Managing Microsoft System Center 2012 Endpoint Protection

Kedgar
Contributor

Is anyone deploying/using Microsoft SCCM 2012 for Mac in their environment? We recently went away from Symantec for many different things... including AV.

I have found there are various things I can get... albeit somewhat ugly. I don't see any documentation from Microsoft about any of this... but there are some command-line options

Virus Def Last Update and Version

app12977md:MacOS kedgar$ sudo grep -A 1 CONTINUOUS_ENGINE1] /Library/Application Support/Microsoft/scep/modules/data/updfiles/lastupd.ver | grep version | awk -F "=" '{print $2}'
11950 (20150716)

Microsoft SCEP Agent Version

app12977md:MacOS kedgar$ pwd
/Applications/System Center 2012 Endpoint Protection.app/Contents/MacOS
app12977md:MacOS kedgar$ sudo ./scep_kac -v
./scep_kac (scep) 4.5.22
25 REPLIES 25

dwandro92
Contributor III

My colleague @axnessj and I have found that it is not very well documented, however we have managed to figure out how to do a few things with it by poking around in files. We are using it on our Linux clients and managing it via Puppet, but we haven't had a chance to test it on OS X systems yet.

What exactly are you trying to report on or manage?

Kedgar
Contributor

@dwandro92, I was just putting this here to help others, and to see if anyone else has been able to glean anything decent from this application. I'd be quite interested to see your puppet manifest if you are so willing to share πŸ™‚ ken.edgar@gmail.com

Anyway... the things I'd like to do are:

-one Know what defs are on a machine (up to date/etc)
-two Desktop team can take this info and remediate machines that are not up to date
-three Know if viruses have been detected, and action (don't think this is possibile)
-four Unless you maybe list out what's in the quarantine

Aziz
Valued Contributor

I deployed SCEP around a month ago and wish it gave the statistics it showed in SCCM, but in Casper. I mean, even showing the amount of Mac viruses, updates and definition in SCCM would be good enough!

If any one has figured a way to report on these types of things, please share it with us!

calumhunter
Contributor III

@Kedgar Thanks! those two items are quite useful!

dwandro92
Contributor III

@Kedgar

-three Know if viruses have been detected, and action (don't think this is possibile)

You might be able to accomplish this by leveraging the following script:

/etc/opt/microsoft/scep/scripts/daemon_notification_script

I'm not sure if this is present on the Mac clients, but if it is, you could do something like this:

  1. Setup an extension attribute which checks for the existence of a text file on the client, and reads it if found.
  2. Modify the daemon notification script so that it performs these actions:
    • Outputs the virus detection info to the aforementioned text file
    • Performs a recon to update the extension attribute

Rather than redirecting output to a text file and running a recon, you could compile a binary that pulls in the variables as parameters (which are passed to it by the script) and uploads the data to the computer record via the API. This way, your API account credentials will be secure.

curlyryan
New Contributor II

@Kedgar Thanks for posting those two items, I have been tasked to try and get SCEP managed on the Macs as well in our environment.

I also have a ticket open with Microsoft regarding the manageability on the Mac side and waiting to hear back to see if there is anything I'm missing or is there and just not documented. I'll post my findings if I hear anything that may be useful.

Kedgar
Contributor

Microsoft's documentation is very little... and according to Technet, the Macintosh endpoint agent is unmanaged. I had a bit of trouble creating a Extension Attribute to get the virus def version and date because of a return character... but here is what I came up with below.

@dwandro92 , Unfortunately it appears the linux version differs on OS X... the daemon_notification_script is nowhere to be found. I'll have to find a way to either scrape logs (which are binary .dat files)... or do something else.

Hope this helps someone out there... enjoy πŸ™‚

#!/bin/bash
#
# Gathers Microsoft System Center Endpoint Protection Virus Def Version and Date

lastupd='scep/modules/data/updfiles/lastupd.ver'

cd /Library/Application Support/Microsoft/

if [ -f "$lastupd" ]
then
    scepVer=$(grep -A 1 CONTINUOUS_ENGINE1] $lastupd | grep version | cut -d "=" -f 2 | tr -d '
')
    echo "<result>$scepVer</result>"
else
    echo "<result>Not Installed</result>"
fi

Key1
New Contributor III

Totally agree the documentation on this product is woefully lacking. I've been trying to harden up the config and while I've had limited success using the scep.cfg files, what i really wanted to automate was the import config settings activity which also imports the gui.cfg and then most importantly implements the settings over the top of any changes that may have been made such as stopping the on access scanning.

While i have not been successful yet in applying the config, i have found another script in the pkg content that lets you run a scan from the command line with any settings you want.

/Applications/System Center 2012 Endpoint Protection.app/Contents/MacOS/scep_scan -h for details..

alan_trewartha
New Contributor III

^^All helpful stuff, thanks. Same .app folder "Contents/MacOS/scep_set -h" looks useful too

alan_trewartha
New Contributor III

I found using scep_set allows you to change the Contents/etc/scep.cfg file so e.g.

cd /Applications/System Center 2012 Endpoint Protection.app/Contents/MacOS/
./scep_set --set='privileged_users = "localadmin1:localadmin2"'
./scep_set --set='av_scan_app_unwanted = no'

and then

launchctl unload -w /Library/LaunchDaemons/com.microsoft.scep_daemon.plist
launchctl load -wF /Library/LaunchDaemons/com.microsoft.scep_daemon.plist

appears to reload that config. At least I can see a change via --set='scheduler_tasks=… takes effect in the list of schedules in the GUI ok.

alan_trewartha
New Contributor III

The application install we have doesn't create a file at /Library/Application Support/Microsoft/scep/modules/data/updfiles/lastupd.ver , but I can see some data inside the application here /Applications/System Center 2012 Endpoint Protection.app/Contents/var/lib/data/data.txt

So this looks like it gets the latest virus def update…

date -r $( grep LastUpdate= "/Applications/System Center 2012 Endpoint Protection.app/Contents/var/lib/data/data.txt" | cut -c12- ) "+%F"

ndeal
New Contributor III

These snippets are for version 4.5.22 (doesn't appear to work on earlier rev's of the client, although maybe the 4.5.2X in general will work - haven't tested that.

Version reporting:

if [ -f "/Library/Application Support/Microsoft/scep/modules/data/updfiles/lastupd.ver" ] ; then VERSION=$( "/Applications/System Center 2012 Endpoint Protection.app/Contents/MacOS/scep_kac" -v | awk -F " " '{print $7}' ) else VERSION="File Missing" fi echo "<result>$VERSION</result>"

Definition reporting:

if [ -f "/Library/Application Support/Microsoft/scep/modules/data/updfiles/lastupd.ver" ] ; then VERSION=$( cat "/Library/Application Support/Microsoft/scep/modules/data/updfiles/lastupd.ver" | grep -A 1 CONTINUOUS_ENGINE1]|grep version | awk -F"=" '{print $2}' ) else VERSION="File Missing" fi echo "<result>$VERSION</result>"

Count of realtime scan infections:

if [ -f "/Library/Application Support/Microsoft/scep/logs/stats.onaccess" ] ; then COUNT=$( cat "/Library/Application Support/Microsoft/scep/logs/stats.onaccess" | grep infected | cut -d' ' -f2 ) else COUNT="File Missing" fi echo "<result>$COUNT</result>"

Count of Computer Scan infections:

if [ -f "/Library/Application Support/Microsoft/scep/logs/stats.ondemand" ] ; then COUNT=$( cat "/Library/Application Support/Microsoft/scep/logs/stats.ondemand" | grep infected | cut -d' ' -f2 ) else COUNT="File Missing" fi echo "<result>$COUNT</result>"

Count of realtime scan items cleaned:

if [ -f "/Library/Application Support/Microsoft/scep/logs/stats.onaccess" ] ; then COUNT=$( cat "/Library/Application Support/Microsoft/scep/logs/stats.onaccess" | grep cleaned | cut -d' ' -f2 ) else COUNT="File Missing" fi echo "<result>$COUNT</result>"

Count of Computer Scan Items cleaned:

if [ -f "/Library/Application Support/Microsoft/scep/logs/stats.ondemand" ] ; then COUNT=$( cat "/Library/Application Support/Microsoft/scep/logs/stats.ondemand" | grep cleaned | cut -d' ' -f2 ) else COUNT="File Missing" fi echo "<result>$COUNT</result>"

gachowski
Valued Contributor II

Hey Everyone,

It's been a year or two, but when I last checked, MS Mac Endpoint Protection did not look for Mac viruses.

Anybody have more up-to-date info and can you point me to documentation that confirms? : )

Thank you ver much !!

C

JustDeWon
Contributor III

quick question.. Have anyone figured out a script to create an exception for certain file paths?

habibalby
New Contributor

Hi All,
Anyone get around this... I've tried running the below shell script as a compliance rule setting in SCCM and seems somewhat shows an accurate results by fetching the AVSign value...

Anyone can help please...

Since SCCM doesn't give any additional visibility on the Mac Clients if they are getting AV/Antispam updates or they are infected etc etc... there is a command that can be run on the Terminal of the MacBook client to fetch those details,

!/bash /Applications/ .scep/Contents/MacOS/scep_daemon --status

This command output

RTPStatus=Enabled
ClientVer=4.5.22.0
AVSigsVer=10886 (20141216)
AVSigsDate=2016-11-02T09:22:21
AntivirusAntispywareModVer=1446 (20141208)
SystemState=Maximum protection
AutomaticUpdateSignature=Enabled
StartupScanAfterLogon=Enabled
StartupScanAfterUpdate=Enabled
RTPEventMask=open:create:exec
RTPAdvHeuristic=Disabled
RTPAdvHeuristic=Disabled
Exec=Disabled
RTPAdvHeuristicCreate=Enabled
RTPStatistics=Infected:0|Cleaned:0|Deleted:0
ScanStatistics=Infected:0|Cleaned:0|Deleted:0

Much appreciate your support on this...

Regards,

wangl2
Contributor

Hi Guys,
How do you push out definition update whether using Casper or ARD?
Thanks.

a_stonham
Contributor II

@wangl2 SCEP should be pulling its definition updates down by default.

BGV652
New Contributor II

Am I the only one experiencing a massive lag while starting up SCEP for the first time after startup of my clients?
SCEP causes a frozen macOS for at least 20-30 seconds.
Even the Activity Monitor is not able to log during the startup of SCEP.

JS_WWU
New Contributor III

Anyone have anything new to add?

We have been using SCEP for both Windows and Mac, and management would like to get reporting like the Windows side has.

I did come across and older UserVoice requesting that the Windows reporting functionality be added to the Mac client:
https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/12514446-make-the-same-report-functions-available-in-ep-mac

ftiff
Contributor

FYI @neil.martin83 did a great job documenting some of this!

Part 1 - Changing global settings with scep_set
Part 2 - Reading the logs
Part 3 - User-specific GUI preferences

nssabol
New Contributor II

This is a great thread - thank you all for sharing the approaches and code to capture SCEP extension attributes/initiate scans/etc.! We were looking at moving to SCEP exclusively as well but were just made aware that System Center Endpoint Protection for macOS and Linux will be EOL by the end of the year (2018):

https://techcommunity.microsoft.com/t5/Configuration-Manager-Blog/End-of-Support-for-SCEP-for-Mac-and-SCEP-for-Linux-on-December/ba-p/286257

It looks like ESET may still be a possibility for macOS but the Linux version will be completely gone. I am wagering that much of the knowledge in this thread will also apply to ESET since SCEP is essentially the same product. We will see.

Just wanted to pass this along.

Thank you all again,
-Neil

a_simmons
Contributor II

@nssabol have you tested to see if the cfg file works the same using ESET?

cyphers
New Contributor

Hey everyone,

I'm helping evaluate moving to ESET from SCEP for a year after the announcement. If anyone comes across helpful info, it would be appreciated! We just tested ESET on a fresh 10.14 install and there are a few prompts for profiles that look like they'll be added to the 10.9 release?

1st prompt: requests access to the entire disk, must be user/profile approved.

2nd prompt: New network connection detected (asks for profile)

alv2015591
New Contributor III

This article is awesome..
https://soundmacguy.wordpress.com/2017/09/18/managing-microsoft-system-center-endpoint-protection-scep-part-1/
https://soundmacguy.wordpress.com/2017/09/26/managing-microsoft-system-center-endpoint-protection-scep-part-2/
https://soundmacguy.wordpress.com/2017/11/19/managing-microsoft-system-center-endpoint-protection-scep-part-3/

I used this to configure all my settings... and I have had zero problems. Also do you have your Approve Kernel extensions profile configured in the JSS?

andrew_nicholas
Valued Contributor

According to the ESET forum, the FDA prompt will be correctly profile configurable (PPPC/TCC) in the next version, out ~January 2019.