Jamf Nation Community

How did you guys deploy this with JamF?

Not to resurrect an old thread, I agree with k0bject, Microsoft's doc on this assumes a lot of knowledge about launchd work that I don't have. Can either of you guys speak to how you actually got this deployed via Jamf?

I have recently followed Microsoft's doc, & setup all config profiles but stumbled at this same place, I'm also following this thread to learn, thank you for resurrecting the thread @tdudley

The way you can package things that are on a hard drive easily is to use Jamf Composer. That is available as part of your subscription. One way to use it is to do a before and after snapshot. However if you cancel out of the snapshot mode you can use it a different way. So get Composer to its main screen after cancelling the snapshot screen.

Then open finder and drill down to /Library/LaunchDaemons and locate the LaunchDaemon you want to deploy. Drag it to the left sidebar in Composer. You should see a new object created with the name of the LaunchDaemon on the left and in the right pane you should see the directory structure /Library/LaunchDaemons/yourdaemon

Rename the object to suit your purposes and select the object and make a DMG from it. Up load the DMG to your Jamf Pro Server. Deploy the Launch Daemon at the beginning of your Defender installation. Remember to deploy all the necessary Configuration Profiles before deploying Defender

Actually I looked at my current workflow and it's all done with scripts. Here's the LaunchDaemon script:

#!/bin/bash
# 2020-12-08 David London
# Defender-CreateScheduledScanLaunchDaemons.bash
# Create the Defender scheduled scan Launch Daemons using a script 


echo "Creating Weekly Full Scan plist /Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist" 
# Weekly Full Scan 
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.microsoft.wdav.schedfullscan</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>-c</string>
        <string>/usr/local/bin/mdatp --scan --full</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Weekday</key>
        <integer>2</integer>
        <key>Hour</key>
        <integer>12</integer>
        <key>Minute</key>
        <integer>0</integer>
    </dict>
    <key>WorkingDirectory</key>
    <string>/usr/local/bin/</string>
</dict>
</plist>' > /Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist


echo "Creating Daily Quick Scan plist /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist"
# Daily Quick Scan
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.microsoft.wdav.schedquickscan</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>-c</string>
        <string>/usr/local/bin/mdatp --scan --quick</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>15</integer>
        <key>Minute</key>
        <integer>0</integer>
    </dict>
    <key>WorkingDirectory</key>
    <string>/usr/local/bin/</string>
</dict>
</plist>' > /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist


exit 0

Thank you @dlondon
I Will go through, and will get back here if I need help,
much appreciated.

Hello all! I am also struggling with this.

I used @dlondon 's script which works great at placing the plist files in the LaunchDaemon folder but the scheduled scans still don't work. I noticed that if I copy and paste the plist to my desktop then copy and paste it back into the LaunchDaemons folder (without making other changes except for the time) the plist takes effect and the permissions change. I think I need to adjust something either in the script or somewhere in my policy to make sure the correct permissions are inherited, but I am not exactly sure where. Any advice?

@skawada The script @dlondon posted doesn't set the ownership and permissions required for a LaunchDaemon. Add the following to the end of the script:

/usr/sbin/chown root:wheel "/Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist"
/bin/chmod 644 "/Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist"

/usr/sbin/chown root:wheel "/Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist"
/bin/chmod 644 "/Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist"

That will allow the LaunchDaemons to load the next time the Mac is restarted. If you want to load them immediately also add the following lines:

/bin/launchctl bootstrap system "/Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist"
/bin/launchctl bootstrap system "/Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist"

Alongside what is mentioned with regards to the correct permissions, test removing the dash from the string in the script - <string>/usr/local/bin/mdatp --scan --quick</string>.

Microsoft Documentation has it set as the following as an example: <string>/usr/local/bin/mdatp scan quick</string>

Then to test without restarting the device, set your new timings/schedule that you want to use and unload and reload the Daemon:

launchctl unload /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist
launchctl load /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist

Alternatively set your timings in the script. Execute script and restart the device.
Open Defender App, you should see the quickscan trigger at the schedule you set.

It appears you can also set schedule daily or weekly scan via jamf policy > Files and processes command:

mdatp scan quick
mdatp scan full

Then set to run at daily, weekly recurring check etc, use the client side limitations to limit to time of day if required.

I guess it depends if you prefer the overhead to be client side rather then Jamf server side.

@sdagley Thank you so much for that. That seemed to fix my script! It is working beautifully now.

@SBod Thank you for your input. I noticed that about the original string too and made changes accordingly. It hadn't occurred to me to use the files and processes command, that is a much simpler way of scheduling the scans. However, some of these devices will not consistently be enrolled in jamf, in which case, I wouldn't be able to use the command, but for devices we actively maintain I will be sure to keep that in mind!

I really appreciate this community so much, thank you all for your expertise!

Any tips on why it doesn't seem to be loading correctly for me? I've tried launchctl unload/load and a reboot, and have done the above chmod and bootstrap options when deploying it.
edit: launchctl error bootstrap 2 returns os/kern protection failure. I am using the System Extensions config profile to pre-approve com.microsoft.wdav.netext and com.microsoft.wdav.epsext
edit 2: Seems I needed to add the start command to my deployment script launchctl start /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.microsoft.wdav.schedquickscan</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>-c</string>
        <string>/usr/local/bin/mdatp --scan --quick</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>12</integer>
        <key>Minute</key>
        <integer>00</integer>
    </dict>
    <key>WorkingDirectory</key>
    <string>/usr/local/bin/</string>
</dict>
</plist>