Extension attribute Script
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-03-2025 11:46 AM
I am trying to setup an extension attribute to verify if MS defender is enabled on devices in our environment. When I save the EA I only get a response from 1 device but I need responses from all of my devices. Any advice would be appreciated! Thanks
#!/bin/sh
echo "<result>`mdatp health | grep real_time_protection_enabled| awk '{print $3}'`</result>"

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2025 11:59 AM - edited 03-04-2025 07:06 PM
@nhenderson You should use the full path to the mdatp binary, and don't assume it's installed so you can report an error it if isn't. Something like this:
#!/bin/sh
mdatpPath="/Path/To/mdatp"
result="Not Installed"
if [ -e "$mdatpPath" ]; then
result=$("$mdatpPath" health | grep real_time_protection_enabled | awk '{print $3}')
fi
echo "<result>$result</result>"
(You were also missing a space preceding the pipe between your grep and awk statements)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-03-2025 12:14 PM
I appreciate the quick response! I have made the changes and I will see if that works.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-06-2025 11:28 AM
Keep in mind that devices will only show updated information for a new Extension Attribute once they submit new inventory back to your Jamf Pro console. Just wanted to mention that because a lot of people get confused at first on this. It's not going to update on all Macs immediately after it's created.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-06-2025 12:22 PM
I can't believe nobody has created a FR to trigger a recon policy on all Macs when an EA is created/updated. :-)
