Posted on 07-16-2015 12:20 PM
Is anyone deploying/using Microsoft SCCM 2012 for Mac in their environment? We recently went away from Symantec for many different things... including AV.
I have found there are various things I can get... albeit somewhat ugly. I don't see any documentation from Microsoft about any of this... but there are some command-line options
Virus Def Last Update and Version
app12977md:MacOS kedgar$ sudo grep -A 1 'CONTINUOUS_ENGINE1]' "/Library/Application Support/Microsoft/scep/modules/data/updfiles/lastupd.ver" | grep version | awk -F "=" '{print $2}'
11950 (20150716)
Microsoft SCEP Agent Version
app12977md:MacOS kedgar$ pwd
/Applications/System Center 2012 Endpoint Protection.app/Contents/MacOS
app12977md:MacOS kedgar$ sudo ./scep_kac -v
./scep_kac (scep) 4.5.22
Posted on 07-16-2015 01:03 PM
My colleague @axnessj and I have found that it is not very well documented; however, we have managed to figure out how to do a few things with it by poking around in files. We are using it on our Linux clients and managing it via Puppet, but we haven't had a chance to test it on OS X systems yet.
What exactly are you trying to report on or manage?
Posted on 07-16-2015 02:30 PM
@dwandro92, I was just putting this here to help others, and to see if anyone else has been able to glean anything decent from this application. I'd be quite interested to see your puppet manifest if you are so willing to share :) ken.edgar@gmail.com
Anyway... the things I'd like to do are:
1. Know what defs are on a machine (up to date/etc)
2. Desktop team can take this info and remediate machines that are not up to date
3. Know if viruses have been detected, and action (don't think this is possible)
4. Unless you maybe list out what's in the quarantine
Posted on 07-16-2015 05:38 PM
I deployed SCEP around a month ago and wish it gave the statistics it showed in SCCM, but in Casper. I mean, even showing the amount of Mac viruses, updates and definition in SCCM would be good enough!
If any one has figured a way to report on these types of things, please share it with us!
Posted on 07-16-2015 06:27 PM
@Kedgar Thanks! Those two items are quite useful!
Posted on 07-17-2015 05:41 AM
3. Know if viruses have been detected, and action (don't think this is possible)
You might be able to accomplish this by leveraging the following script:
/etc/opt/microsoft/scep/scripts/daemon_notification_script
I'm not sure if this is present on the Mac clients, but if it is, you could do something like this:
Rather than redirecting output to a text file and running a recon, you could compile a binary that pulls in the variables as parameters (which are passed to it by the script) and uploads the data to the computer record via the API. This way, your API account credentials will be secure.
Posted on 07-17-2015 11:01 AM
@Kedgar Thanks for posting those two items, I have been tasked to try and get SCEP managed on the Macs as well in our environment.
I also have a ticket open with Microsoft regarding the manageability on the Mac side and am waiting to hear back to see if there is anything I'm missing, or if it is there and just not documented. I'll post my findings if I hear anything that may be useful.
Posted on 07-17-2015 11:50 AM
Microsoft's documentation is very little... and according to Technet, the Macintosh endpoint agent is unmanaged. I had a bit of trouble creating an Extension Attribute to get the virus def version and date because of a return character... but here is what I came up with below.
@dwandro92 , Unfortunately it appears the Linux version differs on OS X... the daemon_notification_script is nowhere to be found. I'll have to find a way to either scrape logs (which are binary .dat files)... or do something else.
Hope this helps someone out there... enjoy :)
#!/bin/bash
#
# Gathers Microsoft System Center Endpoint Protection Virus Def Version and Date
lastupd='scep/modules/data/updfiles/lastupd.ver'
# the path contains a space, so it must be quoted; if the directory is missing
# the -f test below fails and we report "Not Installed"
cd "/Library/Application Support/Microsoft/" 2>/dev/null
if [ -f "$lastupd" ]
then
    # the "version=" line follows the [CONTINUOUS_ENGINE1] header; strip the trailing newline
    scepVer=$(grep -A 1 'CONTINUOUS_ENGINE1]' "$lastupd" | grep version | cut -d "=" -f 2 | tr -d '\n')
    echo "<result>$scepVer</result>"
else
    echo "<result>Not Installed</result>"
fi
Posted on 09-15-2015 04:22 AM
Totally agree the documentation on this product is woefully lacking. I've been trying to harden up the config and, while I've had limited success using the scep.cfg files, what I really wanted to automate was the import config settings activity, which also imports the gui.cfg and then, most importantly, implements the settings over the top of any changes that may have been made, such as stopping the on-access scanning.
While I have not been successful yet in applying the config, I have found another script in the pkg content that lets you run a scan from the command line with any settings you want.
/Applications/System Center 2012 Endpoint Protection.app/Contents/MacOS/scep_scan -h for details..
Posted on 12-08-2015 02:49 AM
^^All helpful stuff, thanks. Same .app folder "Contents/MacOS/scep_set -h" looks useful too
Posted on 12-08-2015 03:55 AM
I found using scep_set allows you to change the Contents/etc/scep.cfg file so e.g.
cd /Applications/System Center 2012 Endpoint Protection.app/Contents/MacOS/
./scep_set --set='privileged_users = "localadmin1:localadmin2"'
./scep_set --set='av_scan_app_unwanted = no'
and then
launchctl unload -w /Library/LaunchDaemons/com.microsoft.scep_daemon.plist
launchctl load -wF /Library/LaunchDaemons/com.microsoft.scep_daemon.plist
appears to reload that config. At least I can see a change via --set='scheduler_tasks=… takes effect in the list of schedules in the GUI ok.
Posted on 12-09-2015 04:12 AM
The application install we have doesn't create a file at /Library/Application Support/Microsoft/scep/modules/data/updfiles/lastupd.ver , but I can see some data inside the application here /Applications/System Center 2012 Endpoint Protection.app/Contents/var/lib/data/data.txt
So this looks like it gets the latest virus def update…
date -r $( grep LastUpdate= "/Applications/System Center 2012 Endpoint Protection.app/Contents/var/lib/data/data.txt" | cut -c12- ) "+%F"
Posted on 02-05-2016 08:03 AM
These snippets are for version 4.5.22 (they don't appear to work on earlier revs of the client, although maybe 4.5.2X in general will work - haven't tested that).
Version reporting:
if [ -f "/Library/Application Support/Microsoft/scep/modules/data/updfiles/lastupd.ver" ]; then
    # scep_kac -v prints "<invocation path> (scep) 4.5.22"; the version is the last field
    VERSION=$( "/Applications/System Center 2012 Endpoint Protection.app/Contents/MacOS/scep_kac" -v | awk '{print $NF}' )
else
    VERSION="File Missing"
fi
echo "<result>$VERSION</result>"
Definition reporting:
if [ -f "/Library/Application Support/Microsoft/scep/modules/data/updfiles/lastupd.ver" ]; then
    # the "version=" line follows the [CONTINUOUS_ENGINE1] header
    VERSION=$( grep -A 1 'CONTINUOUS_ENGINE1]' "/Library/Application Support/Microsoft/scep/modules/data/updfiles/lastupd.ver" | grep version | awk -F"=" '{print $2}' )
else
    VERSION="File Missing"
fi
echo "<result>$VERSION</result>"
Count of realtime scan infections:
if [ -f "/Library/Application Support/Microsoft/scep/logs/stats.onaccess" ]; then
    COUNT=$( grep infected "/Library/Application Support/Microsoft/scep/logs/stats.onaccess" | cut -d' ' -f2 )
else
    COUNT="File Missing"
fi
echo "<result>$COUNT</result>"
Count of Computer Scan infections:
if [ -f "/Library/Application Support/Microsoft/scep/logs/stats.ondemand" ]; then
    COUNT=$( grep infected "/Library/Application Support/Microsoft/scep/logs/stats.ondemand" | cut -d' ' -f2 )
else
    COUNT="File Missing"
fi
echo "<result>$COUNT</result>"
Count of realtime scan items cleaned:
if [ -f "/Library/Application Support/Microsoft/scep/logs/stats.onaccess" ]; then
    COUNT=$( grep cleaned "/Library/Application Support/Microsoft/scep/logs/stats.onaccess" | cut -d' ' -f2 )
else
    COUNT="File Missing"
fi
echo "<result>$COUNT</result>"
Count of Computer Scan Items cleaned:
if [ -f "/Library/Application Support/Microsoft/scep/logs/stats.ondemand" ]; then
    COUNT=$( grep cleaned "/Library/Application Support/Microsoft/scep/logs/stats.ondemand" | cut -d' ' -f2 )
else
    COUNT="File Missing"
fi
echo "<result>$COUNT</result>"
Posted on 02-06-2016 05:10 PM
Hey Everyone,
It's been a year or two, but when I last checked, MS Mac Endpoint Protection did not look for Mac viruses.
Anybody have more up-to-date info and can you point me to documentation that confirms? : )
Thank you very much!!
C
Posted on 06-30-2016 08:49 AM
Quick question.. Has anyone figured out a script to create an exception for certain file paths?
Posted on 11-07-2016 06:57 AM
Hi All,
Has anyone gotten around this... I've tried running the below shell script as a compliance rule setting in SCCM and it seems to show somewhat accurate results by fetching the AVSign value...
Anyone can help please...
Since SCCM doesn't give any additional visibility on the Mac Clients if they are getting AV/Antispam updates or they are infected etc etc... there is a command that can be run on the Terminal of the MacBook client to fetch those details,
!/bash /Applications/ .scep/Contents/MacOS/scep_daemon --status
This command output
RTPStatus=Enabled
ClientVer=4.5.22.0
AVSigsVer=10886 (20141216)
AVSigsDate=2016-11-02T09:22:21
AntivirusAntispywareModVer=1446 (20141208)
SystemState=Maximum protection
AutomaticUpdateSignature=Enabled
StartupScanAfterLogon=Enabled
StartupScanAfterUpdate=Enabled
RTPEventMask=open:create:exec
RTPAdvHeuristic=Disabled
RTPAdvHeuristicExec=Disabled
RTPAdvHeuristicCreate=Enabled
RTPStatistics=Infected:0|Cleaned:0|Deleted:0
ScanStatistics=Infected:0|Cleaned:0|Deleted:0
Much appreciate your support on this...
Regards,
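Building on the scep_daemon --status output quoted above, here is an added example (not from this thread or from Microsoft) that turns that key=value output into a pass/fail verdict usable as a Jamf extension attribute result or an SCCM compliance rule. The sample status text is constructed, and the minimum-acceptable signature date is an assumed parameter you would set to your own policy.

```bash
#!/bin/bash
# Added example: evaluate "scep_daemon --status" output for compliance.
# Real use: scep_compliance 20161001 "$(scep_daemon --status)"
# Constructed sample modelled on the post above (not from a real host):
SAMPLE_STATUS='RTPStatus=Enabled
ClientVer=4.5.22.0
AVSigsVer=10886 (20141216)
AVSigsDate=2016-11-02T09:22:21
AutomaticUpdateSignature=Enabled
RTPStatistics=Infected:0|Cleaned:0|Deleted:0
ScanStatistics=Infected:2|Cleaned:1|Deleted:1'

# status_value KEY STATUS_TEXT -> value of KEY (empty if the key is absent)
status_value() {
  printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# stat_field NAME "Infected:0|Cleaned:0|Deleted:0" -> the number after NAME:
stat_field() {
  printf '%s\n' "$2" | tr '|' '\n' | awk -F: -v k="$1" '$1 == k { print $2; exit }'
}

# scep_compliance MIN_SIG_DATE(YYYYMMDD) STATUS_TEXT
# Prints one <result> line; returns 0 when compliant, 1 otherwise.
scep_compliance() {
  local min_date="$1" status="$2" problems=""
  local rtp autoupd sigs sig_date rtp_inf scan_inf
  rtp=$(status_value RTPStatus "$status")
  autoupd=$(status_value AutomaticUpdateSignature "$status")
  sigs=$(status_value AVSigsVer "$status")
  # AVSigsVer looks like "10886 (20141216)"; keep the YYYYMMDD in parentheses
  sig_date=$(printf '%s' "$sigs" | sed -n 's/.*(\([0-9]\{8\}\)).*/\1/p')
  rtp_inf=$(stat_field Infected "$(status_value RTPStatistics "$status")")
  scan_inf=$(stat_field Infected "$(status_value ScanStatistics "$status")")

  [ "$rtp" = "Enabled" ] || problems="$problems RTP_off"
  [ "$autoupd" = "Enabled" ] || problems="$problems AutoUpdate_off"
  # YYYYMMDD compares correctly as an integer; a missing date counts as stale
  [ -n "$sig_date" ] && [ "$sig_date" -ge "$min_date" ] || problems="$problems Sigs_stale($sig_date)"
  [ "${rtp_inf:-0}" -eq 0 ] && [ "${scan_inf:-0}" -eq 0 ] || problems="$problems Infections(rtp=$rtp_inf,scan=$scan_inf)"

  if [ -z "$problems" ]; then
    echo "<result>Compliant sigs=$sig_date</result>"; return 0
  fi
  echo "<result>NonCompliant:$problems</result>"; return 1
}

scep_compliance 20161001 "$SAMPLE_STATUS" || echo "exit status $?"
```

On the constructed sample the signature date (20141216) is older than the threshold and the on-demand scan shows infections, so the verdict is NonCompliant with both reasons listed.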
Posted on 01-11-2017 02:27 PM
Hi Guys,
How do you push out definition updates, whether using Casper or ARD?
Thanks.
Posted on 01-19-2017 05:58 PM
@wangl2 SCEP should be pulling its definition updates down by default.
Posted on 05-03-2017 07:36 AM
Am I the only one experiencing a massive lag while starting up SCEP for the first time after startup of my clients?
SCEP causes a frozen macOS for at least 20-30 seconds.
Even the Activity Monitor is not able to log during the startup of SCEP.
Posted on 08-15-2017 02:42 PM
Anyone have anything new to add?
We have been using SCEP for both Windows and Mac, and management would like to get reporting like the Windows side has.
I did come across an older UserVoice requesting that the Windows reporting functionality be added to the Mac client:
https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/12514446-make-the-same-report-functions-available-in-ep-mac
Posted on 11-22-2017 06:55 AM
FYI @neil.martin83 did a great job documenting some of this!
Part 1 - Changing global settings with scep_set
Part 2 - Reading the logs
Part 3 - User-specific GUI preferences
Posted on 11-16-2018 09:08 AM
This is a great thread - thank you all for sharing the approaches and code to capture SCEP extension attributes/initiate scans/etc.! We were looking at moving to SCEP exclusively as well but were just made aware that System Center Endpoint Protection for macOS and Linux will be EOL by the end of the year (2018):
https://techcommunity.microsoft.com/t5/Configuration-Manager-Blog/End-of-Support-for-SCEP-for-Mac-and-SCEP-for-Linux-on-December/ba-p/286257
It looks like ESET may still be a possibility for macOS but the Linux version will be completely gone. I am wagering that much of the knowledge in this thread will also apply to ESET since SCEP is essentially the same product. We will see.
Just wanted to pass this along.
Thank you all again,
-Neil
Posted on 11-27-2018 04:12 PM
@nssabol have you tested to see if the cfg file works the same using ESET?
Posted on 11-28-2018 11:06 AM
Hey everyone,
I'm helping evaluate moving to ESET from SCEP for a year after the announcement. If anyone comes across helpful info, it would be appreciated! We just tested ESET on a fresh 10.14 install and there are a few prompts for profiles that look like they'll be added to the 10.9 release?
1st prompt: requests access to the entire disk, must be user/profile approved.
2nd prompt: New network connection detected (asks for profile)
Posted on 12-11-2018 09:13 PM
This article is awesome..
https://soundmacguy.wordpress.com/2017/09/18/managing-microsoft-system-center-endpoint-protection-scep-part-1/
https://soundmacguy.wordpress.com/2017/09/26/managing-microsoft-system-center-endpoint-protection-scep-part-2/
https://soundmacguy.wordpress.com/2017/11/19/managing-microsoft-system-center-endpoint-protection-scep-part-3/
I used this to configure all my settings... and I have had zero problems. Also do you have your Approve Kernel extensions profile configured in the JSS?
Posted on 12-12-2018 04:27 AM
According to the ESET forum, the FDA prompt will be correctly profile configurable (PPPC/TCC) in the next version, out ~January 2019.