MS Defender Launch daemon

mattedmonds
New Contributor II

Hi,

I'm very much a novice when it comes to launch daemons, and the instructions on this page have me flummoxed: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-schedule-scan?view=o3...

Under the subheading "Load your file" it has <your file name.plist>. I cannot find any reference to this "Your file name.plist".

Any assistance with this would be greatly appreciated.

Thanks

Matt


sdagley
Esteemed Contributor II

@mattedmonds You will use the contents shown under the "Schedule a quick scan" or "Schedule a full scan" sections to create the .plist file which tells MSDefender what type of scan to run. Once you've created it, you use that file name in the command that the "Load your file" section has you run.

mattedmonds
New Contributor II

Hi sdagley, I did try that but got this response:

itsupport@Workhorse ~ % launchctl load -w /Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist
Warning: Expecting a LaunchAgents path since the command was ran as user. Got LaunchDaemons instead.
`launchctl bootstrap` is a recommended alternative.
Load failed: 5: Input/output error
Try running `launchctl bootstrap` as root for richer errors.

So I tried running as sudo and got this response:

itsupport@Workhorse ~ % sudo launchctl load -w /Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist
/Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist: Invalid property list
Load failed: 109: Invalid property list

sdagley
Esteemed Contributor II

@mattedmonds When you created your .plist, was the DOCTYPE line a single line like this (it's supposed to be one line but the forum software seems determined to wrap the text):

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

If not, edit it so it's on one line as shown above, because it's not supposed to be broken after the EN" like the MS article shows (or how it gets copied to the pasteboard if you click the Copy button).

mattedmonds
New Contributor II

@sdagley Thanks for that, it worked. If I'm deploying these together as a package to target devices, do I need to run the line "launchctl load -w /Library/LaunchDaemons/<your file name.plist>" under the "execute command" in Files and processes?

sdagley
Esteemed Contributor II

@mattedmonds If you're creating a .pkg in Composer to deploy the .plist I'd recommend creating a postinstall script for that .pkg that runs these commands (note that I change the launchctl load to the newer launchctl bootstrap): 

chown root:wheel /Library/LaunchDaemons/com.microsoft.wdav.sched*
chmod 644 /Library/LaunchDaemons/com.microsoft.wdav.sched*
xattr -c /Library/LaunchDaemons/com.microsoft.wdav.sched*     
launchctl bootstrap system /Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist

This way the .pkg will both install the .plist and run it.
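
A preflight that a postinstall script could run before `launchctl bootstrap`, added here as an example and not part of the original thread: it checks the single-line DOCTYPE discussed above plus the ownership and mode the script sets, which matter because a LaunchDaemon runs its command as root. The function names are hypothetical, and `plutil -lint` is used only where it is present (macOS).

```bash
#!/bin/bash
# Added example (not from the thread): preflight checks for a LaunchDaemon
# plist before `launchctl bootstrap system`. Function names are hypothetical.

PLIST_DOCTYPE='<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'

# Succeeds only if the complete DOCTYPE declaration is on one line.
doctype_on_one_line() {
    grep -qF -- "$PLIST_DOCTYPE" "$1" 2>/dev/null
}

# Succeeds only if the path is a regular file with mode exactly 644.
mode_is_644() {
    [ -n "$(find "$1" -prune -type f -perm 644 2>/dev/null)" ]
}

# Succeeds only if owner is uid 0 (root) and group is gid 0 (wheel on macOS).
owned_by_root_wheel() {
    [ -n "$(find "$1" -prune -type f -user 0 -group 0 2>/dev/null)" ]
}

# Runs every check, reports each failure on stderr, returns 0 only if all pass.
preflight() {
    pf_rc=0
    doctype_on_one_line "$1" || { echo "FAIL: DOCTYPE not on one line: $1" >&2; pf_rc=1; }
    mode_is_644 "$1"         || { echo "FAIL: mode is not 644: $1" >&2; pf_rc=1; }
    owned_by_root_wheel "$1" || { echo "FAIL: not owned by root:wheel: $1" >&2; pf_rc=1; }
    # plutil ships with macOS; skip the lint where it is absent.
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$1" >/dev/null || { echo "FAIL: plutil -lint: $1" >&2; pf_rc=1; }
    fi
    return "$pf_rc"
}

# Usage in a postinstall script: bootstrap only when the preflight passes.
#   preflight "$plist" && launchctl bootstrap system "$plist"
[ "$#" -eq 0 ] || preflight "$1"
```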

mattedmonds
New Contributor II

Excellent! I was thinking that might be the way. Thank you for all your help.

TheITGuy69
Contributor

Glad I found this thread, thank you for the "launchctl bootstrap system" change info. Helped me a lot.

I also wanted to add to this thread: did you know that you can create a .plist file in a script instead of creating the .plist file and having to create a .pkg via Composer and then upload it to Jamf? Instead, follow the script below to create the .plist file, put it where you want, change the attributes and then load it. (Ours was setting a daily quick scan.)

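#!/bin/bash

# Write the LaunchDaemon plist. The heredoc delimiter is quoted so the shell
# expands nothing inside it, and the XML declaration is the first line of the file.
cat << 'EOF' > /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist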
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.microsoft.wdav.schedquickscan</string>
<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c</string>
<string>/usr/local/bin/mdatp scan quick</string>
</array>
<key>StartCalendarInterval</key>
<dict>
<key>Hour</key>
<integer>12</integer>
<key>Minute</key>
<integer>00</integer>
</dict>
<key>WorkingDirectory</key>
<string>/usr/local/bin/</string>
</dict>
</plist>
EOF

# Set ownership and mode, clear extended attributes, then load the daemon.
# The script has to run as root for chown and bootstrap to work, so sudo is not needed.
chown root:wheel /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist
chmod 644 /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist
xattr -c /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist
/bin/launchctl bootstrap system /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist