tothat ~~ensure~~checks ~~Profiles~~for ~~are~~the ~~installed,~~profiles before ~~commencing with download~~downloading and ~~activation of~~activating the ~~Installer.~~installer.

The requirement script is designed to confirm ~~ALL~~that all required profiles are installed ~~in advance, with~~before the ~~exception~~installer ofruns, except for the legacy Kernel ~~Extension,~~Extension ~~since~~profile. ~~this~~If isyour ~~legacy.~~environment ~~The~~still ~~Profile ID of~~needs the Kernel Extension ~~may~~profile, beadd ~~added~~its Profile ID to the list within the Fileset. If ~~this is requirement, but~~you are ~~unsure how to approach this, just~~unsure, ask in ~~either~~the FileWave community channels linked from the ~~Discord,~~Resources ~~Alliance or Slack FileWave forums. Links available through the 'Resources'~~area of the FileWave ~~Website~~website.

Installer: 'wdav.pkg'

The 'Microsoft Defender Installer macOS' Fileset requires the downloaded PKG. Open the Fileset and drag the PKG into the same location as the '.placeholder' file; this placeholder file may be deleted.

Script: MicrosoftDefenderATPOnboardingMacOs.sh

Edit the text of the provided 'MicrosoftDefenderATPOnboardingMacOs.sh' file within the Fileset and paste in a copy of the script contents downloaded from Microsoft:

Profile Payload Values

The ~~Profiles~~profiles tothat manage ~~the~~Microsoft ~~AutoUpdater~~AutoUpdate and ~~Notifications~~notifications are configured with default ~~values,~~values. ~~consider~~Confirm ~~confirming an~~your internal ~~desired~~ process and adjust tothe ~~match.~~values if needed.

The 'AcknowledgedDataCollectionPolicy' key prevents a user notification pop-up from showing. Recommendation is to leave this value as set.

All other profile payload values should be correct at the time of writing, however, Microsoft may make changes over time which could require alteration of one or more of these.

Details pertaining to the contents of the payloads may be viewed in Microsoft's Defender Policies documentation; scroll down past the initial unnecessary information until you reach Step 4.

Assign to Devices

~~By way of either~~Use a ~~'Deployment'~~Deployment or ~~'Association'~~Association ~~within~~in ~~FileWave,~~FileWave to assign the Fileset to one or more test ~~devices~~devices. ~~and~~After ~~once happy~~validation, expand ~~this~~the assignment to ~~more~~additional devices.

Additional Information

The requirement script within the Installer Fileset isensures ~~designed~~the ~~to ensure all~~required profiles are ~~in place~~installed before ~~downloading~~download and ~~commencing~~installation ~~with the installation.~~begin. Script output ~~from~~appears ~~the~~in Client Info > Fileset Status ~~displays logged information.~~.

Example:

~~First~~In ~~time~~this example, the first script ~~ran,~~run found that the ~~Profiles~~profiles were not ~~yet~~ installed. On the next ~~run~~run, the profiles were installed and the requirement script exited with a value of 0.

Script Log:

----------------------- HEADER - Date: (Mon Sep 25 2023) - Time: (13:36:40) -----------------------
Set to match all profile IDs

Looking for profile: ml1063.local.5b1e7237-2773-4d3a-9627-361c4dd8a9b0.Configuration.5b1e7237-2773-4d3a-9627-361c4dd8a9b0
Profile found: FALSE

Looking for profile: ml1063.local.bd9007c3-41d6-45bb-a2bf-774ec901e4c2.Configuration.bd9007c3-41d6-45bb-a2bf-774ec901e4c2
Profile found: FALSE

Looking for profile: ml1063.local.7f249c3c-f79a-48cf-952c-dd178a00a5a6.Configuration.7f249c3c-f79a-48cf-952c-dd178a00a5a6
Profile found: FALSE

Looking for profile: ml1063.local.f68916cf-c1e0-47e2-a73c-700678267fe8.Configuration.f68916cf-c1e0-47e2-a73c-700678267fe8
Profile found: FALSE

Looking for profile: ml1063.local.4726b0a7-4f74-4369-8aeb-2450e4f0f935.Configuration.4726b0a7-4f74-4369-8aeb-2450e4f0f935
Profile found: FALSE
Only found 0 profiles from the supplied list of 5

----------------------- FOOTER - Date: (Mon Sep 25 2023) - Time: (13:36:41) - Exit code: (1) -----------------------

----------------------- HEADER - Date: (Mon Sep 25 2023) - Time: (13:39:31) -----------------------
Set to match all profile IDs

Looking for profile: ml1063.local.5b1e7237-2773-4d3a-9627-361c4dd8a9b0.Configuration.5b1e7237-2773-4d3a-9627-361c4dd8a9b0
Profile found: TRUE

Looking for profile: ml1063.local.bd9007c3-41d6-45bb-a2bf-774ec901e4c2.Configuration.bd9007c3-41d6-45bb-a2bf-774ec901e4c2
Profile found: TRUE

Looking for profile: ml1063.local.7f249c3c-f79a-48cf-952c-dd178a00a5a6.Configuration.7f249c3c-f79a-48cf-952c-dd178a00a5a6
Profile found: TRUE

Looking for profile: ml1063.local.f68916cf-c1e0-47e2-a73c-700678267fe8.Configuration.f68916cf-c1e0-47e2-a73c-700678267fe8
Profile found: TRUE

Looking for profile: ml1063.local.4726b0a7-4f74-4369-8aeb-2450e4f0f935.Configuration.4726b0a7-4f74-4369-8aeb-2450e4f0f935
Profile found: TRUE
All profiles found.  Exiting 0

----------------------- FOOTER - Date: (Mon Sep 25 2023) - Time: (13:39:33) - Exit code: (0) -----------------------

Subsequently, the Fileset downloaded and activated:

Client Log:

2023-09-25 13:39:34.758|main|INFO|CLIENT|about to downloadAllFileset files for Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320
2023-09-25 13:39:35.697|main|INFO|CLIENT|Downloading Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320
2023-09-25 14:03:49.650|main|INFO|CLIENT|finished downloadFileset files for Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320
2023-09-25 14:03:50.285|main|INFO|CLIENT|Create all folders of fileset ID Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320, version 4
2023-09-25 14:03:50.289|main|INFO|CLIENT|Activate all files of Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320, version 4
2023-09-25 14:03:50.465|main|INFO|CLIENT|Done activating all 4 files of Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320, version 4