Help

Configuration Profile to block "Defender Shim"

Jose_Amaya
New Contributor III

Posted on ‎10-16-2023 07:05 PM

Hi,

I'm using Jamf Pro (10.50.0-t1693149930} and I was wondering if someone can guide me to creating a configuration profile to block or prevent the "InstallDefender" from installing with Office 365. Any other suggestion affective suggestion is welcome.

https://learn.microsoft.com/en-us/deployoffice/mac/preferences-office#excluding-apps

Thanks in advance.

0 Kudos
4 REPLIES 4

shannon_pasto
Contributor

Posted on ‎10-16-2023 11:00 PM

Hi.

Below is the plist that you need.

Create a new profile, give it a name, add the payload "Application & Custom Settings", copy/paste the plist and use the domain "com.microsoft.office", scope in your targets and save.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>InstallDefender</key>
	<false/>
</dict>
</plist>

 

Shannon

jamaya77
New Contributor II
In response to shannon_pasto

Posted on ‎10-19-2023 08:29 AM

Thank you of the suggestion, that worked!

0 Kudos

daniel_behan
Contributor III

Posted on ‎10-17-2023 06:05 AM

After deploying that config profile, I made a smart group of potential SHIM installs of computers enrolled 9.11.23 until the date I noticed the SHIM issue (in my case the 19th).  I assigned a policy to that group that runs the script below, which will uninstall that SHIM and run a custom JAMF event to properly install Defender.

 

#!/bin/bash

#Is Defender Installed
AppCheck=$( if [ ! -e /Applications/Microsoft\ Defender.app ]; then
echo "Not Installed"
else
echo "App Installed"
fi )

#Check for binary
simCheck=$( command -v mdatp )

# Attempt to confirm full Defender Install
if [ "$AppCheck" == "Not Installed" ]; then
echo "Defender Not Installed"
/usr/local/bin/jamf recon
/usr/local/bin/jamf policy -event ShimFix

elif [ "$AppCheck" == "App Installed" ] && [ "$simCheck" != "/usr/local/bin/mdatp" ]; then
echo "Only Shim Installed"
/bin/rm -fr /Applications/Microsoft\ Defender.app
/usr/local/bin/jamf recon
/usr/local/bin/jamf policy -event ShimFix
else
    echo "Defender fully installed"
fi

jamaya77
New Contributor II

Posted on ‎10-19-2023 08:36 AM

Thank you, Daniel, will definitely keep in this in mind. Fortunately, I only had one mac that shim installed, based on the smart group.

0 Kudos