MS Defender's Real-Time protection is unrestricted

srysh_sinha
New Contributor

I have created a configuration profile using the "Application and Custom Settings" payload with the application domain "com.microsoft.wdav", where I am enabling "Real-Time Protection" (attached screenshot). When I push this config profile, it enables "Real-Time Protection" on the device and makes it restricted (attached screenshot), stating "This setting is managed by the organisation".
When I upgrade macOS to 14.7, the real-time protection setting suddenly becomes unrestricted. As far as I know, any application setting managed by Jamf is restricted by default. Hence, I need your help to understand why the setting reverted after the OS upgrade, and how I can ensure that real-time protection stays restricted so the user cannot change it.


shyam9490
New Contributor II

Are the profiles still installed on your machine after you upgraded to 14.7?

Yes, it is applied, but the setting is unmanaged. The user can disable real-time protection manually.
I have made new discoveries. If I clone the existing config profile and deploy it as a new profile, then the "mdatp health" command shows "real_time_protection_enabled : true [managed]". If I unscope and re-add the device on the existing config policy, it shows unmanaged ("real_time_protection_enabled : true").
I have 2 config profiles with the same preference domain "com.microsoft.wdav.plist", in which I have enabled:
1. Defender configuration settings such as Tamper Protection, Real-Time Protection, Diagnostic data collection, Use Data Loss Prevention, etc.
2. Device Control and Data Loss Prevention version 2.
Is this the reason it is causing some kind of conflict?

byrnese
New Contributor III

Jamf layers restrictions and settings, so it shouldn't be an issue with 2 config profiles unless you are pushing 2 versions of the same setting, but I'd recommend consolidating them.


We have 2 config profiles from testing: one with DLP only and one with all settings plus DLP. Since the settings are identical we don't see an issue, but the 2-payload deployment is limited to our team. We use a single profile company-wide.

pete_c
Contributor III

If you have more than one profile with the same identifier (i.e. com.microsoft.wdav), only the first profile installed will take effect. Profiles are not cumulative.
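To spot the situation pete_c describes before deploying, a script can read the exported .mobileconfig files and list every preference key that more than one profile sets for the same domain. This is an added example, not code from the thread or from Jamf; the two profiles are constructed inline, and the antivirusEngine/tamperProtection/dlp key names are assumed from Microsoft's published Defender for Endpoint on macOS schema rather than taken from the original posts.

```python
import plistlib

# Constructed sample profiles (assumption: Jamf's "Application & Custom Settings"
# payload uses the preference domain as PayloadType and puts the keys inline).
PROFILE_A = plistlib.dumps({
    "PayloadIdentifier": "example.defender.settings",
    "PayloadContent": [{
        "PayloadType": "com.microsoft.wdav",
        "PayloadIdentifier": "example.defender.settings.wdav",
        "antivirusEngine": {"enforcementLevel": "real_time"},
        "tamperProtection": {"enforcementLevel": "block"},
    }],
})
PROFILE_B = plistlib.dumps({
    "PayloadIdentifier": "example.defender.dlp",
    "PayloadContent": [{
        "PayloadType": "com.microsoft.wdav",
        "PayloadIdentifier": "example.defender.dlp.wdav",
        "dlp": {"features": [{"name": "DLP_browser_scan", "state": "enabled"}]},
        # Same key as PROFILE_A with a different value: only one profile will win.
        "antivirusEngine": {"enforcementLevel": "passive"},
    }],
})

# Payload metadata keys that are not preference settings.
RESERVED = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion",
            "PayloadDisplayName", "PayloadEnabled", "PayloadOrganization",
            "PayloadDescription"}

def flatten(d, prefix=""):
    """Turn nested preference dicts into dotted key paths -> leaf values."""
    out = {}
    for k, v in d.items():
        if k in RESERVED:
            continue
        path = f"{prefix}.{k}" if prefix else k
        out.update(flatten(v, path) if isinstance(v, dict) else {path: v})
    return out

def domain_settings(profile_bytes, domain):
    """Collect every setting a profile applies to the given preference domain."""
    merged = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == domain:
            merged.update(flatten(payload))
    return merged

def find_overlaps(profiles, domain):
    """Return {key: {profile_id: value}} for keys set by more than one profile."""
    seen = {}
    for raw in profiles:
        pid = plistlib.loads(raw)["PayloadIdentifier"]
        for key, val in domain_settings(raw, domain).items():
            seen.setdefault(key, {})[pid] = val
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Any key reported by find_overlaps is one whose effective value depends on profile installation order, which is exactly what makes a setting show up as unmanaged or flip after an OS upgrade.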

Shyamsundar
Contributor

Please check for any spaces in the plist file, or any other mismatch.