Get Anti-virus definition status of mac clients running Microsoft Windows Defender ATP, using Microsoft Endpoint Manager
A quick Intro:
Our customer is a cloud-native start-up with few hundred users, with Windows 10, and Mac (Catalina, Big Sur)
Since it’s a cloud-native start-up we had have Microsoft Endpoint Manager for systems manager, bunch of Office 365 apps, some third-party SaaS and Microsoft Defender ATP as their Anti-malware solution on their workstations**.**
What do we want:
Just like anyone else, we would like to have a healthy, secure workstations for our users. As everybody knows, having an AV with outdated signatures (some AV vendors call it as DAT Status, some call it as definition update) is almost equivalent to running a workstation with NO AV.
So, our customer would like to have a closer look on the different workstations’ health in terms of Anti-malware’s health, the last time AV signatures got updated, which can be used for compliance reporting and(or) troubleshooting or isolating machines which has issues with anti-malware solution.
What is the problem we faced?
As I mentioned previously, our customers they had both Windows 10, and Mac clients reporting to Endpoint manager.
With Microsoft Defender ATP, it was very easy to get the definition status for Windows, but it was not possible to get it for Mac OS.
Yes, it is a product limitation (at the time of writing this article) that, there is NO out-of-the-box feature in MS Defender ATP (either in GUI or using an API) which will allow admins to ‘query’ and get the definition status of MAC OS Workstations – which we confirmed with Microsoft Product Support for Defender ATP.
MS Endpoint Manager to rescue:
As we were exploring the different options, I came across a feature in MS-EPM called ‘Custom Attribute profiles’
Little overview about this feature: This feature is meant to allow any admins to run any arbitrary shell script on target mac machines and collect the results. MS EPM will run this script every 8 hours and show the results in the console
More information about this feature can be found here --> /en-us/mem/intune/apps/macos-shell-scripts
Breadcrumb trail here --> https://endpoint.microsoft.com/ --> ‘Devices’ --> ‘Mac OS’ --> ‘Custom Attributes’ under ‘MacOS Policies’
Apart from this, there is a command-line utility called ‘mdatp’ which gets installed on MacOS along with MS Defender ATP, which can be used for various purposes for updating, Troubleshooting, or querying the product’s information.
More info about the MDATP command can be found here --> /en-us/windows/security/threat-protection/microsoft-defender-atp/mac-resources
Final words:
Lets put the pieces together - The work-around could be to let a very simple shell script to query the definition status print in local terminal – which will be picked up by ‘Custom Attributes Profiles’ and reported back in the console.
Here are the steps to perform this:
Create a simple shell script which would look like below
#!/bin/sh /usr/local/bin/mdatp health --field definitions_updated
2. Save it as ‘somename.sh’ --> this will have to be uploaded while creating ‘Custom Attributes profile’
3. Create a ‘Custom Attributes Profile’ with data type of ‘String'
4. Here is the sample screenshot of the profile from my lab.
5. Apply this to all mac machines where you’d like to get status from.
Note: You may wanted to include the full path of MDATP command line tool, as intune expects. WHERE command can be used to verify the full path of your MDATP command line utility
Sample Output:
If everything goes well, you would see a similar screen as below.