Microsoft Defender tamper protection status detection for Jamf Pro
As a follow-up to my earlier post about working with Microsoft Defender’s tamper protection, I’ve written an Extension Attribute for Jamf Pro which detects and reports on Defender’s tamper protection status. For more details, please see below the jump.
The Extension Attribute uses Defender’s mdatp command line tool to report on Defender’s tamper protection status. Once the mdatp tool is verified to be installed and executable, it’s used to check the tamper protection status. The EA will return one of the following values:
- 000
- 001
- 010
- 100
The returned values indicate the following:
- 000 = The /usr/local/bin/mdatp command-line tool cannot be found or is not executable.
- 001 = Tamper protection is fully disabled.
- 010 = Tamper protection is set to audit mode.
- 100 = Tamper protection is fully enabled.
The Extension Attribute is available below. It’s also available from GitHub using the following link:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Check to see if Microsoft Defender's tamper protection is enabled. | |
| # This Jamf Pro Extension Attribute will return one of four statuses | |
| # | |
| # 000 = The /usr/local/bin/mdatp command-line tool cannot be found or is not executable. | |
| # 001 = Tamper protection is fully disabled. | |
| # 010 = Tamper protection is set to audit mode. | |
| # 100 = Tamper protection is fully enabled. | |
| mdatpPath="/usr/local/bin/mdatp" | |
| # Set default result for the Extension Attribute to be the following: | |
| # | |
| # 000 = The /usr/local/bin/mdatp command-line tool cannot be found or is not executable. | |
| eaResult="000" | |
| # Verify that the following tool is installed and executable: | |
| # | |
| # /usr/local/bin/mdatp | |
| if [[ -x "$mdatpPath" ]]; then | |
| # If the mdatp tool is installed, Defender's tamper protection | |
| # status is checked by running the following command: | |
| # | |
| # /usr/local/bin/mdatp" health –field tamper_protection | |
| # | |
| # There are three possible keywords that can be returned by this command: | |
| # | |
| # disabled – tamper protection is completely off. | |
| # audit – tampering operations are logged, but not blocked. | |
| # block – tamper protection is on, tampering operations are blocked. | |
| tamper_protection_enabled="$("$mdatpPath" health –field tamper_protection | awk -F'"' '{print $2}')" | |
| if [[ "$tamper_protection_enabled" = "disabled" ]]; then | |
| eaResult="001" | |
| elif [[ "$tamper_protection_enabled" = "audit" ]]; then | |
| eaResult="010" | |
| elif [[ "$tamper_protection_enabled" = "block" ]]; then | |
| eaResult="100" | |
| fi | |
| fi | |
| echo "<result>$eaResult</result>" | |
| exit 0 |
Comments (0)
Leave a comment
Der Flounder 
Recent Comments