Microsoft Defender

Musicmaker
New Contributor III

Hi folks,

I am testing Microsoft Defender on macOS.
For setting up the configuration profiles and policies I have been using this article:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=...
and
https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/defender-endp...

Everything is working as expected. So now it's time to make some customizations.
In the Defender client I can see this in the section 'Exclusions':

When setting up the configuration profile with the title 'MDATP MDAV configuration settings' I used the schema.json file from Defender's GitHub repository. 

Now I want to change the exclusions. Remove some from the example and add some new ones which are mentioned here: https://community.jamf.com/t5/jamf-pro/recommended-anti-virus-exclusions/m-p/42833

Can anyone explain how to accomplish this? Because in the JSON file I can't find the exclusions for PDF or /home.

As mentioned before, I chose to use the JSON file. I know that you can also use the legacy method by importing the com.microsoft.wdav.plist. That way you can just edit the .plist file. Which, by the way, is still not as user friendly as adding/changing exclusions in EPO/McAfee.

1 ACCEPTED SOLUTION

daniel_behan
Contributor II

The documentation here explains the options https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-exclusions?view=o365-w...

It's basically Path, Extension or Process Name.

When you use the json file, you'll add each individual option with corresponding drop-down menus.

Take note, when choosing Path, to enable or disable the box stating whether the path leads to a file or a directory.


4 REPLIES 4

Thanks for your reply.

I'm familiar with the documentation you've mentioned. But I was wondering if I needed to change some lines in the JSON schema. But now I've discovered that I had to add properties under "Preference Domain Properties".
I've added "Antivirus engine". Within that property I've added "Scan Exclusions".  There I can add the exclusions I want. This way of adding features when using the JSON file is not mentioned in the documentation from Microsoft for Jamf. Or…did I just not read the right documentation?

At this point I've created some exclusions and I noticed some weird behaviour. After creating some exclusions, saving the configuration profile and deploying it to a test machine, I can see the exclusions on my machine. But when I add another exclusion or edit something else in the cp, the weird thing is happening. After the change has been deployed to the machine, the exclusions in the Endpoint client are back to default. Exactly like the screendump in my first post.
When going into "Profiles" and opening that specific cp, I can see my changes, but the Defender client is not showing these exclusions. Only after a restart it will apply the new exclusions. Any thoughts? 

Unfortunately I can't edit my previous post. But I've found out why the default exclusions came back. During the setup with the MS documentation there was also a cp created with the .plist settings. In this plist were those default exclusions. I've removed that one and all is fine.

For now I have to find out how to disable the functionality to add exclusions by the user. At this point, my users should be able to add anything as an exclusion :-).
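
The conflict described in the post above, a leftover .plist profile and the schema-based profile both setting Defender exclusions, can be checked for before deployment. This is an added example, not code from the thread, Microsoft or Jamf: it assumes each profile's com.microsoft.wdav payload has been exported as a plist, the function names and sample payloads are constructed, and the key names (`antivirusEngine`, `exclusions`, `$type`, `isDirectory`) follow Microsoft's documented Defender for macOS preferences.

```python
import plistlib

def normalize(entry):
    """Reduce one exclusion dict to a comparable tuple (Path, Extension or Process Name)."""
    kind = entry.get("$type")
    if kind == "excludedPath":
        # isDirectory is the file-vs-directory box mentioned in the accepted solution
        return ("path", entry["path"], "dir" if entry.get("isDirectory") else "file")
    if kind == "excludedFileExtension":
        return ("extension", entry["extension"])
    if kind == "excludedFileName":
        return ("process", entry["name"])
    return ("unknown", str(kind))

def exclusions_in(plist_bytes):
    """Exclusions a com.microsoft.wdav payload defines, or None if it does not set the key."""
    engine = plistlib.loads(plist_bytes).get("antivirusEngine", {})
    if "exclusions" not in engine:
        return None
    return {normalize(e) for e in engine["exclusions"]}

def competing_profiles(payloads):
    """payloads: {profile name: plist bytes}. Returns every profile that manages
    antivirusEngine.exclusions when more than one does, otherwise {}."""
    found = {}
    for name, data in payloads.items():
        excl = exclusions_in(data)
        if excl is not None:
            found[name] = excl
    return found if len(found) > 1 else {}

# Constructed sample payloads (not taken from the thread's actual profiles)
LEGACY_PLIST = plistlib.dumps({"antivirusEngine": {"exclusions": [
    {"$type": "excludedFileExtension", "extension": "pdf"},
    {"$type": "excludedPath", "isDirectory": True, "path": "/home"},
]}})
SCHEMA_PROFILE = plistlib.dumps({"antivirusEngine": {"exclusions": [
    {"$type": "excludedPath", "isDirectory": True,
     "path": "/Library/Application Support/JAMF"},
    {"$type": "excludedFileName", "name": "jamf"},
]}})
OTHER_PROFILE = plistlib.dumps({"cloudService": {"enabled": True}})

if __name__ == "__main__":
    report = competing_profiles({"legacy plist": LEGACY_PLIST,
                                 "schema profile": SCHEMA_PROFILE,
                                 "cloud settings": OTHER_PROFILE})
    for name, excl in report.items():
        print(f"{name} sets exclusions: {sorted(excl)}")
```
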

dpwlg
New Contributor III

Would we need to set up these profiles now since the Jamf catalog has Defender available for distribution?