Enabling PUA as part of Defender for Endpoint and configuring Custom Attributes for macOS using Intune

For the last week or so I have been working on addressing a recommendation flagged in the Defender portal that required configuring Potentially Unwanted Applications (PUA) for macOS.



As part of the recommendation, you can put PUA in either 'Audit' or 'Block' mode. I decided to configure it in 'Block' mode and, in the process, also felt it would be a good time to configure a custom attribute for macOS to capture the status of this setting directly in Intune. While Intune's reporting capabilities keep evolving, I feel there is still a lot of catching up to do when it comes to macOS as an operating system. For example, if you want to check the onboarding or AV status in general, you can easily run a report in Intune, but only for Windows. Sure, you can get the status through various other methods like the Defender portal, or even by means of custom reports outside Intune, but this is not always desirable, especially for organizations that have heavily segmented teams with various roles, which confines Intune administrators to the Intune portal only. In my honest opinion, I would prefer to see all relevant endpoint management data in a single pane of glass, in this case Intune.

While configuring PUA and creating a custom attribute for macOS to capture the status may seem straightforward, it actually wasn't for me, to say the least, and so I decided to share my experience through this blog post.

Let's start by configuring PUA for macOS. There are multiple ways to configure it. You can create a preference configuration file or a .mobileconfig file, or send a shell command and configure it through the mdatp utility. But the best option in my opinion is using the built-in setting in the Endpoint security AV profile, which to be honest wasn't super obvious or easy to find. You need to enable the Threat type toggle first, and only after that do things become a lot clearer. Here is how you can go about setting things up -

2. Go to Endpoint security -> Antivirus -> Create policy.
3. Select Platform as macOS and Profile as Microsoft Defender Antivirus.
4. Give a Name and even a Description if needed.
5. Configure the following settings:

Note: Configuring archive_bomb is optional, but I configured it anyway. I would also suggest testing in 'Audit' mode first before enabling 'Block' mode. Since this is my test lab, I am enabling 'Block' mode straight away.

6. Assign to a group of devices or users. I normally use the built-in virtual groups as much as possible and control the assignment through filters.


Note: You can configure the same settings using the Settings catalog, but I chose to use the Endpoint security profile as I wanted all AV settings under a single profile.

Now let's configure the custom attributes for macOS. Let me start by saying that I love this feature. It gives you the ability to expand inventory collection beyond what is currently available in Intune and is a perfectly good way to capture the status of the Defender configuration right in Intune. To create a custom attribute for macOS, you first need to create a .sh script. If you are looking for inspiration, then I would suggest looking at some of the awesome scripts created by Neil Johnson that can be found over here. Together with Yong Rhee, they both answered some of the questions I had, so fair play to them.

To create a custom attribute for PUA status, here are the steps -

First, here is the script I put together -

#!/bin/sh
#set -x

# Call mdatp by absolute path (see the note below), find the PUA threat type
# entry plus the line after it, strip the "type: " prefix and keep the second
# field, which holds the configured action (audit or block).
var=$(/usr/local/bin/mdatp threat policy list | grep -a1 potentially_unwanted_application | sed 's/.*type: //' | awk '{print $2}')

# Intune reads whatever the script echoes as the attribute value.
echo "PUA Status:" $var

Note: You can call the mdatp utility directly, but chances are Intune may have difficulty locating it. During my testing, even though the script worked locally, it didn't run correctly from Intune, resulting in the custom attribute not populating despite reporting as successful. Therefore, I suggest using the absolute path /usr/local/bin/mdatp when calling the mdatp utility.

2. Go to Devices -> macOS -> Custom attributes for macOS -> Add.
3. Give a Name and even a Description if needed.
5. Configure the following settings:


Note: Select the data type of the result that the script returns. Available values are String, Integer, and Date.

6. Assign it to a device or user based group. Sadly this workload doesn't support filters, yet!

Additional Information:

- The shell script must echo the attribute to be reported and the data type of the output must match the data type of attribute in the custom attribute profile.

- The result returned by the shell script must be 20KB or less.

- Shell scripts provided in custom attribute profiles run every 8 hours on managed macOS devices.
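As an added example (not the post's own script), here is a hardened variant of the PUA custom attribute that follows the rules above: it echoes exactly one String token, uses the absolute mdatp path, and returns a labelled value instead of nothing when mdatp is missing or its output cannot be parsed. The parser assumes the same output shape the post's pipeline relies on (the potentially_unwanted_application line followed by a line whose second field is the action); the sample output embedded for offline testing is constructed.

```shell
#!/bin/sh
# Absolute path, as the post recommends; overridable for testing.
MDATP="${MDATP:-/usr/local/bin/mdatp}"

# Parse `mdatp threat policy list` text from stdin and print exactly one
# token: the PUA action (audit/block), or "unknown" if it cannot be found.
parse_pua_status() {
  status=$(grep -a -A1 potentially_unwanted_application \
           | sed 's/.*type: //' \
           | awk 'NF >= 2 { print $2; exit }')
  if [ -n "$status" ]; then
    printf '%s\n' "$status"
  else
    printf 'unknown\n'
  fi
}

# Produce the attribute value, covering the failure modes Intune can hit:
# agent not installed, mdatp failing, or unexpected output.
pua_status() {
  if [ ! -x "$MDATP" ]; then
    printf 'not_installed\n'
    return 0
  fi
  out=$("$MDATP" threat policy list 2>/dev/null) || {
    printf 'mdatp_error\n'
    return 0
  }
  printf '%s\n' "$out" | parse_pua_status
}

# Constructed sample output (assumed shape), used only for offline testing.
SAMPLE='Threat type settings:
  type: potentially_unwanted_application
  action: block
  type: archive_bomb
  action: audit'

# The single echoed line is what the String custom attribute will show.
pua_status
```

Any value other than audit or block (not_installed, mdatp_error, unknown) in the Intune report then tells you the device needs attention rather than leaving the attribute blank.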

Final results

After the policy applies, the configuration can be checked in the managed .plist or the .mobileconfig file com.microsoft.wdav locally on the macOS device.


You can check the status by running the following command in the terminal as well -

mdatp threat policy list


But that isn't enough, right? This is why we created the custom attribute to capture the status of PUA.

The custom attribute for PUA will get populated in Intune as well.


That's it for now. I am really getting into the groove of managing macOS devices, so if you have any interesting scenarios that you would like me to take on, then look me up on LinkedIn or X. Thank you for reading.
