Configuration Profiles with JSON Custom Schema

Stevie
Contributor

Hello,

I'm not sure if anyone has worked this out or if it's even possible. I am trying to add a custom schema for Microsoft Defender ATP "com.microsoft.wdav" to Jamf. I have worked out most of the settings which are required for the plist. The problem I have got stuck on is how to change an object type based on a selection. The JSON below will allow folders to be whitelisted, but I need to be able to change the exclusions array from 3 fields ($type, isDirectory and path) to 2 fields ($type, name) based on whether it's a folder or a file.

Any advice is welcome.

{
  "title": "com.microsoft.wdav",
  "description": "Preference Domain: com.microsoft.wdav,  Application: Microsoft Defender ATP",
  "type": "object",
  "properties": {
    "antivirusEngine": {
      "type": "object",
      "properties": {
        "allowedThreats": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string"
              },
              "isDirectory": {
                "type": "boolean"
              },
              "path": {
                "type": "string"
              }
            },
            "required": [
              "$type",
              "isDirectory",
              "path"
            ]
          }
        },
        "enableRealTimeProtection": {
          "type": "boolean",
          "default": true,
          "description": "Specify whether to enable real-time protection, which scans files as they are accessed."
        },
        "passiveMode": {
          "type": "boolean",
          "default": false,
          "description": "Specify whether the antivirus engine runs in passive mode."
        },
        "exclusionsMergePolicy": {
          "type": "string",
          "default": "merge",
          "description": "Specify the merge policy for exclusions. This can be a combination of administrator-defined and user-defined exclusions (merge) or only administrator-defined exclusions (admin_only). This setting can be used to restrict local users from defining their own exclusions."
        },
        "exclusions": {
          "description": "Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names.",
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string"
              },
              "isDirectory": {
                "type": "boolean"
              },
              "path": {
                "type": "string"
              }
            },
            "required": [
              "$type",
              "isDirectory",
              "path"
            ]
          }
        },
        "threatTypeSettings": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string"
              },
              "path": {
                "type": "string"
              }
            },
            "required": [
              "$type",
              "path"
            ]
          }
        }
      }
    },
    "cloudService": {
      "type": "object",
      "properties": {
        "automaticSampleSubmission": {
          "type": "boolean",
          "default": true,
          "description": "Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information."
        },
        "diagnosticLevel": {
          "type": "string",
          "default": "optional",
          "description": "Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by Microsoft Defender ATP to Microsoft."
        },
        "enabled": {
          "type": "boolean",
          "default": true
        }
      }
    }
  }
}

rustymyers
New Contributor II

Hi Stevie,
I started playing more with your schema and added some more to it. In addition to some remaining preferences that I added, I looked at the 'exclusions' and I think I have a solution, although not pretty. The idea I had was to include all of the possible keys, "$type", "isDirectory", "path", "extension", and "name" so that when configuring the preference you can add or remove the keys not needed. This allows me to specify an excludedPath, excludedFileExtension, and excludedFileName within the same schema. Let me know your thoughts!

{
    "title": "Microsoft Defender ATP (com.microsoft.wdav)",
    "description": "Preference Domain: com.microsoft.wdav,  Application: Microsoft Defender ATP  Visit <a href='https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences'>https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences</a> for preference information",
    "type": "object",
    "properties": {
        "antivirusEngine": {
            "title": "AntiVirus Config",
            "description": "Configure AntiVirus Engine.",
            "type": "object",
            "properties": {
                "allowedThreats": {
                    "title": "Allowed Threats",
                    "description": "Specify threats by name that are not blocked by Microsoft Defender ATP for Mac",
                    "type": "array",
                    "items": {
                        "type": "string"
                    }
                },

                "disallowedThreatActions": {
                    "title": "Disallowed Threat Actions",
                    "description": "Restricts the actions that the local user of a device can take when threats are detected. Possible Values: allow (restricts users from allowing threats) & restore (restricts users from restoring threats from the quarantine)",
                    "type": "array",
                    "items": {
                        "type": "string"
                    }
                },
                "enableRealTimeProtection": {
                    "type": "boolean",
                    "default": true,
                    "title": "Enable Real Time Protection",
                    "description": "Specify whether to enable real-time protection, which scans files as they are accessed."
                },
                "passiveMode": {
                    "type": "boolean",
                    "default": false,
                    "title": "Enable Passive Mode",
                    "description": "Specify whether the antivirus engine runs in passive mode."
                },
                "exclusionsMergePolicy": {
                    "type": "string",
                    "default": "merge",
                    "title": "Exclusions Merge Policy",
                    "description": "Specify the merge policy for exclusions. This can be a combination of administrator-defined and user-defined exclusions (merge) or only administrator-defined exclusions (admin_only). This setting can be used to restrict local users from defining their own exclusions."
                },
                "exclusions": {
                    "type": "array",
                    "title": "Exclusions",
                    "description": "Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names. More information and examples available at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences",
                    "items": {
                        "type": "object",
                        "properties": {
                            "$type": {
                                "type": "string"
                            },
                            "isDirectory": {
                                "type": "boolean"
                            },
                            "path": {
                                "type": "string"
                            },
                            "name": {
                                "type": "string"
                            },
                            "extension": {
                                "type": "string"
                            }
                        }
                    }
                },
                "threatTypeSettings": {
                    "type": "array",
                    "title": "Threat Type Settings",
                    "description": "Specify how certain threat types are handled by Microsoft Defender ATP for Mac.",
                    "items": {
                        "type": "object",
                        "properties": {
                            "key": {
                                "type": "string"
                            },
                            "value": {
                                "type": "string"
                            }
                        },
                        "required": [
                            "key",
                            "value"
                        ]
                    }
                }
            }
        },
        "cloudService": {
            "title": "CloudService Config",
            "description": "Configure the cloud-driven protection features of Microsoft Defender ATP for Mac.",
            "type": "object",
            "properties": {
                "automaticSampleSubmission": {
                    "type": "boolean",
                    "default": true,
                    "title": "Automatic Sample Submission",
                    "description": "Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information."
                },
                "diagnosticLevel": {
                    "type": "string",
                    "default": "optional",
                    "title": "Diagnostic Level",
                    "description": "Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by Microsoft Defender ATP to Microsoft. Values: Optional (default) & Required"
                },
                "enabled": {
                    "type": "boolean",
                    "default": true,
                    "title": "Enable CloudService Config",
                    "description": "Specify whether to enable cloud-delivered protection on the device or not."
                }
            }
        },
        "edr": {
            "title": "Endpoint Detection and Response (EDR) preferences",
            "description": "Manage the preferences of the Endpoint Detection and Response (EDR) component of Microsoft Defender ATP for Mac.",
            "type": "object",
            "properties": {
                "earlyPreview": {
                    "type": "boolean",
                    "default": true,
                    "title": "Enable Early Preview",
                    "description": "Set up your Mac machine to be an Insider machine to enable preview features."
                },
                "tags": {
                    "title": "Machine Tags",
                    "description": "Provide a tag to machines for provisioning into console. (only one tag per machine is supported)",
                    "type": "array",
                    "items": {
                        "type": "object",
                        "properties": {
                            "key": {
                                "title": "Key",
                                "description": "Leave set as GROUP",
                                "type": "string",
                                "default": "GROUP"
                            },
                            "value": {
                                "title": "Value",
                                "description": "Enter EAD Prefix (e.g. 'A1')",
                                "type": "string",
                                "default": "<EAD PREFIX>"
                            }
                        }
                    }
                }
            }
        },
        "userInterface": {
            "title": "User Interface",
            "description": "Show or hide Defender ATP in Menu Bar.",
            "type": "object",
            "properties": {
                "hideStatusMenuIcon": {
                    "type": "boolean",
                    "default": false,
                    "title": "Hide Defender ATP in Menu Bar",
                    "description": "Specify whether to hide the Defender ATP status icon in the Menu Bar."
                }
            }
        }
    }
}
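The conditional shape Stevie asks for, and which rustymyers works around by listing every possible key, is a discriminated union in JSON Schema: one `anyOf` branch per `$type` value, each with its own `required` list and `additionalProperties: false`. The Python below is an added example, not code from either post or from Microsoft or Jamf. It embeds such a schema for the exclusions array, implements just enough of the JSON Schema rules (required, enum, additionalProperties, scalar types) to check each entry against the branch its `$type` selects, and serialises valid entries into the `antivirusEngine.exclusions` array of a managed-preference payload with the standard library's plistlib. The `$type` constants excludedPath, excludedFileExtension and excludedFileName are the ones rustymyers names; the sample entries are constructed; and whether Jamf's custom-schema editor renders `anyOf`, `enum` and `additionalProperties` is an assumption to verify against Jamf's own documentation rather than something this thread establishes. The point of the check: with the all-keys schema, a path exclusion with no isDirectory, or a name exclusion carrying a stray path, goes through to the client where it is at best ignored, so the exclusion the admin thought was in place is not; validating per branch rejects both before the profile is scoped.

```python
"""Validate Microsoft Defender (com.microsoft.wdav) exclusion entries against a
schema with one anyOf branch per "$type", then emit them as a managed plist.
Constructed example; not code from the thread, Microsoft or Jamf."""
import plistlib


def _branch(type_name, title, fields):
    """One anyOf branch: "$type" pinned by enum, every field required,
    nothing else allowed."""
    props = {"$type": {"type": "string", "enum": [type_name]}}
    props.update({k: {"type": t} for k, t in fields.items()})
    return {"title": title, "type": "object", "properties": props,
            "required": ["$type", *fields], "additionalProperties": False}


# Assumed schema fragment for antivirusEngine.exclusions. The "$type" values
# are the ones named in the thread (excludedPath, excludedFileExtension,
# excludedFileName); Jamf's editor honouring anyOf/enum/additionalProperties
# is an assumption to check against Jamf's documentation.
EXCLUSION_SCHEMA = {"type": "array", "items": {"anyOf": [
    _branch("excludedPath", "Excluded Path",
            {"isDirectory": "boolean", "path": "string"}),
    _branch("excludedFileExtension", "Excluded File Extension",
            {"extension": "string"}),
    _branch("excludedFileName", "Excluded File Name", {"name": "string"}),
]}}

_PY_TYPES = {"string": str, "boolean": bool, "object": dict}


def _check_branch(entry, branch):
    """Problems with entry under one branch (empty list means it conforms)."""
    problems = []
    props = branch["properties"]
    for key in branch["required"]:
        if key not in entry:
            problems.append(f"missing required key {key!r}")
    for key, value in entry.items():
        if key not in props:
            if not branch.get("additionalProperties", True):
                problems.append(f"unexpected key {key!r}")
            continue
        spec = props[key]
        # type(...) is, not isinstance: bool is a subclass of int in Python
        if type(value) is not _PY_TYPES[spec["type"]]:
            problems.append(f"{key!r} should be {spec['type']}")
        elif "enum" in spec and value not in spec["enum"]:
            problems.append(f"{key!r} not one of {spec['enum']}")
    return problems


def validate_exclusions(entries, schema=EXCLUSION_SCHEMA):
    """Map index -> problems for every entry that fails its $type's branch."""
    errors = {}
    branches = schema["items"]["anyOf"]
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            errors[i] = ["entry is not an object"]
            continue
        # The discriminator picks the branch; the branch decides the key set.
        chosen = [b for b in branches
                  if entry.get("$type") in b["properties"]["$type"]["enum"]]
        if not chosen:
            errors[i] = [f"unknown $type {entry.get('$type')!r}"]
            continue
        problems = _check_branch(entry, chosen[0])
        if problems:
            errors[i] = problems
    return errors


def to_managed_plist(entries):
    """Serialise validated entries as the exclusions array of a
    com.microsoft.wdav managed-preference payload (plist XML bytes)."""
    bad = validate_exclusions(entries)
    if bad:
        raise ValueError(f"invalid exclusions: {bad}")
    return plistlib.dumps({"antivirusEngine": {"exclusions": entries}})


# Constructed sample: two well-formed entries, then two that the all-keys
# schema in the thread would accept but the branch-per-type schema rejects.
SAMPLE = [
    {"$type": "excludedPath", "isDirectory": True, "path": "/var/lib/example"},
    {"$type": "excludedFileName", "name": "example.tmp"},
    {"$type": "excludedPath", "path": "/tmp/example"},            # no isDirectory
    {"$type": "excludedFileName", "name": "x.tmp", "path": "/x"},  # stray path
]

if __name__ == "__main__":
    for idx, probs in validate_exclusions(SAMPLE).items():
        print(f"entry {idx}: {'; '.join(probs)}")
    print(to_managed_plist(SAMPLE[:2]).decode())
```

Run as a script it reports the two malformed entries and prints the plist for the two good ones; the same validator can be pointed at the exclusions array exported from a profile before it is scoped to machines.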

Jacek_ADC
Contributor

Hi guys

I just started a few days ago to use Defender on our M1 MacBooks. I have done all the configurations from:
Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro | Microsoft Docs

and

New configuration profiles for macOS Catalina and newer versions of macOS | Microsoft Docs

which are necessary. As configuration I use this JSON schema.

mdatp-xplat/schema.json at master · microsoft/mdatp-xplat · GitHub

Defender onboarding and the functionality works fine from the first time, but when checking the function for the threats

Xnip2021-09-28_10-38-33.png

Xnip2021-09-28_10-25-52.png

I am not able to save these settings. I have tested it maybe 20 times in each direction 🙂 but was never successful. So in the end, in Defender on the MacBook the buttons are visible and usable for the user.

Xnip2021-09-28_10-23-34.png

Does someone have an idea if something is wrong with the JSON schema, or a tip on how to disable this function on the client?
The issue is that I can change it in the GUI, but it is never written to the configuration.

I am thankful for any help.

Regards

J