Home > Jamf Pro, Scripting > Microsoft Defender tamper protection status detection for Jamf Pro

Microsoft Defender tamper protection status detection for Jamf Pro

As a follow-up to my earlier post about working with Microsoft Defender’s tamper protection, I’ve written an Extension Attribute for Jamf Pro which detects and reports on Defender’s tamper protection status. For more details, please see below the jump.

The Extension Attribute uses Defender’s mdatp command line tool to report on Defender’s tamper protection status. Once the mdatp tool is verified to be installed and executable, it’s used to check the tamper protection status. The EA will return one of the following values:

  • 000
  • 001
  • 010
  • 100

The returned values indicate the following:

  • 000 = The /usr/local/bin/mdatp command-line tool cannot be found or is not executable.
  • 001 = Tamper protection is fully disabled.
  • 010 = Tamper protection is set to audit mode.
  • 100 = Tamper protection is fully enabled.

The Extension Attribute is available below. It’s also available from GitHub using the following link:

https://github.com/rtrouton/rtrouton_scripts/blob/main/rtrouton_scripts/Casper_Extension_Attributes/check_microsoft_defender_tamper_protection_status


#!/bin/bash
# Check to see if Microsoft Defender's tamper protection is enabled.
# This Jamf Pro Extension Attribute will return one of four statuses
#
# 000 = The /usr/local/bin/mdatp command-line tool cannot be found or is not executable.
# 001 = Tamper protection is fully disabled.
# 010 = Tamper protection is set to audit mode.
# 100 = Tamper protection is fully enabled.
mdatpPath="/usr/local/bin/mdatp"
# Set default result for the Extension Attribute to be the following:
#
# 000 = The /usr/local/bin/mdatp command-line tool cannot be found or is not executable.
eaResult="000"
# Verify that the following tool is installed and executable:
#
# /usr/local/bin/mdatp
if [[ -x "$mdatpPath" ]]; then
# If the mdatp tool is installed, Defender's tamper protection
# status is checked by running the following command:
#
# /usr/local/bin/mdatp" health –field tamper_protection
#
# There are three possible keywords that can be returned by this command:
#
# disabled – tamper protection is completely off.
# audit – tampering operations are logged, but not blocked.
# block – tamper protection is on, tampering operations are blocked.
tamper_protection_enabled="$("$mdatpPath" health –field tamper_protection | awk -F'"' '{print $2}')"
if [[ "$tamper_protection_enabled" = "disabled" ]]; then
eaResult="001"
elif [[ "$tamper_protection_enabled" = "audit" ]]; then
eaResult="010"
elif [[ "$tamper_protection_enabled" = "block" ]]; then
eaResult="100"
fi
fi
echo "<result>$eaResult</result>"
exit 0

view raw

gistfile1.txt

hosted with ❤ by GitHub

Categories: Jamf Pro, Scripting
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: