diff --git a/CloudAppSecurityDocs/discovery-docker-ubuntu-azure.md b/CloudAppSecurityDocs/discovery-docker-ubuntu-azure.md index e2fb25732d..7b6a1d8926 100644 --- a/CloudAppSecurityDocs/discovery-docker-ubuntu-azure.md +++ b/CloudAppSecurityDocs/discovery-docker-ubuntu-azure.md @@ -46,7 +46,7 @@ If you require more than 10 data sources, we recommend that you split the data s To work with a network appliance that isn't listed, select **Other > Customer log format** or **Other (manual only)**. For more information, see [Working with the custom log parser](custom-log-parser.md). >[!NOTE] - >Integrating with secure transfer protocols (FTPS and Syslog – TLS) often requires additional settings or your firewall/proxy. + >Integrating with secure transfer protocols (FTPS and Syslog – TLS) often requires additional settings on your firewall/proxy. For more information, see [Advanced log collector management](log-collector-advanced-management.md). Repeat this process for each firewall and proxy whose logs can be used to detect traffic on your network. diff --git a/CloudAppSecurityDocs/index.yml b/CloudAppSecurityDocs/index.yml index a817134dbc..e9cd62edb5 100644 --- a/CloudAppSecurityDocs/index.yml +++ b/CloudAppSecurityDocs/index.yml @@ -48,6 +48,8 @@ landingContent: links: - text: Basic setup url: general-setup.md + - text: Connect cloud apps + url: enable-instant-visibility-protection-and-governance-actions-for-your-apps.md - text: View and manage security posture url: security-saas.md - linkListType: concept @@ -70,8 +72,6 @@ landingContent: links: - text: Calculate risk scores url: risk-score.md - - text: Connect cloud apps - url: enable-instant-visibility-protection-and-governance-actions-for-your-apps.md - text: Collect logs url: discovery-docker.md - text: Discover and manage shadow IT 
@@ -137,4 +137,4 @@ landingContent: - text: Monitor and respond to unusual data usage url: app-governance-monitor-apps-unusual-data-usage.md - text: Secure apps with app hygiene - url: app-governance-secure-apps-app-hygiene-features.md \ No newline at end of file + url: app-governance-secure-apps-app-hygiene-features.md diff --git a/CloudAppSecurityDocs/log-collector-advanced-management.md b/CloudAppSecurityDocs/log-collector-advanced-management.md index 82269e8048..236ac0013a 100644 --- a/CloudAppSecurityDocs/log-collector-advanced-management.md +++ b/CloudAppSecurityDocs/log-collector-advanced-management.md @@ -50,9 +50,9 @@ You should be able to view the following contents: - `ssl_update` - `config.json` -### Customize certificate files +### Add certificate files -This procedure describes how to customize the certificate files used for secure connections to the cloud discovery Docker instance. +This procedure describes how to add the required certificate files used for secure connections to the cloud discovery Docker instance. 1. Open an FTP client and connect to the log collector host. @@ -63,7 +63,7 @@ This procedure describes how to customize the certificate files used for secure | **FTP** |- **pure-ftpd.pem**: Includes the key and certificate data | | **Syslog** |- **ca.pem**: The certificate authority's certificate that was used to sign the client’s certificate.
- **server-key.pem** and **server-cert.pem**: The log collector's certificate and key

Syslog messages are sent over TLS to the log collector, which requires mutual TLS authentication, including authenticating both the client and server certificates. | - Filenames are mandatory. If any of the files are missing, the update fails. +Files are mandatory. If any of the files for the receiver type are missing, the update fails. 1. In a terminal window, run: @@ -161,7 +161,7 @@ docker cp Proxy-CA.crt Ubuntu-LogCollector:/var/adallom/ftp/discovery To secure the docker image and ensure that only one IP address is allowed to send the syslog messages to the log collector, create an IP table rule on the host machine to allow input traffic and drop the traffic coming over specific ports, such as TCP/601 or UDP/514, depending on the deployment. -The following command shows an example of how to create an IP table rule that can be added to the host machine. This table rule allows the IP address `1.2.3.4`` to connect to the log collector container over TCP port 601, and drop all other connections coming from other IP addresses over the same port. +The following command shows an example of how to create an IP table rule that can be added to the host machine. This table rule allows the IP address `1.2.3.4` to connect to the log collector container over TCP port 601, and drop all other connections coming from other IP addresses over the same port. ```bash iptables -I DOCKER-USER \! --src 1.2.3.4 -m tcp -p tcp --dport 601 -j DROP @@ -171,7 +171,7 @@ iptables -I DOCKER-USER \! --src 1.2.3.4 -m tcp -p tcp --dport 601 -j DROP The container is now ready. -Run the **collector_config** command using the API token that you used during the creation of your log collector. For example: +Run the `collector_config` command using the API token that you used during the creation of your log collector. For example: :::image type="content" source="media/log-collector-advanced-tasks/docker-3.png" alt-text="Screenshot of the Create log collector dialog." border="false"::: 
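Review bot: the iptables example in the `@@ -161` hunk of log-collector-advanced-management.md covers only TCP/601, while the sentence before it says the listener may be TCP/601 or UDP/514 depending on the deployment. If syslog is received over UDP/514, that port stays reachable from any source unless a matching rule is added, for example `iptables -I DOCKER-USER \! --src 1.2.3.4 -p udp --dport 514 -j DROP`; the text should say one rule per listening port is required. It is also worth a sentence that a source-IP filter on UDP is a weak control, since UDP source addresses are trivially spoofed, which is one more reason to prefer the TLS-based receiver the page describes above.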
@@ -520,7 +520,7 @@ Compare the output file (`/tmp/log.log`) to the messages stored in the `/var/ada When updating your log collector: - **Before installing the new version**, make sure to stop your log collector and remove the current image. -- **After installing the new version**, [update your certificate files](#customize-certificate-files). +- **After installing the new version**, [update your certificate files](#add-certificate-files). ## Next steps diff --git a/defender-endpoint/aggregated-reporting.md b/defender-endpoint/aggregated-reporting.md index e2e0ae2054..b9fa4b0ac2 100644 --- a/defender-endpoint/aggregated-reporting.md +++ b/defender-endpoint/aggregated-reporting.md @@ -61,9 +61,9 @@ Aggregated reporting supports the following event types: > [!div class="mx-tdBreakAll"] > |Action type|Advanced hunting table|Device timeline presentation|Properties| > |:---|:---|:-------|:-------------------------------| -> |FileCreatedAggregatedReport|DeviceFileEvents|{ProcessName} created {Occurrences} {FilePath} files|1. File path
2. Process name
3. Process name| ->|FileRenamedAggregatedReport|DeviceFileEvents|{ProcessName} renamed {Occurrences} {FilePath} files|1. File path
2. Process name
3. Process name| -> |FileModifiedAggregatedReport|DeviceFileEvents|{ProcessName} modified {Occurrences} {FilePath} files|1. File path
2. Process name
3. Process name| +> |FileCreatedAggregatedReport|DeviceFileEvents|{ProcessName} created {Occurrences} {FilePath} files|1. File path
2. File extension
3. Process name| +>|FileRenamedAggregatedReport|DeviceFileEvents|{ProcessName} renamed {Occurrences} {FilePath} files|1. File path
2. File extension
3. Process name| +> |FileModifiedAggregatedReport|DeviceFileEvents|{ProcessName} modified {Occurrences} {FilePath} files|1. File path
2. File extension
3. Process name| > |ProcessCreatedAggregatedReport|DeviceProcessEvents|{InitiatingProcessName} created {Occurrences} {ProcessName} processes|1. Initiating process command line
2. Initiating process SHA1
3. Initiating process file path
4. Process command line
5. Process SHA1
6. Folder path| > |ConnectionSuccessAggregatedReport|DeviceNetworkEvents|{InitiatingProcessName} established {Occurrences} connections with {RemoteIP}:{RemotePort}|1. Initiating process name
2. Source IP
3. Remote IP
4. Remote port| > |ConnectionFailedAggregatedReport|DeviceNetworkEvents|{InitiatingProcessName} failed to establish {Occurrences} connections with {RemoteIP:RemotePort}|1. Initiating process name
2. Source IP
3. Remote IP
4. Remote port| @@ -92,7 +92,7 @@ You can use the following KQL queries to gather specific information using aggre The following query highlights noisy process activity, which can be correlated with malicious signals. -```KQL +```Kusto DeviceProcessEvents | where Timestamp > ago(1h) | where ActionType == "ProcessCreatedAggregatedReport" @@ -105,7 +105,7 @@ DeviceProcessEvents The following query identifies repeated sign-in attempt failures. -```KQL +```Kusto DeviceLogonEvents | where Timestamp > ago(30d) | where ActionType == "LogonFailedAggregatedReport" @@ -119,7 +119,7 @@ DeviceLogonEvents The following query identifies suspicious RDP connections, which might indicate malicious activity. -```KQL +```Kusto DeviceNetworkEvents | where Timestamp > ago(1d) | where ActionType endswith "AggregatedReport" diff --git a/defender-endpoint/mac-device-control-faq.md b/defender-endpoint/mac-device-control-faq.md index 910648aad3..edf7e1c0ff 100644 --- a/defender-endpoint/mac-device-control-faq.md +++ b/defender-endpoint/mac-device-control-faq.md @@ -2,8 +2,9 @@ title: macOS Device control policies frequently asked questions (FAQ) description: Get answers to common questions about device control policies using JAMF or Intune. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro 
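Review bot: in the event-type table hunk (`@@ -61`) of aggregated-reporting.md, the unchanged `ConnectionFailedAggregatedReport` row renders the target as `{RemoteIP:RemotePort}` while the `ConnectionSuccessAggregatedReport` row directly above uses `{RemoteIP}:{RemotePort}`. The failed-connection row should use the same placeholder form; since this hunk already rewrites the neighbouring rows, fix it here rather than in a follow-up.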
@@ -39,7 +40,7 @@ Answer: Run _mdatp device-control policy preferences list_ to see all the iOS po :::image type="content" source="media/macos-device-control-faq-enabled-default-enforcement.png" alt-text="Shows how to run mdatp device-control policy preferences list to see if a device is Device Control enabled. " lightbox="media/macos-device-control-faq-enabled-default-enforcement.png"::: -### How do I know whether the policy has been delivered to the client machine? +### How do I know if the policy is delivered to the client machine? Answer: Run _mdatp device-control policy rules list_ to see all the iOS policies on this machine: diff --git a/defender-endpoint/mac-device-control-intune.md b/defender-endpoint/mac-device-control-intune.md index 41104b88e7..6d87c43074 100644 --- a/defender-endpoint/mac-device-control-intune.md +++ b/defender-endpoint/mac-device-control-intune.md @@ -2,8 +2,9 @@ title: Deploy and manage Device Control using Intune description: Learn how to deploy and manage device control policies using Intune. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro 
@@ -44,7 +45,7 @@ Before you get started with Removable Storage Access Control, you must confirm y Now, you have `groups`, `rules`, and `settings`, replace the mobileconfig file with those values and put it under the Device Control node. Here's the demo file: [mdatp-devicecontrol/demo.mobileconfig at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/mobileconfig/demo.mobileconfig). Make sure validate your policy with the JSON schema and make sure your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json). > [!NOTE] -> See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups. +> See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups. ### Deploy the mobileconfig file using Intune diff --git a/defender-endpoint/mac-device-control-jamf.md b/defender-endpoint/mac-device-control-jamf.md index 45fdb6f6ec..8c5aa2b27e 100644 --- a/defender-endpoint/mac-device-control-jamf.md +++ b/defender-endpoint/mac-device-control-jamf.md @@ -2,8 +2,9 @@ title: Deploy and manage device control using JAMF description: Learn how to use device control policies using JAMF. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro 
@@ -42,27 +43,27 @@ Before you get started with Removable Storage Access Control, you must confirm y ### Step 1: Create policy JSON -Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here is the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json). +Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here's the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json). -See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups. +See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups. ### Step 2: Update MDE Preferences Schema -The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) has been updated to include the new `deviceControl/policy` key. 
The existing MDE Preferences configuration profile should be updated to use the new schema file's content. +The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) is updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content. :::image type="content" source="media/macos-device-control-jamf-mde-preferences-schema.png" alt-text="Shows where to edit the Microsoft Defender for Endpoint Preferences Schema to update." lightbox="media/macos-device-control-jamf-mde-preferences-schema.png"::: ### Step 3: Add Device Control Policy to MDE Preferences -A new 'Device Control' property will now be available to add to the UX. +A new 'Device Control' property is now available to add to the UX. 1. Select the topmost **Add/Remove properties** button, then select **Device Control** and press **Apply**. :::image type="content" source="media/macos-device-control-jamf-device-control-property.png" alt-text="Shows how to add Device Control in Microsoft Defender for Endpoint" lightbox="media/macos-device-control-jamf-device-control-property.png"::: -2. Next, scroll down until you see the **Device Control** property (it will be the bottommost entry), and select **Add/Remove properties** directly underneath it. +2. Next, scroll down until you see the **Device Control** property (it's the bottommost entry), and select **Add/Remove properties** directly underneath it. -3. Select **Device Control Policy**, and then click **Apply**. +3. Select **Device Control Policy**, and then select **Apply**. :::image type="content" source="media/macos-device-control-jamf-device-control-add-remove-property.png" alt-text="Shows how to apply Device Control Policy in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-add-remove-property.png"::: 
diff --git a/defender-endpoint/mac-device-control-manual.md b/defender-endpoint/mac-device-control-manual.md index f943626a0a..875e139d24 100644 --- a/defender-endpoint/mac-device-control-manual.md +++ b/defender-endpoint/mac-device-control-manual.md @@ -2,8 +2,9 @@ title: Deploy and manage device control manually description: Learn how to use device control policies manually. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-device-control-overview.md b/defender-endpoint/mac-device-control-overview.md index b0b3645d89..b06388ed12 100644 --- a/defender-endpoint/mac-device-control-overview.md +++ b/defender-endpoint/mac-device-control-overview.md @@ -2,8 +2,9 @@ title: Device control for macOS description: Learn how to configure Microsoft Defender for Endpoint on Mac to reduce threats from removable storage such as USB devices. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro 
@@ -51,7 +52,7 @@ Microsoft Defender for Endpoint Device Control feature enables you to: - Microsoft Defender for Endpoint entitlement (can be trial) - Minimum OS version: macOS 11 or higher -- Deploy Full Disk Access: you may already have previously created and deployed this [https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) for other MDE features. You need to grant Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`. +- Deploy Full Disk Access: you might have created and deployed this [https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) for other MDE features. You need to grant Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`. - Enable Device Control on the MDE Preference setting: - Data Loss Prevention (DLP)/Features/ @@ -89,7 +90,7 @@ Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/ ## Understanding policies -Policies determine the behavior of device control for macOS. The policy is targeted via Intune or JAMF to a collection of machines or users. +Policies determine the behavior of device control for macOS. The policy is targeted via Intune or JAMF to a collection of machines or users. The Device Control for macOS policy includes settings, groups, and rules: 
@@ -111,9 +112,9 @@ The Device Control for macOS policy includes settings, groups, and rules: Device control for macOS has similar capabilities to Device control for Windows, but macOS and Windows provide different underlying capabilities to manage devices, so there are some important differences: -- macOS doesn't have a centralized Device Manager or view of devices. Access is granted/denied to applications that interact with devices. This is why on macOS there are a richer set of [access types](#access-types). For example on a ```portableDevice``` device control for macOS can deny or allow ```download_photos_from_device```. -- To stay consistent with Windows, there are ```generic_read```,```generic_write``` and ```generic_execute``` access types. Policies with generic access types don't need to be changed if/when additional specific access types are added in the future. The best practice is to use generic access types unless there's a specific need to deny/allow a more specific operation. -- Creating a ```deny``` policy using generic access types is the best way to attempt to completely block all operations for that type of device (e.g. Android phones), but there may still be gaps if the operation is performed using an application that isn't supported by macOS device control. +- macOS doesn't have a centralized Device Manager or view of devices. Access is granted/denied to applications that interact with devices. This is why on macOS there are a richer set of [access types](#access-types). For example of a ```portableDevice``` device control for macOS can deny or allow ```download_photos_from_device```. +- To stay consistent with Windows, there are ```generic_read```,```generic_write``` ,and ```generic_execute``` access types. Policies with generic access types don't need to be changed if/when more specific access types are added in the future. The best practice is to use generic access types unless there's a specific need to deny/allow a more specific operation. 
+- Creating a ```deny``` policy using generic access types is the best way to attempt to completely block all operations for that type of device (for example, Android phones), but there might still be gaps if the operation is performed using an application that isn't supported by macOS device control. ### Settings @@ -122,7 +123,7 @@ Here are the properties you can use when you create the groups, rules, and setti | Property name | Description | Options | |:---|:---|:---| -| features | Feature specific configurations | You can set `disable` to false or true for following features:
- `removableMedia`
- `appleDevice`
- `portableDevice`, including camera or PTP media
- `bluetoothDevice`

The default is `true`, so if you don't configure this value, it will not apply even if you create a custom policy for `removableMedia`, because it's disabled by default. | +| features | Feature specific configurations | You can set `disable` to false or true for following features:
- `removableMedia`
- `appleDevice`
- `portableDevice`, including camera or PTP media
- `bluetoothDevice`

The default is `true`, so if you don't configure this value, it won't apply even if you create a custom policy for `removableMedia`, because it's disabled by default. | | global | Set default enforcement | You can set `defaultEnforcement` to
- `allow` (_default_)
- `deny` | | ux | You can set a hyperlink on notification. | `navigationTarget: string`. Example: `"http://www.microsoft.com"` | @@ -167,8 +168,8 @@ Query type 2 is as follows: | clause $type | value | Description | |:---|:---|:---| | `primaryId` | One of:
- `apple_devices`
- `removable_media_devices`
- `portable_devices`
- `bluetooth_devices` | | -| `vendorId` | 4 digit hexadecimal string | Matches a device's vendor ID | -| `productId` | 4 digit hexadecimal string | Matches a device's product ID | +| `vendorId` | Four digit hexadecimal string | Matches a device's vendor ID | +| `productId` | Four digit hexadecimal string | Matches a device's product ID | | `serialNumber` | string | Matches a device's serial number. Doesn't match if the device doesn't have a serial number. | | `encryption` | apfs | Match if a device is apfs-encrypted. | | `groupId` | UUID string | Match if a device is a member of another group. The value represents the UUID of the group to match against.
The group must be defined within the policy prior to the clause. | @@ -179,8 +180,8 @@ Query type 2 is as follows: |:---|:---|:---| | `id` | GUID, a unique ID, represents the rule and will be used in the policy. | New-Guid (Microsoft.PowerShell.Utility) - PowerShell
uuidgen | | `name` | String, the name of the policy and will display on the toast based on the policy setting. | | -| `includeGroups` | The group(s) that the policy will be applied to. If multiple groups are specified, the policy applies to any media in all those groups. If not specified, the rule applies to all devices. | The **id** value inside the group must be used in this instance. If multiple groups are in the `includeGroups`, it's _AND_.
`"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` | -| `excludeGroups` | The group(s) that the policy doesn't apply to. | The **id** value inside the group must be used in this instance. If multiple groups are in the excludeGroups, it's _OR_. | +| `includeGroups` | The groups that the policy will be applied to. If multiple groups are specified, the policy applies to any media in all those groups. If not specified, the rule applies to all devices. | The **id** value inside the group must be used in this instance. If multiple groups are in the `includeGroups`, it's _AND_.
`"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` | +| `excludeGroups` | The groups that the policy doesn't apply to. | The **id** value inside the group must be used in this instance. If multiple groups are in the excludeGroups, it's _OR_. | | `entries` | One rule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.| See entry properties table later in this article to get the details. | The following table lists the properties you can use in your entry: @@ -189,7 +190,7 @@ The following table lists the properties you can use in your entry: |:---|:---|:---| | `$type` | | Includes:
- `removableMedia`
- `appleDevice`
- `PortableDevice`
- `bluetoothDevice`
- `generic` | | enforcement | | - `$type`:
- `allow`
- `deny`
- `auditAllow`
- `auditDeny`

**When $type allow is selected, options value supports:**
- `disable_audit_allow`
Even if **Allow** happens and the **auditAllow** is setting configured, the system won't send event.

**When $type deny is selected, options value supports:**
`disable_audit_deny`
Even if **Block** happens and the **auditDeny** is setting configured, the system won't show notification or send event.

**When $type auditAllow is selected, options value supports:**
`send_event`

**When $type auditDeny is selected, options value supports:**
`send_event`
`show_notification` | -| `access`| |Specify one or more access rights for this rule. These may include either device specific granular permissions, or broader generic permissions. See table below for more details on the valid access types for a given entry $type. | +| `access`| |Specify one or more access rights for this rule. These might include either device specific granular permissions, or broader generic permissions. See table below for more details on the valid access types for a given entry $type. | | `id`| UUID| | The following table lists the properties you can use in entry: @@ -220,7 +221,7 @@ The following table lists the properties you can use in entry: | **appleDevice** | backup_device | generic_read | | | appleDevice | update_device | generic_write | | | appleDevice | download_photos_from_device | generic_read | download photo from the specific iOS device to local machine | -| appleDevice | download_files_from_device | generic_read | download file(s) from the specific iOS device to local machine | +| appleDevice | download_files_from_device | generic_read | download files from the specific iOS device to local machine | | appleDevice | sync_content_to_device | generic_write | sync content from local machine to specific iOS device | | **portableDevice**| download_files_from_device | generic_read | | | portableDevice | send_files_to_device | generic_write | | 
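Review bot: in the `@@ -189` hunk of mac-device-control-overview.md, the unchanged `$type` list shows `PortableDevice` with a capital P, while every other occurrence on the page (the `@@ -111` bullet, the `features` table, and the access-type rows) uses `portableDevice`. The page tells readers to validate their policy against the JSON schema, and JSON Schema enum values are case-sensitive, so the list entry should be `portableDevice` to match what the schema and the rest of the page use.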
@@ -258,7 +259,7 @@ v2_full_disk_access : "approved" - `active` - feature version, you should see ["v2"]. (Device Control is enabled, but not configured.) - [] - Device Control isn't configured on this machine. - ["v1"] - You are on a preview version of Device Control. Migrate to version 2 using this guide. v1 is considered obsolete and not described in this documentation. - - ["v1","v2"] - You have both v1 and v2 enabled. Offboard from v1. + - ["v1,""v2"] - You have both v1 and v2 enabled. Offboard from v1. - `v1_configured` - v1 configuration is applied - `v1_enforcement_level` - when v1 is enabled - `v2_configured` - v2 configuration is applied @@ -268,7 +269,7 @@ v2_full_disk_access : "approved" ## Reporting -You are able to see the policy event on Advanced hunting and Device Control report. For more information, see [Protect your organization's data with Device Control](device-control-report.md). +You're able to see the policy event on Advanced hunting and Device Control report. For more information, see [Protect your organization's data with Device Control](device-control-report.md). ## Scenarios @@ -472,10 +473,10 @@ In this case, only have one access rule policy, but if you have multiple, make s ## Known Issues > [!WARNING] -> Device Control on macOS restricts Android devices that are connected using PTP mode **only**. Device control does not restrict other modes such as File Transfer, USB Tethering and MIDI. +> Device Control on macOS restricts Android devices that are connected using PTP mode **only**. Device control doesn't restrict other modes such as File Transfer, USB Tethering, and MIDI. > [!WARNING] -> Device Control on macOS does not prevent software developed on XCode from being transferred to an external device. +> Device Control on macOS doesn't prevent software developed on XCode from being transferred to an external device. 
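Review bot: the `@@ -111` hunk in mac-device-control-overview.md introduces a typo: "For example on a ```portableDevice``` device control for macOS can deny or allow" became "For example of a ```portableDevice``` ...", which no longer parses; keep "on a" (or "for a"). In the same hunk the comma in "```generic_write``` ,and ```generic_execute```" is on the wrong side of the space; it should read "```generic_write```, and ```generic_execute```".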
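Review bot: the `@@ -258` hunk in mac-device-control-overview.md breaks the array literal: `["v1","v2"]` was changed to `["v1,""v2"]`, which is no longer the two-element list the `active` field prints and is inconsistent with the `["v2"]`, `[]` and `["v1"]` forms in the surrounding bullets. Revert that line to `- ["v1","v2"] - You have both v1 and v2 enabled. Offboard from v1.`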
diff --git a/defender-endpoint/mac-exclusions.md b/defender-endpoint/mac-exclusions.md index 0b9d371d34..7a2acf133b 100644 --- a/defender-endpoint/mac-exclusions.md +++ b/defender-endpoint/mac-exclusions.md @@ -2,8 +2,9 @@ title: Configure and validate exclusions for Microsoft Defender for Endpoint on Mac description: Provide and validate exclusions for Microsoft Defender for Endpoint on Mac. Exclusions can be set for files, folders, and processes. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro @@ -40,7 +41,7 @@ Exclusions can be useful to avoid incorrect detections on files or software that To narrow down which process and/or path and/or extension you need to exclude, use [real-time-protection-statistics](mac-support-perf.md). > [!WARNING] -> Defining exclusions lowers the protection offered by Defender for Endpoint on Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. +> Defining exclusions lowers the protection offered by Defender for Endpoint on Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you're confident aren't malicious. ## Supported exclusion types 
@@ -61,9 +62,9 @@ File, folder, and process exclusions support the following wildcards: |?|Matches any single character|`file?.log` includes `file1.log` and `file2.log`, but not `file123.log`| > [!NOTE] -> When using the * wildcard at the end of the path, it will match all files and subdirectories under the parent of the wildcard. +> Using the * wildcard at the end of the path, it matches all files and subdirectories under the parent of the wildcard. > -> The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist. +> The product attempts to resolve firm links when evaluating exclusions. Firm link resolution doesn't work when the exclusion contains wildcards or the target file (on the `Data` volume) doesn't exist. ## Best practices for adding antimalware exclusions for Microsoft Defender for Endpoint on macOS. @@ -73,7 +74,7 @@ File, folder, and process exclusions support the following wildcards: *except for apps that the ISV stated that there's no other tweaking that could be done to prevent the false positive or higher cpu utilization from occurring. -1. Avoid migrating non-Microsoft antimalware exclusions since they may no longer be applicable nor applicable to Microsoft Defender for Endpoint on macOS. +1. Avoid migrating non-Microsoft antimalware exclusions since they might no longer be applicable nor applicable to Microsoft Defender for Endpoint on macOS. 1. Order of exclusions to consider top (more secure) to bottom (least secure): diff --git a/defender-endpoint/mac-install-jamfpro-login.md b/defender-endpoint/mac-install-jamfpro-login.md index 33f274d72d..859515bdbe 100644 --- a/defender-endpoint/mac-install-jamfpro-login.md +++ b/defender-endpoint/mac-install-jamfpro-login.md 
@@ -2,8 +2,9 @@ title: Sign in to Jamf Pro description: Sign in to Jamf Pro. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-install-manually.md b/defender-endpoint/mac-install-manually.md index 8afc82d63c..b74c3abe60 100644 --- a/defender-endpoint/mac-install-manually.md +++ b/defender-endpoint/mac-install-manually.md @@ -2,8 +2,9 @@ title: Manual deployment for Microsoft Defender for Endpoint on macOS description: Install Microsoft Defender for Endpoint on macOS manually, from the command line. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro @@ -98,13 +99,13 @@ To complete this process, you must have admin privileges on the device. :::image type="content" source="media/installation-type.png" alt-text="Screenshot that shows the final installation step."::: -7. Click **Install**. +7. Select **Install**. 8. Enter the password, when prompted. :::image type="content" source="media/password-2g.png" alt-text="Screenshot that shows the password dialog box."::: -9. Click **Install Software**. +9. Select **Install Software**. 10. At the end of the installation process, for macOS Big Sur (11.0) or latest version, you're prompted to approve the system extensions used by the product. Select **Open Security Preferences**. 
@@ -131,37 +132,37 @@ To complete this process, you must have admin privileges on the device. The macOS Catalina (10.15) and newer versions require full disk access to be granted to **Microsoft Defender for Endpoint** in order to be able to protect and monitor. > [!NOTE] -> Full disk access grant to **Microsoft Defender for Endpoint** is a new requirement for all the third-party software by Apple for files and folders containing personal data. +> Full disk access grant to **Microsoft Defender for Endpoint** is a new requirement for non-Microsoft software by Apple for files and folders containing personal data. To grant full disk access: -1. Open **System Preferences** \> **Security & Privacy** \> **Privacy** \> **Full Disk Access**. Click the lock icon to make changes (bottom of the dialog box). +1. Open **System Preferences** \> **Security & Privacy** \> **Privacy** \> **Full Disk Access**. Select the lock icon to make changes (bottom of the dialog box). -1. Grant **Full Disk Access** permission to **Microsoft Defender** and **Microsoft Defenders Endpoint Security Extension**. +2. Grant **Full Disk Access** permission to **Microsoft Defender** and **Microsoft Defenders Endpoint Security Extension**. :::image type="content" source="media/full-disk-access-security-privacy.png" alt-text="The screenshot shows the full disk access's security and privacy."::: -1. Select **General** \> **Restart** for the new system extensions to take effect. +3. Select **General** \> **Restart** for the new system extensions to take effect. :::image type="content" source="media/restart-fulldisk.png" alt-text="Screenshot that allows you to restart the system for new system extensions to be enabled."::: -1. Enable *Potentially Unwanted Application* (PUA) in block mode. +4. Enable *Potentially Unwanted Application* (PUA) in block mode. To enable PUA, refer [configure PUA protection](mac-pua.md). -1. Enable *Network Protection*. +5. Enable *Network Protection*. 
To enable *Network protection*, refer [manual deployment](network-protection-macos.md). -1. Enable *Device Control*. +6. Enable *Device Control*. To enable *Device Control*, refer [device control for macOS](mac-device-control-overview.md). -1. Enable *Tamper Protection* in block mode. +7. Enable *Tamper Protection* in block mode. - To enable *Tamper Protection*, refer [Protect MacOS security settings with tamper protection](tamperprotection-macos.md). + To enable *Tamper Protection*, refer [Protect macOS security settings with tamper protection](tamperprotection-macos.md). -1. If you have the *Microsoft Purview – Endpoint data loss prevention license*, you can review [Get started with Microsoft Purview - Endpoint data loss prevention](/purview/endpoint-dlp-getting-started). +8. If you have the *Microsoft Purview – Endpoint data loss prevention license*, you can review [Get started with Microsoft Purview - Endpoint data loss prevention](/purview/endpoint-dlp-getting-started). ## Background execution 
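Review bot: In mac-install-manually.md hunk @@ -131,37, changing "all the third-party software" to "non-Microsoft software" in the Full Disk Access note changes the meaning and makes it wrong: Apple's requirement applies to all third-party software, and Microsoft Defender for Endpoint is third-party from Apple's point of view, which is exactly why it needs the grant. Suggest "Granting Full Disk Access to **Microsoft Defender for Endpoint** is required because Apple requires explicit consent for any third-party software that accesses files and folders containing personal data." In the same hunk, "Microsoft Defenders Endpoint Security Extension" looks like a stray "s" (the product name used on the same line is "Microsoft Defender"), and the four "refer [link]" lines should read "refer to [link]".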
@@ -170,17 +171,17 @@ macOS will pop a prompt up, telling the user that Microsoft Defender can run in :::image type="content" source="media/background-items-notification.png" alt-text="Screenshot that shows background items notification"::: -You can view applications permitted to run in background in System Settings => Login Items => Allow in the Background at any time: +You can view applications permitted to run in background in System Settings => sign in Items => Allow in the Background at any time: :::image type="content" source="media/background-items.png" alt-text="Screenshot that shows background items"::: -Make sure all Microsoft Defender and Microsoft Corporation items are enabled. If they are disabled then macOS will not start Microsoft Defender after a machine restart. +Make sure all Microsoft Defender and Microsoft Corporation items are enabled. If they are disabled, then macOS won't start Microsoft Defender after a machine restart. ## Bluetooth permissions Starting with macOS 14, a user must explicitly allow an application to access Bluetooth. macOS will pop a prompt up, telling the user that Microsoft Defender can access Bluetooth (applies only if you use Bluetooth based policies for Device Control). -Click Allow to grant Microsoft Defender to access Bluetooth. +Select Allow to grant Microsoft Defender to access Bluetooth. :::image type="content" source="media/macos-defender-bluetooth.png" alt-text="Screenshot that shows Bluetooth access request"::: 
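Review bot: In mac-install-manually.md hunk @@ -170,17, the settings path was changed from "Login Items" to "sign in Items", which looks like a style-guide find-and-replace applied to a UI label. "Login Items" is the name of the pane the user has to open, so it must match the UI; restore "System Settings => Login Items => Allow in the Background" (bolding the labels as the rest of the article does). The unchanged lead-in "permitted to run in background" is also missing an article ("in the background") if you're touching that line anyway.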
@@ -190,11 +191,11 @@ You can confirm that permissions are granted in System Settings => Privacy Setti ## Onboarding Package -Once you have installed the MDE on macOS client, you must now onboard the package, which registers to your Microsoft Defender for Endpoint tenant and licenses it. +Once you install the MDE on macOS client, you must now onboard the package, which registers to your Microsoft Defender for Endpoint tenant and licenses it. -1. Verify if MDE on macOS has already been onboarded. +1. Verify if MDE on macOS is onboard. - Copy *wdav.pkg* and *MicrosoftDefenderATPOnboardingMacOs.sh* to the device where you have deployed Microsoft Defender for Endpoint on macOS. + Copy *wdav.pkg* and *MicrosoftDefenderATPOnboardingMacOs.sh* to the device where you deployed Microsoft Defender for Endpoint on macOS. The client device isn't associated with *org_id*. The *org_id* attribute is blank. @@ -256,7 +257,7 @@ See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove M > [!TIP] > > - Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP). -> - If you have any feedback that you will like to share, submit it by opening Microsoft Defender Endpoint on Mac on your device and navigate to **Help** \> **Send feedback**. +> - If you have any feedback that you'll like to share, submit it by opening Microsoft Defender Endpoint on Mac on your device and navigate to **Help** \> **Send feedback**. ## Recommended content diff --git a/defender-endpoint/mac-install-with-intune.md b/defender-endpoint/mac-install-with-intune.md index b88efb1ee0..4f566bc46f 100644 --- a/defender-endpoint/mac-install-with-intune.md +++ b/defender-endpoint/mac-install-with-intune.md 
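Review bot: In mac-install-manually.md hunk @@ -190,11, "Verify if MDE on macOS is onboard." no longer describes what the step checks; the following lines test whether the device has already been onboarded (whether *org_id* is blank). Suggest "Verify whether MDE on macOS has already been onboarded." The rewritten intro ("Once you install the MDE on macOS client, you must now onboard the package") also leaves "now" dangling; "After you install MDE on macOS, onboard it with the package, which registers the client to your Microsoft Defender for Endpoint tenant and licenses it" keeps the original meaning and reads cleanly.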
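Review bot: In mac-install-manually.md hunk @@ -256,7, "feedback that you'll like to share" is the wrong contraction; the intended phrase is "feedback that you'd like to share" (would, not will).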
@@ -2,10 +2,10 @@ title: Intune-based deployment for Microsoft Defender for Endpoint on Mac description: Install Microsoft Defender for Endpoint on Mac, using Microsoft Intune. ms.service: defender-endpoint -author: denisebmsft -ms.author: deniseb +author: emmwalshh +ms.author: ewalsh manager: deniseb -ms.reviewer: yongrhee +ms.reviewer: joshbregman ms.localizationpriority: medium audience: ITPro ms.collection: @@ -104,7 +104,7 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender Download [netfilter.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles). > [!IMPORTANT] -> Only one `.mobileconfig` (plist) for Network Filter is supported. Adding multiple Network Filters leads to network connectivity issues on Mac. This issue is not specific to Defender for Endpoint on macOS. +> Only one `.mobileconfig` (plist) for Network Filter is supported. Adding multiple Network Filters leads to network connectivity issues on Mac. This issue isn't specific to Defender for Endpoint on macOS. To configure your network filter: 
@@ -133,7 +133,7 @@ To configure your network filter: ### Step 3: Full Disk Access > [!NOTE] -> Starting with macOS Catalina (10.15) or newer, in order to provide privacy for the end-users, it created the **FDA** (Full Disk Access). Enabling **TCC** (Transparency, Consent & Control) through a Mobile Device Management solution such as [Intune](mac-install-with-intune.md), will eliminate the risk of Defender for Endpoint losing **Full Disk Access** Authorization to function properly. +> With macOS Catalina (10.15) or newer, in order to provide privacy for the end-users, it created the **FDA** (Full Disk Access). Enabling **TCC** (Transparency, Consent & Control) through a Mobile Device Management solution such as [Intune](mac-install-with-intune.md), eliminates the risk of Defender for Endpoint losing **Full Disk Access** Authorization to function properly. > > This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile. 
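Review bot: In mac-install-with-intune.md hunk @@ -133,7, "it created the **FDA**" still has no antecedent for "it", and dropping "Starting with" loses the point that Catalina is the version where the requirement appeared. Suggest "Starting with macOS Catalina (10.15), Apple introduced **Full Disk Access (FDA)** to protect end-user privacy." The second sentence can then read "Granting **TCC** (Transparency, Consent & Control) through a Mobile Device Management solution such as Intune prevents Defender for Endpoint from losing the Full Disk Access authorization it needs to function."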
@@ -143,31 +143,31 @@ To configure Full Disk Access: 1. In the Intune admin center, under **Configuration profiles**, select **Create Profile**. -1. Under **Platform**, select **macOS**. +2. Under **Platform**, select **macOS**. -1. Under **Profile type**, select **Templates**. +3. Under **Profile type**, select **Templates**. -1. Under **Template name**, select **Custom**, and then select **Create**. +4. Under **Template name**, select **Custom**, and then select **Create**. -1. On the **Basics** tab, **Name** the profile. For example, `FullDiskAccess-prod-macOS-Default-MDE`. Then select **Next**. +5. On the **Basics** tab, **Name** the profile. For example, `FullDiskAccess-prod-macOS-Default-MDE`. Then select **Next**. -1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `FullDiskAccess-prod-macOS-Default-MDE`. +6. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `FullDiskAccess-prod-macOS-Default-MDE`. -1. Choose a **Deployment channel** and then select **Next**. +7. Choose a **Deployment channel** and then select **Next**. -1. Select a **Configuration profile file**. +8. Select a **Configuration profile file**. -1. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**. +9. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**. -1. Review the configuration profile. Select **Create**. +10. Review the configuration profile. Select **Create**. > [!NOTE] -> Full Disk Access granted through Apple MDM Configuration Profile is not reflected in **System Settings > Privacy & Security > Full Disk Access**. +> Full Disk Access granted through Apple MDM Configuration Profile isn't reflected in **System Settings > Privacy & Security > Full Disk Access**. 
### Step 4: Background services > [!CAUTION] -> macOS 13 (Ventura) contains new privacy enhancements. Beginning with this version, by default, applications cannot run in background without explicit consent. Microsoft Defender for Endpoint must run its daemon process in background. This configuration profile grants Background Service permissions to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Microsoft Intune, we recommend you update the deployment with this configuration profile. +> macOS 13 (Ventura) contains new privacy enhancements. Beginning with this version, by default, applications can't run in background without explicit consent. Microsoft Defender for Endpoint must run its daemon process in background. This configuration profile grants Background Service permission to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Microsoft Intune, we recommend you update the deployment with this configuration profile. Download [background_services.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/background_services.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles). 
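Review bot: In mac-install-with-intune.md hunk @@ -143,31, the list was renumbered from repeated "1." to explicit 2 to 10, but repeated "1." is the convention the rest of this file still uses (see the unchanged "1. Select **Create**." and "1. On the **Basics** tab" in hunk @@ -496,7 of this same patch), and explicit numbers have to be maintained by hand every time a step is inserted. Either keep "1." here or renumber the other lists in the file in the same change so the convention is consistent.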
@@ -260,12 +260,12 @@ Download [accessibility.mobileconfig](https://raw.githubusercontent.com/microsof ### Step 7: Bluetooth permissions > [!CAUTION] -> macOS 14 (Sonoma) contains new privacy enhancements. Beginning with this version, by default, applications cannot access Bluetooth without explicit consent. Microsoft Defender for Endpoint uses it if you configure Bluetooth policies for Device Control. +> macOS 14 (Sonoma) contains new privacy enhancements. Beginning with this version, by default, applications can't access Bluetooth without explicit consent. Microsoft Defender for Endpoint uses it if you configure Bluetooth policies for Device Control. Download [bluetooth.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/macos/mobileconfig/profiles/bluetooth.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles) and use the same workflow as in [Step 6: Accessibility settings](#step-6-accessibility-settings) to enable Bluetooth access. > [!NOTE] -> Bluetooth granted through Apple MDM Configuration Profile is not reflected in System Settings => Privacy & Security => Bluetooth. +> Bluetooth granted through Apple MDM Configuration Profile isn't reflected in System Settings => Privacy & Security => Bluetooth. ### Step 8: Microsoft AutoUpdate 
@@ -280,29 +280,29 @@ For more information, see [Deploy updates for Microsoft Defender for Endpoint on Download [com.microsoft.autoupdate2.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/macos/settings/microsoft_auto_update/com.microsoft.autoupdate2.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles). > [!NOTE] -> The sample `com.microsoft.autoupdate2.mobileconfig` from the GitHub repository has it set to Current Channel (Production). +> The sample `com.microsoft.autoupdate2.mobileconfig` from the GitHub repository is set to Current Channel (Production). 1. Under **Configuration profiles**, select **Create Profile**. -1. Under **Platform**, select **macOS**. +2. Under **Platform**, select **macOS**. -1. Under **Profile type**, select **Templates**. +3. Under **Profile type**, select **Templates**. -1. Under **Template name**, select **Custom**. +4. Under **Template name**, select **Custom**. -1. Select **Create**. +5. Select **Create**. -1. On the **Basics** tab, **Name** the profile. For example, `Autoupdate-prod-macOS-Default-MDE`. Then select **Next**. +6. On the **Basics** tab, **Name** the profile. For example, `Autoupdate-prod-macOS-Default-MDE`. Then select **Next**. -1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `com.microsoft.autoupdate2.mobileconfig`. +7. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `com.microsoft.autoupdate2.mobileconfig`. -1. Choose a **Deployment channel** and select **Next**. +8. Choose a **Deployment channel** and select **Next**. -1. Select a **Configuration profile file**. +9. Select a **Configuration profile file**. -1. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**. +10. 
On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**. -1. Review the configuration profile. Select **Create**. +11. Review the configuration profile. Select **Create**. ### Step 9: Microsoft Defender for Endpoint configuration settings @@ -391,7 +391,7 @@ A standard [Company Portal installation](/mem/intune/user-help/enroll-your-devic 1. Confirm device management. - :::image type="content" source="../defender-endpoint/media/mdatp-3-confirmdevicemgmt.png" alt-text="Screenshot that shows the Confirm device management page." lightbox="../defender-endpoint/media/mdatp-3-confirmdevicemgmt.png"::: + :::image type="content" source="../defender-endpoint/media/mdatp-3-confirmdevicemgmt.png" alt-text="Screenshot that shows the Confirmed device management page." lightbox="../defender-endpoint/media/mdatp-3-confirmdevicemgmt.png"::: Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: @@ -399,7 +399,7 @@ A standard [Company Portal installation](/mem/intune/user-help/enroll-your-devic 2. Select **Continue** and complete the enrollment. - You may now enroll more devices. You can also enroll them later, after finishing the provisioning system configuration and application packages. + You might now enroll more devices. You can also enroll them later, after finishing the provisioning system configuration and application packages. 3. In Intune, open **Manage** \> **Devices** \> **All devices**. Here you can see your device among the listed: 
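Review bot: In mac-install-with-intune.md hunk @@ -399,7, "You may now enroll more devices" expressed permission (you are now able to), while "You might now enroll more devices" expresses uncertainty, so the modal swap changes the meaning. Suggest "You can now enroll more devices."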
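Review bot: In mac-install-with-intune.md hunk @@ -391,7, the alt-text was changed from "Confirm device management page" to "Confirmed device management page", but the step it illustrates is still titled "1. Confirm device management." on the unchanged line above it. Alt-text should name what the screenshot shows; unless the dialog itself says "Confirmed", keep the original wording.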
@@ -496,7 +496,7 @@ To deploy the onboarding package: 1. Select **Create**. - :::image type="content" source="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-1.png" alt-text="Screenshot that shows the deploy onboarding package." lightbox="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-1.png"::: + :::image type="content" source="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-1.png" alt-text="Screenshot that shows the deployed onboarding package." lightbox="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-1.png"::: 1. On the **Basics** tab, **Name** the profile. For example, `Onboarding-prod-macOS-Default-MDE`. Select **Next**. diff --git a/defender-endpoint/mac-install-with-jamf.md b/defender-endpoint/mac-install-with-jamf.md index 93b8c0901e..4866cb8119 100644 --- a/defender-endpoint/mac-install-with-jamf.md +++ b/defender-endpoint/mac-install-with-jamf.md @@ -2,8 +2,9 @@ title: Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro description: Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro 
@@ -33,9 +34,9 @@ Learn how to deploy Microsoft Defender for Endpoint on macOS with Jamf Pro. [!INCLUDE [Microsoft Defender for Endpoint third-party tool support](../includes/support.md)] -This is a multi-step process. You'll need to complete all of the following steps: +This is a multi-step process. You need to complete all of the following steps: -- [Login to the Jamf Portal](mac-install-jamfpro-login.md) +- [Sign in to the Jamf Portal](mac-install-jamfpro-login.md) - [Setup the Microsoft Defender for Endpoint on macOS device groups in Jamf Pro](mac-jamfpro-device-groups.md) - [Setup the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](mac-jamfpro-policies.md) - [Enroll the Microsoft Defender for Endpoint on macOS devices into Jamf Pro](mac-jamfpro-enroll-devices.md) diff --git a/defender-endpoint/mac-install-with-other-mdm.md b/defender-endpoint/mac-install-with-other-mdm.md index f69e278d12..14fcbd6834 100644 --- a/defender-endpoint/mac-install-with-other-mdm.md +++ b/defender-endpoint/mac-install-with-other-mdm.md @@ -2,9 +2,9 @@ title: Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on Mac description: Install Microsoft Defender for Endpoint on Mac on other management solutions. ms.service: defender-endpoint -ms.reviewer: mavel -author: YongRhee-MSFT -ms.author: yongrhee +ms.reviewer: joshbregman +author: emmwalshh +ms.author: ewalsh manager: deniseb ms.localizationpriority: medium audience: ITPro 
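Review bot: In mac-install-with-jamf.md hunk @@ -33,9, the link text is now "Sign in to the Jamf Portal" while the target page (mac-install-jamfpro-login.md, retitled "Sign in to Jamf Pro" in this same patch) says "Jamf Pro"; align the two so readers don't see two names for one step. The three unchanged bullets below use "Setup" as a verb; it should be "Set up".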
@@ -38,7 +38,7 @@ Before you get started, see [the main Microsoft Defender for Endpoint on macOS p ## Approach > [!CAUTION] -> Currently, Microsoft officially supports only Intune and JAMF for the deployment and management of Microsoft Defender for Endpoint on macOS. Microsoft makes no warranties, express or implied, with respect to the information provided below. +> Currently, Microsoft officially supports only Intune and JAMF for the deployment and management of Microsoft Defender for Endpoint on macOS. Microsoft makes no warranties, express or implied, with respect to the information provided. If your organization uses a Mobile Device Management (MDM) solution that isn't officially supported, this doesn't mean you're unable to deploy or run Microsoft Defender for Endpoint on macOS. @@ -48,12 +48,12 @@ Microsoft Defender for Endpoint on macOS doesn't depend on any vendor-specific f - Deploy macOS system configuration profiles to managed devices. - Run an arbitrary admin-configured tool/script on managed devices. -Most modern MDM solutions include these features, however, they may call them differently. +Most modern MDM solutions include these features, however, they might call them differently. You can deploy Defender for Endpoint without the last requirement from the preceding list, however: -- You won't be able to collect status in a centralized way. -- If you decide to uninstall Defender for Endpoint, you'll need to log on to the client device locally as an administrator. +- You might not be able to collect status in a centralized way. +- If you decide to uninstall Defender for Endpoint, you need to sign in the client device locally as an administrator. ## Deployment 
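Review bot: In mac-install-with-other-mdm.md hunk @@ -48,12, "You won't be able to collect status in a centralized way" stated a definite consequence of lacking the run-a-script capability, and "You might not be able to" weakens it into a maybe; keep "won't" (or "can't"). In the next bullet, "sign in the client device" is missing "to": "sign in to the client device locally as an administrator."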
@@ -74,18 +74,18 @@ In order to deploy the package to your enterprise, use the instructions associat Set up [a system configuration profile](mac-install-with-jamf.md). -Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender for Endpoint on macOS isn't part of macOS. +Your MDM solution might call it something like "Custom Settings Profile," as Microsoft Defender for Endpoint on macOS isn't part of macOS. Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender portal](mac-install-with-jamf.md). -Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. -Alternatively, it may require you to convert the property list to a different format first. +Your system might support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. +Alternatively, it might require you to convert the property list to a different format first. Typically, your custom profile has an ID, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value. MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender for Endpoint uses this file for loading the onboarding information. ### System configuration profiles -macOS requires that a user manually and explicitly approves certain functions that an application uses, for example system extensions, running in background, sending notifications, full disk access etc. Microsoft Defender for Endpoint relies on these functions, and can't properly function until all these consents are received from a user. 
+macOS requires that a user manually and explicitly approves certain functions that an application uses, for example system extensions, running in background, sending notifications, full disk access, etc. Microsoft Defender for Endpoint relies on these functions, and can't properly function until all these consents are received from a user. To grant consent automatically on a user's behalf, an administrator pushes system policies through their MDM system. This is what we strongly recommend doing, instead of relying on manual approvals from end users. @@ -99,8 +99,8 @@ To set up profiles: 2) For all profiles from [https://github.com/microsoft/mdatp-xplat](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles), download a mobileconfig file and import it. 3) Assign proper scope for each created configuration profile. -Note that Apple regularly creates new types of payloads with new versions of an OS. -You'll need to visit the above mentioned page, and publish new profiles once they became available. +Apple regularly creates new types of payloads with new versions of an OS. +You need to visit the above mentioned page, and publish new profiles once they became available. We post notifications to our [What's New page](mac-whatsnew.md) once we make changes like that. ### Defender for Endpoint configuration settings 
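Review bot: In mac-install-with-other-mdm.md hunk @@ -99,8, the rewrite keeps a tense error: "publish new profiles once they became available" should be "once they become available", and "the above mentioned page" reads better as "that page" or "the page mentioned above".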
@@ -118,7 +118,7 @@ If you don't see it, then refer to your MDM documentation for troubleshooting ti Microsoft Defender for Endpoint reads `/Library/Managed Preferences/com.microsoft.wdav.plist` and `/Library/Managed Preferences/com.microsoft.wdav.ext.plist` files. It uses only those two files for managed settings. -If you can't see those files, but you verified that the profiles were delivered (see the previous section), then it means that your profiles are misconfigured. Either you made this configuration profile "User Level" instead of "Computer Level", or you used a different Preference Domain instead of those that Microsoft Defender for Endpoint expects ("com.microsoft.wdav" and "com.microsoft.wdav.ext"). +If you can't see those files, but you verified that the profiles were delivered (see the previous section), then it means that your profiles are misconfigured. Either you made this configuration profile "User Level" instead of "Computer Level," or you used a different Preference Domain instead of those that Microsoft Defender for Endpoint expects ("com.microsoft.wdav" and "com.microsoft.wdav.ext"). Refer to your MDM documentation for how to set up application configuration profiles. 
@@ -164,14 +164,14 @@ plutil -p "/Library/Managed\ Preferences/com.microsoft.wdav.plist" You can use the documented [Configuration profile structure](mac-preferences.md) as a guideline. -This article explains that "antivirusEngine", "edr", "tamperProtection" are settings at the top level of the configuration file. And, for example, "scanHistoryMaximumItems" are at the second level and are of integer type. +This article explains that "antivirusEngine," "edr," "tamperProtection" are settings at the top level of the configuration file. And, for example, "scanHistoryMaximumItems" are at the second level and are of integer type. -You should see this information in the output of the previous command. If you found out that "antivirusEngine" is nested under some other setting - then the profile is misconfigured. If you can see "antivirusengine" instead of "antivirusEngine", the name is misspelled and the whole subtree of settings are ignored. If `"scanHistoryMaximumItems" => "10000"`, the wrong type is used and the setting will be ignored. +You should see this information in the output of the previous command. If "antivirusEngine" is nested under some other setting - then the profile is misconfigured. If you can see "antivirus engine" instead of "antivirusEngine," the name is misspelled and the whole subtree of settings are ignored. If `"scanHistoryMaximumItems" => "10000"`, the wrong type is used to and the setting is ignored. ## Check that all profiles are deployed -You can download and run [analyze_profiles.py](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mdm). This script will collect and analyze all profiles deployed to a machine and warn you about missed ones. -Note that it can miss some errors, and it isn't aware of some design decisions that system administrators are making deliberately. Use this script for guidance, but always investigate if you see something marked as an error. 
For example, the onboarding guide tells you to deploy a configuration profile for onboarding blob. Yet, some organizations decide to run the manual onboarding script instead. analyze_profile.py warns you about the missed profile. You can either decide to onboard via configuration profile, or disregard the warning altogether. +You can download and run [analyze_profiles.py](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mdm). This script collects and analyzes all profiles deployed to a machine and warn you about missed ones. +It can miss some errors, and it isn't aware of some design decisions that system administrators are making deliberately. Use this script for guidance, but always investigate if you see something marked as an error. For example, the onboarding guide tells you to deploy a configuration profile for onboarding blob. Yet, some organizations decide to run the manual onboarding script instead. analyze_profile.py warns you about the missed profile. You can either decide to onboard via configuration profile, or disregard the warning altogether. ## Check installation status diff --git a/defender-endpoint/mac-jamfpro-device-groups.md b/defender-endpoint/mac-jamfpro-device-groups.md index 8796766d82..0d9ac150f3 100644 --- a/defender-endpoint/mac-jamfpro-device-groups.md +++ b/defender-endpoint/mac-jamfpro-device-groups.md @@ -2,8 +2,9 @@ title: Set up device groups in Jamf Pro description: Learn how to set up device groups in Jamf Pro for Microsoft Defender for Endpoint on macOS ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro 
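Review bot: In mac-install-with-other-mdm.md hunk @@ -164,14, replacing "antivirusengine" with "antivirus engine" breaks the example: the original showed a case-only typo (lowercase e) that makes the key unrecognized so the whole subtree of settings is silently ignored, which is the realistic mistake an admin makes; a space in the key is a different and less instructive error. Restore "antivirusengine". Same hunk: "the wrong type is used to and the setting is ignored" has a stray "to", and "This script collects and analyzes all profiles ... and warn you" should be "warns".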
@@ -43,12 +44,12 @@ Set up the device groups similar to Group policy organizational unite (OUs), Mi :::image type="content" source="media/jamfpro-machine-group.png" alt-text="The Jamf Pro2 page" lightbox="media/jamfpro-machine-group.png"::: -4. Now you will see the **Contoso's Machine Group** under **Static Computer Groups**. +4. Now you see the **Contoso's Machine Group** under **Static Computer Groups**. :::image type="content" source="media/contoso-machine-group.png" alt-text="The Jamf Pro3 page" lightbox="media/contoso-machine-group.png"::: > [!NOTE] -> You are not required to use static groups. It is often more convenient and flexible to use e.g. [JAMF Pro's smart groups](https://docs.jamf.com/10.40.0/jamf-pro/documentation/Smart_Groups.html) instead. +> You aren't required to use static groups. It's often more convenient and flexible to use, for example, [JAMF Pro's smart groups](https://docs.jamf.com/10.40.0/jamf-pro/documentation/Smart_Groups.html) instead. ## Next step - [Set up Microsoft Defender for Endpoint on macOS policies in Jamf Pro](mac-jamfpro-policies.md) diff --git a/defender-endpoint/mac-jamfpro-enroll-devices.md b/defender-endpoint/mac-jamfpro-enroll-devices.md index 7435060604..19ff6f4d23 100644 --- a/defender-endpoint/mac-jamfpro-enroll-devices.md +++ b/defender-endpoint/mac-jamfpro-enroll-devices.md @@ -2,8 +2,9 @@ title: Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro description: Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-jamfpro-policies.md b/defender-endpoint/mac-jamfpro-policies.md index 997686bc72..6220936246 100644 --- a/defender-endpoint/mac-jamfpro-policies.md +++ b/defender-endpoint/mac-jamfpro-policies.md 
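Review bot: In mac-jamfpro-device-groups.md hunk @@ -43,12, the unchanged context line still reads "Group policy organizational unite (OUs)"; since this hunk is being edited anyway, fix "unite" to "units" (and capitalize "Group Policy" as a product name).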
@@ -2,10 +2,10 @@ title: Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro description: Learn how to set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro. ms.service: defender-endpoint -author: denisebmsft -ms.author: deniseb +author: emmwalshh +ms.author: ewalsh manager: deniseb -ms.reviewer: yongrhee +ms.reviewer: joshbregman ms.localizationpriority: medium audience: ITPro ms.collection: diff --git a/defender-endpoint/mac-preferences.md b/defender-endpoint/mac-preferences.md index 412de76032..359afed0b2 100644 --- a/defender-endpoint/mac-preferences.md +++ b/defender-endpoint/mac-preferences.md @@ -2,10 +2,10 @@ title: Set preferences for Microsoft Defender for Endpoint on Mac description: Configure Microsoft Defender for Endpoint on Mac in enterprise organizations. ms.service: defender-endpoint -author: denisebmsft -ms.author: deniseb +author: emmwalshh +ms.author: ewalsh manager: deniseb -ms.reviewer: yongrhee +ms.reviewer: joshbregman ms.localizationpriority: medium audience: ITPro ms.collection: diff --git a/defender-endpoint/mac-privacy.md b/defender-endpoint/mac-privacy.md index 17f0d4d7d7..0c47713640 100644 --- a/defender-endpoint/mac-privacy.md +++ b/defender-endpoint/mac-privacy.md @@ -2,8 +2,9 @@ title: Privacy for Microsoft Defender for Endpoint on Mac description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender for Endpoint on Mac. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-pua.md b/defender-endpoint/mac-pua.md index 4d1d28ac37..35927fb5ec 100644 --- a/defender-endpoint/mac-pua.md +++ b/defender-endpoint/mac-pua.md 
@@ -2,8 +2,9 @@ title: Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Mac description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender for Endpoint on macOS. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-resources.md b/defender-endpoint/mac-resources.md index 2a4ff16f35..d4b6cc82de 100644 --- a/defender-endpoint/mac-resources.md +++ b/defender-endpoint/mac-resources.md @@ -2,8 +2,9 @@ title: Resources for Microsoft Defender for Endpoint on Mac description: Resources for Microsoft Defender for Endpoint on Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-schedule-scan.md b/defender-endpoint/mac-schedule-scan.md index b400c21cbb..9919e67a8c 100644 --- a/defender-endpoint/mac-schedule-scan.md +++ b/defender-endpoint/mac-schedule-scan.md @@ -2,10 +2,10 @@ title: How to schedule scans with Microsoft Defender for Endpoint on macOS description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint in macOS to better protect your organization's assets. ms.service: defender-endpoint -author: denisebmsft -ms.author: deniseb +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb -ms.reviewer: yonghree ms.localizationpriority: medium ms.date: 10/23/2024 audience: ITPro diff --git a/defender-endpoint/mac-support-install.md b/defender-endpoint/mac-support-install.md index a9b1b1e8e8..9b374157aa 100644 --- a/defender-endpoint/mac-support-install.md 
+++ b/defender-endpoint/mac-support-install.md @@ -2,8 +2,9 @@ title: Troubleshoot installation issues for Microsoft Defender for Endpoint on Mac description: Troubleshoot installation issues in Microsoft Defender for Endpoint on Mac. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-support-license.md b/defender-endpoint/mac-support-license.md index be278d5199..e6197c0e9a 100644 --- a/defender-endpoint/mac-support-license.md +++ b/defender-endpoint/mac-support-license.md @@ -2,8 +2,9 @@ title: Troubleshoot license issues for Microsoft Defender for Endpoint on Mac description: Troubleshoot license issues in Microsoft Defender for Endpoint on Mac. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-support-perf-overview.md b/defender-endpoint/mac-support-perf-overview.md index a8de6a8fec..fde720b40e 100644 --- a/defender-endpoint/mac-support-perf-overview.md +++ b/defender-endpoint/mac-support-perf-overview.md @@ -1,8 +1,9 @@ --- title: Overview for how to troubleshoot performance issues for Microsoft Defender for Endpoint on macOS description: Troubleshoot performance issues overview for Microsoft Defender for Endpoint on macOS. -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman ms.service: defender-endpoint ms.topic: overview ms.localizationpriority: medium 
@@ -26,16 +27,16 @@ This article provides general guidelines to identify performance issues related Depending on the applications that you're running and your device characteristics, you might experience suboptimal performance when running Microsoft Defender for Endpoint on macOS. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender for Endpoint on macOS. > [!TIP] -> As a general best practice, it is recommended to [update the Microsoft Defender for Endpoint agent to latest available version](/defender-endpoint/mac-whatsnew) and confirming that the issue still persists before investigating further. +> As a general best practice, it's recommended to [update the Microsoft Defender for Endpoint agent to latest available version](/defender-endpoint/mac-whatsnew) and confirming that the issue still persists before investigating further. > [!CAUTION] -> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on MacOS is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can configure Microsoft Defender Antivirus to run in **[Passive mode](mac-preferences.md)**. After you configure Passive mode, you can use Defender for Endpoint on Mac EDR functionality. +> Running other non-Microsoft endpoint protection products alongside Microsoft Defender for Endpoint on macOS is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can configure Microsoft Defender Antivirus to run in **[Passive mode](mac-preferences.md)**. After you configure Passive mode, you can use Defender for Endpoint on Mac EDR functionality. > [!WARNING] -> Before starting, make sure that other security products are not currently running on the device. 
Multiple security products might conflict and impact system performance. +> Before starting, make sure that other security products aren't currently running on the device. Multiple security products might conflict and affect system performance. > [!TIP] -> If you're running other third-party security products, make sure that the Microsoft Defender for Endpoint on macOS processes and paths are excluded from that 3rd party security product and that security product is excluded from Microsoft Defender for Endpoint on macOS. And vice-versa. +> If you're running other non-Microsoft security products, make sure that the Microsoft Defender for Endpoint on macOS processes and paths are excluded from that non-Microsoft security product and that security product is excluded from Microsoft Defender for Endpoint on macOS. And vice-versa. When troubleshooting performance issues for Microsoft Defender for Endpoint on macOS, you should review the **Activity Monitor** or run **top** to see which of the three (3) processes is leading the high cpu utilization |Daemon name|Component|Troubleshooting guide| @@ -44,5 +45,5 @@ When troubleshooting performance issues for Microsoft Defender for Endpoint on m |wdavdaemon_unprivileged| Antimalware (AV, EPP)|Review [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](mac-support-perf.md).| |wdavdaemon_enterprise| Endpoint Detection and Response (EDR)|Open a [Microsoft support case](contact-support.md).| -Additionally, gather [Defender for Endpoint Client Analyzer](run-analyzer-macos-linux.md) files while the issue occurs. This will be used by the support team to investigate the issue. +Additionally, gather [Defender for Endpoint Client Analyzer](run-analyzer-macos-linux.md) files while the issue occurs. This is used by the support team to investigate the issue. diff --git a/defender-endpoint/mac-support-perf.md b/defender-endpoint/mac-support-perf.md index 90559f02a1..5d2483f6cf 100644 
--- a/defender-endpoint/mac-support-perf.md +++ b/defender-endpoint/mac-support-perf.md @@ -2,8 +2,9 @@ title: Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS description: Troubleshoot performance issues in Microsoft Defender for Endpoint on macOS. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro @@ -34,7 +35,7 @@ This article provides some general steps that can be used to narrow down perform Depending on the applications that you're running and your device characteristics, you might experience suboptimal performance when running Microsoft Defender for Endpoint on macOS. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint on macOS. > [!WARNING] -> Before you perform the procedures described in this article, make sure that other security products are not currently running on the device. Multiple security products can conflict and impact the host performance. +> Before you perform the procedures described in this article, make sure that other security products aren't currently running on the device. Multiple security products can conflict and affect the host performance. ## Troubleshoot performance issues using real-time protection statistics 
@@ -47,10 +48,10 @@ Real-time protection (RTP) is a feature of Defender for Endpoint on macOS that c Prerequisites: - Microsoft Defender for Endpoint version (Platform Update) 100.90.70 or newer -- If you have [Tamper protection](tamperprotection-macos.md) turned on in block mode, use [Troubleshooting mode](mac-troubleshoot-mode.md) to capture real-time-protection-statistics. Otherwise, you will get null results. +- If you have [Tamper protection](tamperprotection-macos.md) turned on in block mode, use [Troubleshooting mode](mac-troubleshoot-mode.md) to capture real-time-protection-statistics. Otherwise, you'll get null results. > [!TIP] -> As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming that the issue still persists before investigating further. +> As a general best practice, it's recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming that the issue still persists before investigating further. To troubleshoot and mitigate performance issues, follow these steps: @@ -98,7 +99,7 @@ To troubleshoot and mitigate performance issues, follow these steps: ``` > [!NOTE] - > Using `--output json` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. + > Using `--output json` (note the double dash) ensures that the output format is ready for parsing. The output of this command shows all processes and their associated scan activity. 6. On your Mac system, download the sample Python parser `high_cpu_parser.py` using the command: ```bash 
@@ -148,7 +149,7 @@ To troubleshoot and mitigate performance issues, follow these steps: 8. To improve the performance of Defender for Endpoint on Mac, locate the one with the highest number under the **Total files scanned** row, and then add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on macOS](mac-exclusions.md). > [!NOTE] - > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off aren't counted. Additionally, only events which triggered scans are counted. 9. Configure Microsoft Defender for Endpoint on macOS with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. 
@@ -161,4 +162,4 @@ The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces, To run the client analyzer for troubleshooting performance issues, see [Run the client analyzer on macOS and Linux](run-analyzer-macos-linux.md). > [!NOTE] -> The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). +> The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that help troubleshoot issues you might be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). diff --git a/defender-endpoint/mac-support-sys-ext.md b/defender-endpoint/mac-support-sys-ext.md index 2b1f97256c..86fa70a210 100644 --- a/defender-endpoint/mac-support-sys-ext.md +++ b/defender-endpoint/mac-support-sys-ext.md @@ -2,8 +2,9 @@ title: Troubleshoot system extension issues for Microsoft Defender for Endpoint on macOS description: Troubleshoot system extension issues in Microsoft Defender for Endpoint on macOS. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalsh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-sysext-policies.md b/defender-endpoint/mac-sysext-policies.md index a45707f6c9..d347e86404 100644 --- a/defender-endpoint/mac-sysext-policies.md +++ b/defender-endpoint/mac-sysext-policies.md 
@@ -3,8 +3,9 @@ title: New configuration profiles for macOS Big Sur and newer versions of macOS description: This topic describes the changes that are must be made in order to benefit from the system extensions, which are a replacement for kernel extensions on macOS Big Sur and newer versions of macOS. search.appverid: met150 ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-troubleshoot-mode.md b/defender-endpoint/mac-troubleshoot-mode.md index 8e0e6fe3b7..e397998748 100644 --- a/defender-endpoint/mac-troubleshoot-mode.md +++ b/defender-endpoint/mac-troubleshoot-mode.md @@ -2,8 +2,9 @@ title: Troubleshooting mode in Microsoft Defender for Endpoint on macOS description: This article describes how to enable the troubleshooting mode in Microsoft Defender for Endpoint on macOS. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-troubleshoot-netext-mde.md b/defender-endpoint/mac-troubleshoot-netext-mde.md index 22aad570c9..ac27abb21c 100644 --- a/defender-endpoint/mac-troubleshoot-netext-mde.md +++ b/defender-endpoint/mac-troubleshoot-netext-mde.md @@ -2,10 +2,10 @@ title: Troubleshoot Network Extension issues in Microsoft Defender for Endpoint on Mac description: Learn how to troubleshoot issues with the network extension (NetExt) that's installed as part of Microsoft Defender for Endpoint on macOS. ms.service: defender-endpoint -author: denisebmsft -ms.author: deniseb +author: emmwalshh +ms.author: ewalsh manager: deniseb -ms.reviewer: yongrhee +ms.reviewer: joshbregman ms.localizationpriority: medium audience: ITPro ms.collection: 
diff --git a/defender-endpoint/mac-updates.md b/defender-endpoint/mac-updates.md index 75b6b7c293..94e919a54f 100644 --- a/defender-endpoint/mac-updates.md +++ b/defender-endpoint/mac-updates.md @@ -2,8 +2,9 @@ title: Deploy updates for Microsoft Defender for Endpoint on Mac description: Control updates for Microsoft Defender for Endpoint on Mac in enterprise environments. ms.service: defender-endpoint -author: YongRhee-MSFT -ms.author: yongrhee +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium audience: ITPro diff --git a/defender-endpoint/mac-whatsnew.md b/defender-endpoint/mac-whatsnew.md index bad135f605..b54a00412f 100644 --- a/defender-endpoint/mac-whatsnew.md +++ b/defender-endpoint/mac-whatsnew.md @@ -2,8 +2,9 @@ title: What's new in Microsoft Defender for Endpoint on Mac description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on Mac. ms.service: defender-endpoint -author: deniseb -ms.author: deniseb +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman manager: deniseb ms.localizationpriority: medium ms.date: 01/24/2025 @@ -15,7 +16,6 @@ ms.collection: ms.topic: reference ms.subservice: macos search.appverid: met150 -ms.reviewer: mavel --- # What's new in Microsoft Defender for Endpoint on Mac diff --git a/defender-endpoint/manage-sys-extensions-using-jamf.md b/defender-endpoint/manage-sys-extensions-using-jamf.md index ea74e7c3c8..fd14402f71 100644 --- a/defender-endpoint/manage-sys-extensions-using-jamf.md +++ b/defender-endpoint/manage-sys-extensions-using-jamf.md @@ -2,8 +2,9 @@ title: Manage system extensions using Jamf description: Manage system extensions using Jamf for Microsoft Defender for Endpoint to work properly on macOS. ms.service: defender-endpoint -ms.author: deniseb -author: denisebmsft +ms.author: ewalsh +author: emmwalshh +ms.reviewer: joshbregman ms.localizationpriority: medium manager: deniseb audience: ITPro 
diff --git a/defender-endpoint/microsoft-defender-endpoint-mac.md b/defender-endpoint/microsoft-defender-endpoint-mac.md index 702b4ca1fc..3c0da149fa 100644 --- a/defender-endpoint/microsoft-defender-endpoint-mac.md +++ b/defender-endpoint/microsoft-defender-endpoint-mac.md @@ -1,10 +1,10 @@ --- title: Microsoft Defender for Endpoint on Mac -ms.reviewer: yongrhee, pahuijbr +ms.reviewer: joshbregman description: Learn how to install, configure, update, and use Microsoft Defender for Endpoint on Mac. ms.service: defender-endpoint -ms.author: deniseb -author: denisebmsft +author: emmwalshh +ms.author: ewalsh ms.localizationpriority: medium manager: deniseb audience: ITPro 
@@ -31,10 +31,10 @@ ms.date: 10/15/2024 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) -This topic describes how to install, configure, update, and use Defender for Endpoint on Mac. +This article describes how to install, configure, update, and use Defender for Endpoint on Mac. > [!CAUTION] -> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Mac EDR functionality after configuring the antivirus functionality to run in [Passive mode](mac-preferences.md#enforcement-level-for-antivirus-engine). +> Running other non-Microsoft endpoint protection products alongside Microsoft Defender for Endpoint on Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Mac EDR functionality after configuring the antivirus functionality to run in [Passive mode](mac-preferences.md#enforcement-level-for-antivirus-engine). ## What's new in the latest release @@ -53,7 +53,7 @@ To get the latest features, including preview capabilities (such as endpoint det - A Defender for Endpoint subscription and access to the Microsoft Defender portal - Beginner-level experience in macOS and BASH scripting -- Administrative privileges on the device (in case of manual deployment) +- Administrative privileges on the device (in manual deployment) ### Installation instructions 
@@ -80,7 +80,7 @@ These four most recent major releases of macOS are supported. - Beta versions of macOS aren't supported. > [!IMPORTANT] -> On macOS 11 (Big Sur) and later, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md) and detailed in [installation instructions](#installation-instructions). +> On macOS 11 (Large Sur) and later, Microsoft Defender for Endpoint requires more configuration profiles. If you're an existing customer upgrading from earlier versions of macOS, make sure to deploy the extra configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md) and detailed in [installation instructions](#installation-instructions). After you've enabled the service, you might need to configure your network or firewall to allow outbound connections between it and your endpoints. 
@@ -98,8 +98,8 @@ Microsoft Defender for Endpoint on Mac requires one of the following Microsoft V - Microsoft Defender for Endpoint P1 (included in [Microsoft 365 E3](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3/ba-p/3060639)) > [!NOTE] -> Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices. -> Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed. +> Eligible licensed users might use Microsoft Defender for Endpoint on up to five concurrent devices. +> Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it doesn't require Microsoft Volume Licensing offers listed. ### Configuring Exclusions 
@@ -118,8 +118,8 @@ Microsoft Defender for Endpoint can connect through a proxy server by using the If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. > [!WARNING] -> Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used. -> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. +> Authenticated proxies aren't supported. Ensure that only PAC, WPAD, or a static proxy is being used. +> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store won't allow for interception. #### Test network connectivity 
@@ -156,11 +156,11 @@ Guidance for how to configure the product in enterprise environments is availabl ## macOS kernel and system extensions -Starting with macOS 11 (Big Sur), Microsoft Defender for Endpoint has been fully migrated from kernel extension to system extensions. +Starting with macOS 11 (Significant Sur), Microsoft Defender for Endpoint has been fully migrated from kernel extension to system extensions. ## Resources -- For more information about logging, uninstalling, or other topics, see [Resources for Microsoft Defender for Endpoint on Mac](mac-resources.md). +- For more information about logging, uninstalling, or other articles, see [Resources for Microsoft Defender for Endpoint on Mac](mac-resources.md). - [Privacy for Microsoft Defender for Endpoint on Mac](mac-privacy.md). - [Turn on Network protection for macOS](network-protection-macos.md) diff --git a/defender-endpoint/run-analyzer-macos.md b/defender-endpoint/run-analyzer-macos.md index 1a6c3384e2..7d67f5a60c 100644 --- a/defender-endpoint/run-analyzer-macos.md +++ b/defender-endpoint/run-analyzer-macos.md @@ -1,10 +1,10 @@ --- title: Run the client analyzer on macOS description: Learn how to use the Defender for Endpoint Client Analyzer on Mac to identify health or performance issue causes. -author: denisebmsft -ms.author: deniseb -manager: deniseb -ms.reviewer: yongrhee +ms.author: ewalsh +author: emmwalshh +manager: ewalsh +ms.reviewer: joshbregman ms.service: defender-endpoint ms.subservice: macos ms.localizationpriority: medium diff --git a/defender-endpoint/troubleshoot-cloud-connect-mdemac.md b/defender-endpoint/troubleshoot-cloud-connect-mdemac.md index 32af7dc69e..431f41500d 100644 --- a/defender-endpoint/troubleshoot-cloud-connect-mdemac.md +++ b/defender-endpoint/troubleshoot-cloud-connect-mdemac.md 
@@ -1,9 +1,10 @@ --- title: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS -description: This topic describes how to troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS +description: This article describes how to troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS ms.service: defender-endpoint -ms.author: deniseb -author: denisebmsft +author: emmwalshh +ms.author: ewalsh +ms.reviewer: joshbregman ms.localizationpriority: medium manager: deniseb audience: ITPro @@ -29,7 +30,7 @@ ms.date: 03/25/2021 **Platform** macOS -This topic describes how to Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS. +This article describes how to Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS. ## Run the connectivity test To test if Defender for Endpoint on Mac can communicate to the cloud with the current network settings, run a connectivity test from the command line: @@ -38,7 +39,7 @@ To test if Defender for Endpoint on Mac can communicate to the cloud with the cu mdatp connectivity test ``` -expected output: +Expected output: ```Bash Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK] Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK] 
@@ -56,18 +57,18 @@ Testing connection with https://uk-v20.events.data.microsoft.com/ping ... [OK] Testing connection with https://v20.events.data.microsoft.com/ping ... [OK] ``` -If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-endpoint-mac.md#network-connections) are blocked by a proxy or firewall. +If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-endpoint-mac.md#network-connections) is blocked by a proxy or firewall. -Failures with curl error 35 or 60 indicate certificate pinning rejection, which indicates a potential issue with SSL or HTTPS inspection. See instructions below regarding SSL inspection configuration. +Failures with curl error 35 or 60 indicate certificate pinning rejection, which indicates a potential issue with SSL or HTTPS inspection. See instructions regarding SSL inspection configuration. ## Troubleshooting steps for environments without proxy or with Proxy autoconfig (PAC) or with Web Proxy Autodiscovery Protocol (WPAD) -Use the following procedure to test that a connection is not blocked in an environment without a proxy or with Proxy autoconfig (PAC) or with Web Proxy Autodiscovery Protocol (WPAD). +Use the following procedure to test that a connection isn't blocked in an environment without a proxy or with Proxy autoconfig (PAC) or with Web Proxy Autodiscovery Protocol (WPAD). If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. > [!WARNING] -> Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used. SSL inspection and intercepting proxies are also not supported for security reasons. 
Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. -To test that a connection is not blocked: +> Authenticated proxies aren't supported. Ensure that only PAC, WPAD, or a static proxy is being used. SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store won't allow for interception. +To test that a connection isn't blocked: In a browser such as Microsoft Edge for Mac or Safari open https://x.cp.wd.microsoft.com/api/report and https://cdn.x.cp.wd.microsoft.com/ping. Optionally, in Terminal, run the following command: diff --git a/defender-office-365/anti-malware-policies-configure.md b/defender-office-365/anti-malware-policies-configure.md index 2dd0b8a9e1..c5c1e38929 100644 --- a/defender-office-365/anti-malware-policies-configure.md +++ b/defender-office-365/anti-malware-policies-configure.md @@ -17,7 +17,7 @@ ms.collection: description: Admins can learn how to view, create, modify, and remove anti-malware policies in Exchange Online Protection (EOP). ms.custom: ms.service: defender-office-365 -ms.date: 01/06/2025 +ms.date: 01/29/2025 appliesto: - ✅ Exchange Online Protection - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 
@@ -81,6 +81,9 @@ You can configure anti-malware policies in the Microsoft Defender portal or in P - The specified Microsoft 365 Groups. - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + > [!TIP] + > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com. + Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. diff --git a/defender-office-365/anti-phishing-policies-eop-configure.md b/defender-office-365/anti-phishing-policies-eop-configure.md index d5395de25c..37d34713dd 100644 --- a/defender-office-365/anti-phishing-policies-eop-configure.md +++ b/defender-office-365/anti-phishing-policies-eop-configure.md @@ -16,7 +16,7 @@ ms.custom: description: Admins can learn how to create, modify, and delete the anti-phishing policies that are available in Exchange Online Protection (EOP) organizations with or without Exchange Online mailboxes. ms.service: defender-office-365 search.appverid: met150 -ms.date: 01/06/2025 +ms.date: 01/29/2025 appliesto: - ✅ Exchange Online Protection --- 
@@ -78,6 +78,9 @@ For anti-phishing policy procedures in organizations with Microsoft Defender for - The specified Microsoft 365 Groups. - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + > [!TIP] + > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com. + Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. diff --git a/defender-office-365/anti-phishing-policies-mdo-configure.md b/defender-office-365/anti-phishing-policies-mdo-configure.md index 267d667eee..fbccedd48e 100644 --- a/defender-office-365/anti-phishing-policies-mdo-configure.md +++ b/defender-office-365/anti-phishing-policies-mdo-configure.md @@ -16,7 +16,7 @@ ms.custom: description: Admins can learn how to create, modify, and delete the advanced anti-phishing policies that are available in organizations with Microsoft Defender for Office 365. ms.service: defender-office-365 search.appverid: met150 -ms.date: 4/8/2024 +ms.date: 01/29/2025 appliesto: - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 - ✅ Microsoft Defender XDR 
@@ -84,6 +84,9 @@ For anti-phishing policy procedures in organizations without Defender for Office - The specified Microsoft 365 Groups. - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + > [!TIP] + > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com. + Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. diff --git a/defender-office-365/anti-spam-policies-configure.md b/defender-office-365/anti-spam-policies-configure.md index 9b95a122e8..dbd1581ae9 100644 --- a/defender-office-365/anti-spam-policies-configure.md +++ b/defender-office-365/anti-spam-policies-configure.md @@ -16,7 +16,7 @@ ms.collection: ms.custom: description: Admins can learn how to view, create, modify, and delete anti-spam policies in Exchange Online Protection (EOP). ms.service: defender-office-365 -ms.date: 01/06/2025 +ms.date: 01/29/2025 appliesto: - ✅ Exchange Online Protection - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 
@@ -86,6 +86,9 @@ You can configure anti-spam policies in the Microsoft Defender portal or in Powe - The specified Microsoft 365 Groups. - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + > [!TIP] + > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com. + Click in the appropriate box, start typing a value, and then select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. diff --git a/defender-office-365/outbound-spam-policies-configure.md b/defender-office-365/outbound-spam-policies-configure.md index e462ba17e4..a252ad70bf 100644 --- a/defender-office-365/outbound-spam-policies-configure.md +++ b/defender-office-365/outbound-spam-policies-configure.md @@ -18,7 +18,7 @@ ms.custom: - seo-marvel-apr2020 description: Admins can learn how to view, create, modify, and delete outbound spam policies in Exchange Online Protection (EOP). ms.service: defender-office-365 -ms.date: 08/01/2024 +ms.date: 01/29/2025 appliesto: - ✅ Exchange Online Protection - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 
@@ -78,6 +78,9 @@ You can configure outbound spam policies in the Microsoft Defender portal or in - The specified Microsoft 365 Groups. - **Domains**: All senders in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + > [!TIP] + > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com. + Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. diff --git a/defender-office-365/preset-security-policies.md b/defender-office-365/preset-security-policies.md index 598e852005..3f990f7bba 100644 --- a/defender-office-365/preset-security-policies.md +++ b/defender-office-365/preset-security-policies.md @@ -16,7 +16,7 @@ ms.custom: description: Admins can learn how to apply Standard and Strict policy settings across the protection features of Exchange Online Protection (EOP) and Microsoft Defender for Office 365 ms.service: defender-office-365 search.appverid: met150 -ms.date: 11/2/2023 +ms.date: 01/29/2025 appliesto: - ✅ Exchange Online Protection - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 
@@ -76,6 +76,9 @@ The rest of this article how to configure preset security policies. - The specified Microsoft 365 Groups. - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + > [!TIP] + > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com. + Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. diff --git a/defender-office-365/quarantine-faq.yml b/defender-office-365/quarantine-faq.yml index ceeea17a44..e77fc184aa 100644 --- a/defender-office-365/quarantine-faq.yml +++ b/defender-office-365/quarantine-faq.yml @@ -269,7 +269,7 @@ sections: answer: | **Block sender** is disabled by default for quarantined messages. - For end users, admins can create and assign a custom quarantine policy that includes the **Block sender** action. For more information, see [Quarantine policies](quarantine policies). + For end users, admins can create and assign a custom quarantine policy that includes the **Block sender** action. For more information, see [Quarantine policies](quarantine-policies.md). Admins see **Block sender** only if they filter the quarantine results by **Recipient** \> **Only me** instead of the default value **All users**. 
diff --git a/defender-office-365/safe-attachments-policies-configure.md b/defender-office-365/safe-attachments-policies-configure.md index 8560ad113f..d1db9668de 100644 --- a/defender-office-365/safe-attachments-policies-configure.md +++ b/defender-office-365/safe-attachments-policies-configure.md @@ -18,7 +18,7 @@ ms.collection: description: Learn about how to define Safe Attachments policies to protect your organization from malicious files in email. ms.custom: seo-marvel-apr2020 ms.service: defender-office-365 -ms.date: 01/06/2025 +ms.date: 01/29/2025 appliesto: - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 - ✅ Microsoft Defender XDR @@ -93,6 +93,9 @@ You configure Safe Attachments policies in the Microsoft Defender portal or in E - The specified Microsoft 365 Groups. - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + > [!TIP] + > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com. + Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png"::: next to the value. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values. diff --git a/defender-office-365/safe-links-policies-configure.md b/defender-office-365/safe-links-policies-configure.md index 77020f6d84..718313dbdb 100644 --- a/defender-office-365/safe-links-policies-configure.md 
+++ b/defender-office-365/safe-links-policies-configure.md @@ -18,7 +18,7 @@ ms.collection: ms.custom: description: Admins can learn how to view, create, modify, and delete Safe Links policies in Microsoft Defender for Office 365. ms.service: defender-office-365 -ms.date: 01/06/2025 +ms.date: 01/29/2025 appliesto: - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 - ✅ Microsoft Defender XDR @@ -91,6 +91,9 @@ You configure Safe Links policies in the Microsoft Defender portal or in Exchang - The specified Microsoft 365 Groups. - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + > [!TIP] + > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com. + Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png"::: next to the value. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values. diff --git a/defender-office-365/try-microsoft-defender-for-office-365.md b/defender-office-365/try-microsoft-defender-for-office-365.md index dab953f8e6..0ac4503f89 100644 --- a/defender-office-365/try-microsoft-defender-for-office-365.md +++ b/defender-office-365/try-microsoft-defender-for-office-365.md @@ -18,7 +18,7 @@ ms.collection: ms.custom: ms.service: defender-office-365 ROBOTS: -ms.date: 12/10/2024 +ms.date: 01/29/2025 --- # Try Microsoft Defender for Office 365 
@@ -177,6 +177,9 @@ Remember, when you evaluate or try Defender for Office 365 in audit mode, specia - The specified Microsoft 365 Groups. - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + > [!TIP] + > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com. + Click in the box, start typing a value, and select the value from the results below the box. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value in the box. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values. 
@@ -247,6 +250,9 @@ Remember, when you try Defender for Office 365 in **blocking mode**, the Standar - The specified Microsoft 365 Groups. - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + > [!TIP] + > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com. + Click in the box, start typing a value, and select the value from the results below the box. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value in the box. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values. diff --git a/defender-xdr/advanced-hunting-cloudappevents-table.md b/defender-xdr/advanced-hunting-cloudappevents-table.md index e49a74145d..6c2569f8ee 100644 --- a/defender-xdr/advanced-hunting-cloudappevents-table.md +++ b/defender-xdr/advanced-hunting-cloudappevents-table.md 
@@ -39,13 +39,13 @@ For information on other tables in the advanced hunting schema, [see the advance | `ActionType` | `string` | Type of activity that triggered the event | | `Application` | `string` | Application that performed the recorded action | | `ApplicationId` | `int` | Unique identifier for the application | -| `AppInstanceId` | `int` | Unique identifier for the instance of an application. To convert this to Microsoft Defender for Cloud Apps App-connector-ID, use `CloudAppEvents| distinct ApplicationId,AppInstanceId,binary_or(binary_shift_left(AppInstanceId,20),ApplicationId|order by ApplicationId,AppInstanceId` | +| `AppInstanceId` | `int` | Unique identifier for the instance of an application. To convert this to Microsoft Defender for Cloud Apps App-connector-ID, use `CloudAppEvents| distinct ApplicationId,AppInstanceId,binary_or(binary_shift_left(AppInstanceId,20),Application|order by ApplicationId,AppInstanceId` | | `AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID | | `AccountId` | `string` | An identifier for the account as found by Microsoft Defender for Cloud Apps. Could be Microsoft Entra ID, user principal name, or other identifiers. | | `AccountDisplayName` | `string` | Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user. | | `IsAdminOperation` | `bool` | Indicates whether the activity was performed by an administrator | | `DeviceType` | `string` | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer | -| `OSPlatform` | `string` | Platform of the operating system running on the device. This column indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. | +| `OSPlatform` | `string` | Platform of the operating system running on the device. 
This column indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7. | | `IPAddress` | `string` | IP address assigned to the device during communication | | `IsAnonymousProxy` | `boolean` | Indicates whether the IP address belongs to a known anonymous proxy | | `CountryCode` | `string` | Two-letter code indicating the country where the client IP address is geolocated | @@ -67,10 +67,10 @@ For information on other tables in the advanced hunting schema, [see the advance | `RawEventData` | `dynamic` | Raw event information from the source application or service in JSON format | | `AdditionalFields` | `dynamic` | Additional information about the entity or event | | `LastSeenForUser` | `dynamic`|Indicates the number of days since a specific attribute was last seen for the user. A value of 0 means the attribute was seen today, a negative value indicates the attribute is being seen for the first time, and a positive value represents the number of days since the attribute was last seen. For example: `{"ActionType":"0","OSPlatform":"4","ISP":"-1"}`| -| `UncommonForUser` | `dynamic`|Lists the attributes in the event that are considered uncommon for the user. Using this data can help rule out false positives and find anomalies. For example: `["ActivityType","ActionType"]`| -| `AuditSource` | `string` |Audit data source. Possible values are one of the following:
- Defender for Cloud Apps access control
- Defender for Cloud Apps session control
- Defender for Cloud Apps app connector | +| `UncommonForUser` | `dynamic`|Lists the attributes in the event that are uncommon for the user, helping to rule out false positives and find anomalies. For example: `["ActivityType","ActionType"].` To filter out nonanomalous results: events with low or insignificant security value won't go through enrichment processes and will have a value of "", while high-value events will go through enrichment processes and, if no anomalies are found, will have a value of "[]".| +| `AuditSource` | `string` |Audit data source. Possible values are one of the following:
- Defender for Cloud Apps access control
- Defender for Cloud Apps session control
- Defender for Cloud Apps app connector | | `SessionData` |`dynamic` |The Defender for Cloud Apps session ID for access or session control. For example: `{InLineSessionId:"232342"}` | -|`OAuthAppId`|`string`|A unique identifier that is assigned to an application when it is registered to Microsoft Entra with OAuth 2.0 protocol.| +|`OAuthAppId`|`string`|A unique identifier that is assigned to an application when it's registered to Microsoft Entra with OAuth 2.0 protocol.| ## Apps and services covered diff --git a/defender-xdr/malware-naming.md b/defender-xdr/malware-naming.md index 6ec393bbe7..ccd85b1267 100644 --- a/defender-xdr/malware-naming.md +++ b/defender-xdr/malware-naming.md @@ -9,12 +9,10 @@ author: dansimp manager: dansimp audience: ITPro ms.collection: -- m365-security -- tier2 - must-keep ms.topic: reference search.appverid: met150 -ms.date: 08/18/2023 +ms.date: 01/29/2024 --- # Malware names @@ -41,7 +39,7 @@ Describes what the malware does on your computer. Worms, viruses, trojans, backd * Misleading * MonitoringTool * Program -* Personal Web Server (PWS) +* Password Stealer (PWS) * Ransom * RemoteAccess * Rogue diff --git a/defender-xdr/mto-requirements.md b/defender-xdr/mto-requirements.md index 01cb68d361..2809a9a203 100644 --- a/defender-xdr/mto-requirements.md +++ b/defender-xdr/mto-requirements.md @@ -8,15 +8,15 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: - - m365-security - - highpri - - tier1 - - usx-security +- m365-security +- highpri +- tier1 +- usx-security ms.topic: conceptual -ms.date: 08/19/2024 +ms.date: 01/29/2025 appliesto: - - Microsoft Defender XDR - - Microsoft Sentinel in the Microsoft Defender portal +- Microsoft Defender XDR +- Microsoft Sentinel in the Microsoft Defender portal --- # Set up Microsoft Defender multitenant management 
@@ -81,8 +81,8 @@ The first time you use Microsoft Defender multitenant management, you need setup 3. Choose the tenants you want to manage and select **Add** ->[!Note] -> The Microsoft Defender multitenant view currently has a limit of 50 target tenants. +> [!Note] +> The Microsoft Defender multitenant view currently has a limit of 100 target tenants. The features available in multitenant management now appear on the navigation bar and you're ready to view and manage security data across all your tenants. diff --git a/unified-secops-platform/TOC.yml b/unified-secops-platform/TOC.yml index 570cb53457..9ad941ecc8 100644 --- a/unified-secops-platform/TOC.yml +++ b/unified-secops-platform/TOC.yml @@ -47,6 +47,8 @@ href: reduce-risk-overview.md - name: Detect threats href: detect-threats-overview.md + - name: Uncover adversaries with threat intel + href: threat-intelligence-overview.md - name: Hunt for threats items: - name: Overview diff --git a/unified-secops-platform/media/threat-intel-overview/usx-intel-explorer.png b/unified-secops-platform/media/threat-intel-overview/usx-intel-explorer.png new file mode 100644 index 0000000000..0342fd909f Binary files /dev/null and b/unified-secops-platform/media/threat-intel-overview/usx-intel-explorer.png differ diff --git a/unified-secops-platform/media/threat-intel-overview/usx-sentinel-new-stix-object.png b/unified-secops-platform/media/threat-intel-overview/usx-sentinel-new-stix-object.png new file mode 100644 index 0000000000..b5c45ba41c Binary files /dev/null and b/unified-secops-platform/media/threat-intel-overview/usx-sentinel-new-stix-object.png differ diff --git a/unified-secops-platform/media/threat-intel-overview/usx-threat-analytics.png b/unified-secops-platform/media/threat-intel-overview/usx-threat-analytics.png new file mode 100644 index 0000000000..2e41404043 Binary files /dev/null and b/unified-secops-platform/media/threat-intel-overview/usx-threat-analytics.png differ 
diff --git a/unified-secops-platform/media/threat-intel-overview/usx-threat-intel.png b/unified-secops-platform/media/threat-intel-overview/usx-threat-intel.png new file mode 100644 index 0000000000..12eba500b4 Binary files /dev/null and b/unified-secops-platform/media/threat-intel-overview/usx-threat-intel.png differ diff --git a/unified-secops-platform/media/whats-new/intel-management-navigation.png b/unified-secops-platform/media/whats-new/intel-management-navigation.png new file mode 100644 index 0000000000..1b4a4bc524 Binary files /dev/null and b/unified-secops-platform/media/whats-new/intel-management-navigation.png differ diff --git a/unified-secops-platform/threat-intelligence-overview.md b/unified-secops-platform/threat-intelligence-overview.md new file mode 100644 index 0000000000..685797dfae --- /dev/null +++ b/unified-secops-platform/threat-intelligence-overview.md 
@@ -0,0 +1,88 @@ +--- +title: Uncover adversaries with threat intelligence in Microsoft's unified SecOps platform +ms.reviewer: +description: Learn about threat intelligence features across Microsoft's unified security operations (SecOps) platform. +search.appverid: met150 +ms.service: unified-secops-platform +ms.author: pauloliveria +author: poliveria +ms.localizationpriority: medium +manager: dolmont +audience: ITPro +ms.collection: +- M365-security-compliance +- tier1 +- usx-security +ms.custom: +- cx-ti +ms.topic: conceptual +ms.date: 01/24/2025 +# customer intent: As a security operations center business decision maker, I want to learn about threat intelligence tools available in Microsoft's unified SecOps platform to help me understand emerging threats affecting organizations like me and how to manage actionable intelligence. +--- + +# Uncover adversaries with threat intelligence in Microsoft's unified SecOps platform + +Uncover and neutralize modern adversaries with threat intelligence in Microsoft’s unified security operations (SecOps) platform. Whether you use Microsoft's threat intelligence or other sources important to your SecOps organization, **Threat intelligence** in the Microsoft Defender portal unifies the tools needed to identify cyberattackers and their infrastructure. + +:::image type="content" source="/unified-secops-platform/media/threat-intel-overview/usx-threat-intel.png" alt-text="Screenshot of Threat intelligence section of the Microsoft Defender portal." lightbox="/unified-secops-platform/media/threat-intel-overview/usx-threat-intel.png"::: + +_Threat intelligence in the Defender portal_ + +The emergence of new cybersecurity threats and threat actors and the continuous evolution of the threat landscape result in an ever-increasing amount of threat intelligence that security operations centers (SOCs) must investigate. 
This threat intelligence takes many forms—from specific indicators of compromise (IOCs) to reports and analyses—and can come from various sources. Microsoft's unified SecOps platform in the Defender portal consolidates all your threat intelligence in one location so SOCs can assess this intelligence quickly and accurately to make informed decisions. Microsoft's unified SecOps platform in the Defender portal pulls threat intelligence from the following sources: +- Microsoft Defender XDR Threat analytics reports +- Microsoft Defender Threat Intelligence articles and data sets +- Microsoft Sentinel threat intelligence + +## Threat analytics in Microsoft Defender XDR + +**Threat analytics** is the [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender) in-product threat intelligence solution from expert Microsoft security researchers. It's designed to assist security teams to be as efficient as possible while facing emerging threats, such as: +- Active threat actors and their campaigns +- Popular and new attack techniques +- Critical vulnerabilities +- Common attack surfaces +- Prevalent malware + +:::image type="content" source="/unified-secops-platform/media/threat-intel-overview/usx-threat-analytics.png" alt-text="The analyst report section of a threat analytics report" lightbox="/unified-secops-platform/media/threat-intel-overview/usx-threat-analytics.png"::: + +_Analyst report section of a threat analytics report_ + +Each report provides an analysis of a tracked threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place. + +For more information, see [Threat analytics in Microsoft Defender XDR](/defender-xdr/threat-analytics). 
+ +## Microsoft Defender Threat Intelligence + +**Microsoft Defender Threat Intelligence** (Defender TI) helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows. Defender TI aggregates and enriches critical threat information in an easy-to-use interface where users can correlate IOCs with related articles, actor profiles, and vulnerabilities. Defender TI also lets analysts collaborate with fellow Defender TI-licensed users within their tenant on investigations. + +You can access Defender TI in the following pages within the **Threat intelligence** navigation menu of the Defender portal: +- **Intel profiles** - Access a comprehensive library of threat actor, tooling, and vulnerability profiles. +- **Intel explorer** - Browse threat intelligence for relevant analyses, artifacts, and indicators. +- **Intel projects** - Manage security artifacts for your entire tenant. + +:::image type="content" source="/unified-secops-platform/media/threat-intel-overview/usx-intel-explorer.png" alt-text="Screenshot of Intel explorer page." lightbox="/unified-secops-platform/media/threat-intel-overview/usx-intel-explorer.png"::: + +_Defender TI's **Intel explorer** page in the Defender portal_ + +For more information, see [What is Microsoft Defender Threat Intelligence?](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti). + +## Threat intelligence management +**Intel management** is powered by [Microsoft Sentinel](/azure/sentinel/overview) and provides tools to update, search, and create threat intelligence and manage it at scale. + +The most common forms of threat intelligence are threat indicators, or IOCs. Another facet of threat intelligence represents threat actors, their techniques, tactics, and procedures (TTPs), their infrastructure, and their victims. 
Intel management supports managing all these facets using structured threat information expression (STIX), the open-source standard for exchanging threat intelligence. + +Intel management operationalizes your threat intelligence while Microsoft Sentinel sources it with the following methods of ingestion: +- **Import threat intelligence** into Microsoft Sentinel by enabling data connectors to various threat intelligence platforms, including Microsoft’s own Defender TI. +- **Connect threat intelligence** to Microsoft Sentinel by using the upload API to connect various threat intelligence platforms or custom applications. +- **Create threat intelligence** individually or import using a file from the Intel management interface. + +:::image type="content" source="/unified-secops-platform/media/threat-intel-overview/usx-sentinel-new-stix-object.png" alt-text="Screenshot of Intel management add new STIX object feature." lightbox="/unified-secops-platform/media/threat-intel-overview/usx-sentinel-new-stix-object.png"::: + +_Example of adding a new STIX object in Intel management_ + +For more information, see [Understand threat intelligence in Microsoft Sentinel](/azure/sentinel/understand-threat-intelligence). + +## Related content + +- [Microsoft Defender XDR integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration) +- [Microsoft Security Copilot in Microsoft Defender Threat Intelligence](/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence) +- [Infrastructure chaining](/defender/threat-intelligence/infrastructure-chaining) diff --git a/unified-secops-platform/whats-new.md b/unified-secops-platform/whats-new.md index c6c46eb2e2..55b2af79f7 100644 --- a/unified-secops-platform/whats-new.md +++ b/unified-secops-platform/whats-new.md 
@@ -22,13 +22,33 @@ This article lists recent features added into Microsoft's unified SecOps platfor ## January 2025 +- [Unified threat intelligence](#unified-threat-intelligence) - [Manage SecOps work natively with case management (Preview)](#case-management-preview) - [Unified device timeline in Microsoft Defender portal (Preview)](#unified-device-timeline-in-microsoft-defender-portal-preview) - [SOC optimization updates for unified coverage management](#soc-optimization-updates-for-unified-coverage-management) +### Unified threat intelligence + +Microsoft Sentinel-powered threat intelligence has moved in the Defender portal to **Intel management**, unifying threat intelligence features. In the Azure portal, the location remains unchanged. + +:::image type="content" source="media/whats-new/intel-management-navigation.png" alt-text="Screenshot showing new menu placement for Microsoft Sentinel threat intelligence."::: + +Along with the new location, the management interface streamlines the creation and curation of threat intel with these key features: + +- Define relationships as you create new STIX objects. +- Curate existing threat intelligence with the new relationship builder. +- Create multiple objects quickly by copying common metadata from a new or existing TI object with the duplicate feature. +- Use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query. 
+ +For more information, see the following articles: + +- [Uncover adversaries with threat intelligence in Microsoft's unified SecOps platform](threat-intelligence-overview.md) +- [New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164) +- [Understand threat intelligence](/azure/sentinel/understand-threat-intelligence#create-and-manage-threat-intelligence) + ### Case management (Preview) -Case management is the first installment of an end-to-end solution that provides seamless management of your security work. SecOps teams maintain security context, work more efficiently and respond faster to attacks when they manage case work without leaving the Defender portal. Here's the initial set of scenarios and features that CMSK supports. +Case management is the first installment of an end-to-end solution that provides seamless management of your security work. SecOps teams maintain security context, work more efficiently and respond faster to attacks when they manage case work without leaving the Defender portal. Here's the initial set of scenarios and features that case management supports. - Define your own case workflow with custom status values - Assign tasks to collaborators and configure due dates @@ -38,6 +58,7 @@ Case management is the first installment of an end-to-end solution that provides This is just the start. Stay tuned for additional capabilities as we evolve this solution. For more information, see the following articles: + - [Manage cases natively in Microsoft's unified security operations (SecOps) platform](cases-overview.md) - [Microsoft Sentinel blog - Improve SecOps collaboration with case management](https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/improve-secops-collaboration-with-case-management/4369044)
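Review bot: In the hunk adding the "Threat intelligence management" section, STIX is described as "the open-source standard for exchanging threat intelligence"; STIX is an OASIS open standard (a specification, not a software project), so "the open standard for exchanging threat intelligence" is the accurate wording. The sentence "Intel management operationalizes your threat intelligence while Microsoft Sentinel sources it with the following methods of ingestion" also reads awkwardly; consider "Microsoft Sentinel ingests threat intelligence in the following ways, and Intel management lets you operationalize it:". Lastly, the image sources in this hunk use absolute paths (`/unified-secops-platform/media/threat-intel-overview/...`) while the whats-new.md hunk in the same patch uses relative `media/whats-new/...`; pick one convention for consistency across the set.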
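Review bot: In the first whats-new.md hunk (`@@ -22,13 +22,33 @@`), "Microsoft Sentinel-powered threat intelligence has moved in the Defender portal to **Intel management**" misplaces the modifier; suggest "In the Defender portal, Microsoft Sentinel-powered threat intelligence has moved to **Intel management**". The fragment `#create-and-manage-threat-intelligence` on the "Understand threat intelligence" link can't be verified from this diff; confirm that heading exists in the target article, since a wrong fragment fails silently. Replacing "CMSK" with "case management" is the right fix, as the abbreviation was never defined for readers. The new screenshot also omits the `lightbox` attribute the other images in this patch carry; add it if the image is detailed enough to need zooming.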
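Review bot: In the second whats-new.md hunk (`@@ -38,6 +58,7 @@`), the blank line inserted after "For more information, see the following articles:" is correct; without it, Markdown renderers that require a blank line before a list would run the first bullet into the paragraph. No further change needed.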
