macOS Defender -- health/config status, repairing misconfigured devices.


My predecessor deployed Microsoft Defender to our macOS devices before deploying the configuration profiles,
resulting in many of them not having any content in the device timeline in Security Center https://securitycenter.windows.com/machines
and in the terminal command run locally on the computers
mdatp --health
returning
realTimeProtectionAvailable : false
realTimeProtectionEnabled : false

How can I identify the computers that aren't configured correctly, and fix them?

Perhaps a macOS script that evaluates the MS Defender health of a device's install, logs it,
and if there's a problem, deletes Defender from the computer?
sudo rm -rf /Applications/Microsoft\ Defender\ ATP.app


Then Intune would automatically reinstall the "required" Defender app, which would now work properly because the prerequisite config profiles are now present at install.


And, it'd be nice to know if there's proactive monitoring in Security Center letting me know that there's a config problem with a macOS connected device, besides having to run this command locally on every computer
mdatp --health
and checking for
realTimeProtectionAvailable : false
realTimeProtectionEnabled : false

0 Replies
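
The check described in the post (run mdatp --health and look at the two real-time protection fields), as an added example that is not part of the original post: a shell script that classifies the output and logs one line per device. It assumes the "key : value" output format quoted above; the log path, function names and status labels are hypothetical, and the removal step is left out.

```shell
#!/bin/sh
# Added example (not from the original post): classify `mdatp --health` output.
# LOG_FILE is a hypothetical path; adjust it for your management tooling.
LOG_FILE="${LOG_FILE:-/tmp/defender_health_check.log}"

# Constructed sample of the failing output quoted in the post.
SAMPLE_UNHEALTHY='realTimeProtectionAvailable : false
realTimeProtectionEnabled : false'

# health_field NAME: read "key : value" lines on stdin, print NAME's value.
health_field() {
    awk -v key="$1" '
        { i = index($0, ":"); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k)
          gsub(/^[ \t]+|[ \t\r]+$/, "", v)
          if (k == key) { print v; exit } }'
}

# classify_health: read health text on stdin and print one of
# HEALTHY, MISCONFIGURED, or UNKNOWN (a field is missing from the output).
classify_health() {
    text=$(cat)
    avail=$(printf '%s\n' "$text" | health_field realTimeProtectionAvailable)
    enabled=$(printf '%s\n' "$text" | health_field realTimeProtectionEnabled)
    if [ -z "$avail" ] || [ -z "$enabled" ]; then
        echo UNKNOWN
    elif [ "$avail" = true ] && [ "$enabled" = true ]; then
        echo HEALTHY
    else
        echo MISCONFIGURED
    fi
}

# check_device: classify the local install and append one line to LOG_FILE.
# Returns 0 only when both real-time protection fields are true.
check_device() {
    if command -v mdatp >/dev/null 2>&1; then
        status=$(mdatp --health 2>/dev/null | classify_health)
    else
        status=NOT_INSTALLED
    fi
    printf '%s host=%s defender_status=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" "$status" >> "$LOG_FILE"
    [ "$status" = HEALTHY ]
}

# Run against the local machine only when invoked with --run.
if [ "${1:-}" = "--run" ]; then check_device; exit $?; fi
```

Invoked with --run, the script exits non-zero for any device that is not HEALTHY, so a management tool can flag it from the exit code as well as from the log line.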