- Jamf Nation Community
- Products
- Jamf Pro
- MS Defender Launch daemon
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
MS Defender Launch daemon
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-30-2023 08:36 PM
Hi,
I'm very much a novice when it comes to launch daemons and the instruction on this page have me flummoxed https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-schedule-scan?view=o3...
Under the sub heading "Load your file" it has <your file name.plist> I cannot find any reference to this "Your file name.plist"
Any assistance with this would be greatly appreciated.
Thanks
Matt
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-01-2023 05:24 AM - edited 05-01-2023 05:25 AM
@mattedmonds You will use the contents shown under the "Schedule a quick scan" or "Schedule a full scan" sections to create the .plist file which tells MSDefender what type of scan to run. Once you've created it, you use that file name in the command that the "Load your file" section has you run.
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-01-2023 06:00 PM
Hi sdagley I did try that but got this response
itsupport@Workhorse ~ % launchctl load -w /Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist
Warning: Expecting a LaunchAgents path since the command was ran as user. Got LaunchDaemons instead.
`launchctl bootstrap` is a recommended alternative.
Load failed: 5: Input/output error
Try running `launchctl bootstrap` as root for richer errors.
So I tried running as SUDO and got this response
itsupport@Workhorse ~ % sudo launchctl load -w /Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist
/Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plist: Invalid property list
Load failed: 109: Invalid property list
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-01-2023 07:14 PM - edited 05-01-2023 07:15 PM
@mattedmonds When you created your .plist was the DOCTYPE line a single line like this (it's supposed to be one line but the forum software seems determined to wrap the text):
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
If not edit it so it's on one line as shown above because it's not supposed to be broken after the EN" like the MS article shows (or how it gets copied to the pasteboard if you click the Copy button).
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-01-2023 07:49 PM
@sdagley Thanks for that it worked. if I'm deploying these together as a package to target devices do I need to run the line "launchctl load -w /Library/LaunchDaemons/<your file name.plist>" under the "execute command" in Files and processes?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-01-2023 08:13 PM
@mattedmonds If you're creating a .pkg in Composer to deploy the .plist I'd recommend creating a postinstall script for that .pkg that runs these commands (note that I change the launchctl load to the newer launchctl bootstrap):
chown root:wheel /Library/LaunchDaemons/com.microsoft.wdav.sched*
chmod 644 /Library/LaunchDaemons/com.microsoft.wdav.sched*
xattr -c /Library/LaunchDaemons/com.microsoft.wdav.sched*
launchctl bootstrap system /Library/LaunchDaemons/com.microsoft.wdav.schedfullscan.plistThis way the .pkg will both install the .plist and run it.
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-01-2023 09:02 PM
excellent! I was thinking that might be the way. Thank you for all your help
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-14-2023 04:56 PM
Glad i found this thread, thankyou for the "launchctl bootstrap system" change info. Helped me allot.
I also wanted to add to this thread, did you know that you can create a .plist file in a script instead of creating the .plist file and having to create a .pkg via composer then upload it to jamf ? Instead follow the script below to create the .plist file , put it where you want , change the attributes and then load it. (ours was setting a daily quick scan)
#!/bin/bash
cat << EOF > /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.microsoft.wdav.schedquickscan</string>
<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c</string>
<string>/usr/local/bin/mdatp scan quick</string>
</array>
<key>StartCalendarInterval</key>
<dict>
<key>Hour</key>
<integer>12</integer>
<key>Minute</key>
<integer>00</integer>
</dict>
<key>WorkingDirectory</key>
<string>/usr/local/bin/</string>
</dict>
</plist>
EOF
chown root:wheel /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist
chmod 644 /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist
sudo xattr -c /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist
/bin/launchctl bootstrap system /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist
