Enabling PUA as part of Defender for Endpoint and configuring Custom Attributes for macOS using Intune
For the last week or so I have been working on addressing a recommendation flagged in the Defender portal that required configuring Potentially Unwanted Applications (PUA) for macOS.
As part of the recommendation, you can either put PUA in 'Audit' or 'Block' mode. I decided to configure it in 'Block' mode and in the process also felt it will be a good time to configure custom attribute for macOS to capture the status of this setting directly in Intune. While Intune's reporting capabilities are evolving ever so much, I feel there is still a lot of catching up to do when it comes to macOS as an operating system. For example, if you want to check the onboarding or AV status in general, you can easily run a report in Intune, but only for Windows. Sure, you can get status through various other methods like Defender Portal, or even by means of custom reports outside Intune, but this is not always desirable, especially for organizations that have heavily segmented teams with various roles, resulting in confining Intune administrators to Intune portal only. In my honest opinion, I will prefer to see all relevant endpoint management data in a single plane of glass, in this case, Intune.
While configuring PUA and creating a custom attribute for macOS to capture the status may seem straight forward, it actually wasn't for me to to say the least and so I decided to share my experience through this blog post.
Let's start by configuring PUA for macOS. There are multiple ways to configure it. You can create a preference configuration file, or a .mobileconfig file or send a shell command and configure through the mdatp utility. But the best option in my opinion is using the built-in setting in the Endpoint security AV profile which to be honest wasn't super obvious and easy to find. You need to enable the Threat type toggle first and only after that things become a lot clearer. Here is how you can go about setting things up -
1. Navigate to Microsoft Intune admin portal.
2. Go to Endpoint security -> Antivirus -> Create policy.
3. Select Platform as macOS and Profile as Microsoft Defender Antivirus.
4. Give a Name and a even a Description if needed.
5. Configure the following settings:
Note: Configuring acrhive_bomb is optional, but I configured it anyway. I will also suggest to test in 'Audit' mode first before enabling 'Block' mode. Since this is my test lab, I am straight away enabling in 'Block' mode.
6. Assign to a group of devices or users. I normally use the built-in virtual groups as much as possible and control the assignment through filters.
Note: You can configure the same settings using settings catalog, but I chose to use the endpoint security profile as I wanted all AV settings under a single profile.
Now let's configure the custom attributes for macOS. Let me start by saying that I love this feature. It gives the ability to expand the collection of inventory beyond what is currently available in Intune and is a perfectly good way to capture the status of Defender configuration right in Intune. To create a custom attribute for macOS, you first need to create .sh script. If you are looking for inspiration, then I will suggest to look at some of the awesome scripts created by Neil Johnson that can be found over here. Together with Yong Rhee, they both answered some of the questions I had so fair play to them.
To create a custom attribute for PUA status, here are the steps -
First, here is the script I put together -
#!/bin/sh
#set -x
var=$(/usr/local/bin/mdatp threat policy list | grep -a1 potentially_unwanted_application | sed 's/.*type: //' | awk {'print $2}' )
echo "PUA Status:" $var
Note: You can directly call mdatp utility, but chances are Intune may have difficulty locating the utility. During my testing, even though the script worked locally, it didn't run correctly from Intune resulting in custom attribute not populating despite reporting as successful. Therefore, I will suggest to use the absolute path /usr/local/bin/mdatp for calling the mdatp utility.
1. Navigate to Microsoft Intune admin portal.
2. Go to Devices -> macOS -> Custom attributes for macOS -> Add.
3. Give a Name and a even a Description if needed.
5. Configure the following settings:
Note: Select the data type of the result that the script returns. Available values are String, Integer, and Date.
6. Assign it to a device or user based group. Sadly this workload doesn't support filters, yet!
Additional Information:
- The shell script must echo the attribute to be reported and the data type of the output must match the data type of attribute in the custom attribute profile.
- The result returned by the shell script must be 20KB or less.
- Shell scripts provided in custom attribute profiles run every 8 hours on managed macOS devices.
Final results
After the policy applies, the configuration can be checked in the managed .plist or the .mobileconfig file com.microsoft.wdav locally on the macOS device.
You can check the status by running the following command in the terminal as well -
mdatp threat policy list
But that isn't enough, right? This is why we created the custom attribute to capture the status of PUA.
The custom attribute for PUA will get populated in Intune as well.
Comments
Post a Comment