Piplup Does A Thing Mac OS


This topic describes how to install, configure, update, and use Defender for Endpoint on Mac.

Caution

Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Mac EDR functionality after configuring the antivirus functionality to run in Passive mode.

What’s new in the latest release

Tip

If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint on Mac on your device and navigating to Help > Send feedback.

To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an 'Insider' device.

How to install Microsoft Defender for Endpoint on Mac

Prerequisites

  • A Defender for Endpoint subscription and access to the Microsoft Defender Security Center portal
  • Beginner-level experience in macOS and BASH scripting
  • Administrative privileges on the device (in case of manual deployment)

Installation instructions

There are several methods and deployment tools that you can use to install and configure Defender for Endpoint on Mac.

  • Third-party management tools:

  • Command-line tool:

System requirements

The three most recent major releases of macOS are supported.

Important

On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on New configuration profiles for macOS Catalina and newer versions of macOS.

Important

Support for macOS 10.13 (High Sierra) has been discontinued as of February 15th, 2021.

  • Supported macOS versions: 11 (Big Sur), 10.15 (Catalina), 10.14 (Mojave)
  • Disk space: 1GB

Beta versions of macOS are not supported.

macOS devices with M1 processors are not supported.

After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.

Licensing requirements

Microsoft Defender for Endpoint on Mac requires one of the following Microsoft Volume Licensing offers:

  • Microsoft 365 E5 (M365 E5)
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 (M365 A5)

Note

Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices. Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require the Microsoft Volume Licensing offers listed above.

Network connections

The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.

Spreadsheet of domains list                                                              | Description
Spreadsheet of specific DNS records for service locations, geographic locations, and OS. | Download the spreadsheet here: mdatp-urls.xlsx.

Microsoft Defender for Endpoint can discover a proxy server by using the following discovery methods:

  • Proxy autoconfig (PAC)
  • Web Proxy Autodiscovery Protocol (WPAD)
  • Manual static proxy configuration

If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.

Warning

Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.

SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.

To test that a connection is not blocked, open https://x.cp.wd.microsoft.com/api/report and https://cdn.x.cp.wd.microsoft.com/ping in a browser.

If you prefer the command line, you can also check the connection by running the following command in Terminal:

The output from this command should be similar to the following:

OK https://x.cp.wd.microsoft.com/api/report

OK https://cdn.x.cp.wd.microsoft.com/ping

Caution

We recommend that you keep System Integrity Protection (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.

Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal:

How to update Microsoft Defender for Endpoint on Mac

Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint on Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see Deploy updates for Microsoft Defender for Endpoint on Mac.

How to configure Microsoft Defender for Endpoint on Mac

Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender for Endpoint on Mac.

macOS kernel and system extensions

In alignment with macOS evolution, we are preparing a Microsoft Defender for Endpoint on Mac update that leverages system extensions instead of kernel extensions. For relevant details, see What's new in Microsoft Defender for Endpoint on Mac.

Resources

  • For more information about logging, uninstalling, or other topics, see Resources for Microsoft Defender for Endpoint on Mac.

  • Privacy for Microsoft Defender for Endpoint on Mac.


Use shell scripts to extend device management capabilities in Intune, beyond what is supported by the macOS operating system.

Note

Rosetta 2 is required to run x64 (Intel) version of apps on Apple Silicon Macs. To install Rosetta 2 on Apple Silicon Macs automatically, you can deploy a shell script in Endpoint Manager. To view a sample script, see Rosetta 2 Installation Script.

Prerequisites

Ensure that the following prerequisites are met when composing shell scripts and assigning them to macOS devices.

  • Devices are running macOS 10.13 or later.
  • Devices are managed by Intune.
  • Shell scripts begin with #! and the interpreter path must be valid, such as #!/bin/sh or #!/usr/bin/env zsh.
  • Command-line interpreters for the applicable shells are installed.

Important considerations before using shell scripts

  • Shell scripts require that the Microsoft Intune management agent is successfully installed on the macOS device. For more information, see Microsoft Intune management agent for macOS.
  • Shell scripts run in parallel on devices as separate processes.
  • Shell scripts that are run as the signed-in user will run for all currently signed-in user accounts on the device at the time of the run.
  • An end user is required to sign in to the device to execute scripts running as a signed-in user.
  • Root user privileges are required if the script requires making changes that a standard user account cannot.
  • Shell scripts will attempt to run more frequently than the chosen script frequency for certain conditions, such as if the disk is full, if the storage location is tampered with, if the local cache is deleted, or if the Mac device restarts.

Create and assign a shell script policy

  1. Sign in to the Microsoft Endpoint Manager Admin Center.

  2. Select Devices > macOS > Scripts > Add.

  3. In Basics, enter the following properties, and select Next:

    • Name: Enter a name for the shell script.
    • Description: Enter a description for the shell script. This setting is optional, but recommended.
  4. In Script settings, enter the following properties, and select Next:

    • Upload script: Browse to the shell script. The script file must be less than 200 KB in size.
    • Run script as signed-in user: Select Yes to run the script with the user's credentials on the device. Choose No (default) to run the script as the root user.
    • Hide script notifications on devices: By default, script notifications are shown for each script that is run. End users see an 'IT is configuring your computer' notification from Intune on macOS devices.
    • Script frequency: Select how often the script is to be run. Choose Not configured (default) to run a script only once.
    • Max number of times to retry if script fails: Select how many times the script should be run if it returns a non-zero exit code (zero meaning success). Choose Not configured (default) to not retry when a script fails.
  5. In Scope tags, optionally add scope tags for the script, and select Next. You can use scope tags to determine who can see scripts in Intune. For full details about scope tags, see Use role-based access control and scope tags for distributed IT.

  6. Select Assignments > Select groups to include. An existing list of Azure AD groups is shown. Select one or more user or device groups that are to receive the script. Choose Select. The groups you choose are shown in the list, and will receive your script policy.

    Note

    • Shell scripts assigned to user groups apply to any user logging in to the Mac.
    • Updating assignments for shell scripts also updates assignments for Microsoft Intune MDM Agent for macOS.
  7. In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the script policy is deployed to the groups you chose.

The script you created now appears in the list of scripts.

Monitor a shell script policy

You can monitor the run status of all assigned scripts for users and devices by choosing one of the following reports:

  • Scripts > select the script to monitor > Device status
  • Scripts > select the script to monitor > User status

Important

Irrespective of the selected Script frequency, the script run status is reported only the first time a script is run. Script run status is not updated on subsequent runs. However, updated scripts are treated as new scripts and will report the run status again.

Once a script runs, it returns one of the following statuses:

  • A script run status of Failed indicates that the script returned a non-zero exit code or the script is malformed.
  • A script run status of Success indicates that the script returned zero as the exit code.

Troubleshoot macOS shell script policies using log collection

You can collect device logs to help troubleshoot script issues on macOS devices.

Requirements for log collection

The following items are required to collect logs on a macOS device:

  • You must specify the full absolute log file path.
  • File paths must be separated using only a semicolon (;).
  • The maximum log collection size to upload is 60 MB (compressed) or 25 files, whichever occurs first.
  • File types that are allowed for log collection include the following extensions: .log, .zip, .gz, .tar, .txt, .xml, .crash, .rtf

Collect device logs

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. In Device status or User status report, select a device.

  3. Select Collect logs, provide folder paths of log files separated only by a semicolon (;) without spaces or newlines in between paths.
    For example, multiple paths should be written as /Path/to/logfile1.zip;/Path/to/logfile2.log.

    Important

    Multiple log file paths separated using a comma, period, newline or quotation marks, with or without spaces, will result in a log collection error. Spaces are also not allowed as separators between paths.

  4. Select OK. Logs are collected the next time the Intune management agent on the device checks in with Intune. This check-in usually occurs every 8 hours.

    Note

    • Collected logs are encrypted on the device, then transmitted to and stored in Microsoft Azure storage for 30 days. Stored logs are decrypted on demand and downloaded using the Microsoft Endpoint Manager admin center.
    • In addition to the admin-specified logs, the Intune management agent logs are also collected from these folders: /Library/Logs/Microsoft/Intune and ~/Library/Logs/Microsoft/Intune. The agent log file names are IntuneMDMDaemon date--time.log and IntuneMDMAgent date--time.log.
    • If any admin-specified file is missing or has the wrong file extension, you will find these file names listed in LogCollectionInfo.txt.
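Before pasting a path list into Collect logs, the separator, absolute-path, file-type and 25-file rules above can be checked locally. The script below is an added example, not from the Intune documentation; the function name validate_log_paths and every sample path are constructed.

```shell
#!/bin/sh
# Added example (not from the Intune documentation): check a "Collect logs"
# path string against the rules the page lists, so a malformed string is
# caught before submission instead of failing at the next agent check-in.

MAX_FILES=25   # the page allows at most 25 files per collection request

# validate_log_paths "<path;path;...>"
# Prints one diagnostic per problem; returns 0 only if the whole string is acceptable.
validate_log_paths() {
    spec=$1
    rc=0
    count=0
    nl=$(printf '\n.'); nl=${nl%.}
    tab=$(printf '\t')

    # Only ';' may separate paths: commas, quotation marks and any whitespace
    # (spaces around a ';', tabs, newlines) break collection.
    case $spec in
        *[,\'\"]*|*" "*|*"$tab"*|*"$nl"*)
            echo "error: separate paths only with ';' (no commas, quotes, spaces or newlines)"
            return 1 ;;
    esac
    # An empty element means a leading, trailing or doubled semicolon (or an empty string).
    case ";$spec;" in
        *';;'*) echo "error: empty path element (stray semicolon)"; return 1 ;;
    esac

    old_ifs=$IFS
    IFS=';'
    set -f                      # no glob expansion while splitting on ';'
    for path in $spec; do
        count=$((count + 1))
        # Every entry must be a full absolute path.
        case $path in
            /*) ;;
            *) echo "error: not an absolute path: $path"; rc=1 ;;
        esac
        # The extension must be one of those the page permits for log collection.
        ext=${path##*.}
        if [ "$ext" = "$path" ]; then
            echo "error: no file extension: $path"; rc=1
        else
            case $ext in
                log|zip|gz|tar|txt|xml|crash|rtf) ;;
                *) echo "error: file type not allowed for log collection: $path"; rc=1 ;;
            esac
        fi
    done
    set +f
    IFS=$old_ifs

    if [ "$count" -gt "$MAX_FILES" ]; then
        echo "error: $count files requested; at most $MAX_FILES can be collected at a time"; rc=1
    fi
    return $rc
}

# Usage: sh validate_log_paths.sh '/Path/to/logfile1.zip;/Path/to/logfile2.log'
if [ $# -gt 0 ]; then
    validate_log_paths "$1"
fi
```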

Log collection errors

Log collection may fail for any of the reasons listed in the table below. To resolve these errors, follow the remediation steps.

Error code (hex)                   | Error code (dec)                   | Error message                                                                                        | Remediation steps
0X87D300D1                         | 2016214834                         | Log file size cannot exceed 60 MB.                                                                   | Ensure that compressed logs are less than 60 MB in size.
0X87D300D1                         | 2016214831                         | The provided log file path must exist. The system user folder is an invalid location for log files. | Ensure that the provided file path is valid and accessible.
0X87D300D2                         | 2016214830                         | Log collection file upload failed due to expiration of upload URL.                                   | Retry the Collect logs action.
0X87D300D3, 0X87D300D5, 0X87D300D7 | 2016214829, 2016214827, 2016214825 | Log collection file upload failed due to encryption failure. Retry log upload.                       | Retry the Collect logs action.
                                   | 2016214828                         | The number of log files exceeded the allowed limit of 25 files.                                      | Only up to 25 log files can be collected at a time.
0X87D300D6                         | 2016214826                         | Log collection file upload failed due to zip error. Retry log upload.                                | Retry the Collect logs action.
                                   | 2016214740                         | The logs couldn't be encrypted as compressed logs were not found.                                    | Retry the Collect logs action.
                                   | 2016214739                         | The logs were collected but couldn't be stored.                                                      | Retry the Collect logs action.

Custom attributes for macOS

You can create custom attribute profiles, which enable you to collect custom properties from managed macOS devices using shell scripts.

Create and assign a custom attribute for macOS devices

  1. Sign in to the Microsoft Endpoint Manager Admin Center.

  2. Select Devices > macOS > Custom attributes > Add.

  3. In Basics, enter the following properties, and select Next:

    • Name: Enter a name for the script.
    • Description: Enter a description for the script. This setting is optional, but recommended.
  4. In Attribute settings, enter the following properties, and select Next:

    • Data type of attribute: Select the data type of the result that the script returns. Available values are String, Integer, and Date.
    • Script: Select a script file.

    Additional details:

    • The shell script must echo the attribute to be reported and the data type of the output must match the data type of attribute in the custom attribute profile.
    • The result returned by the shell script must be 20KB or less.

    Note

    When using Date type attributes, ensure that the shell script returns dates in ISO-8601 format. See the examples below.

    To print an ISO-8601-compliant date with time-zone:

    To print an ISO-8601-compliant date in UTC time:

  5. In Assignments, click Select groups to include. When you choose Select groups to include an existing list of Azure AD groups is shown. Select one or more user or device groups that are to receive the script. Choose Select. The groups you choose are shown in the list, and will receive your script policy. Alternatively, you can choose to select All users, All devices, or All users and all devices by selecting one of these options in the dropdown box next to Assign to.

    Note

    • Scripts assigned to user groups apply to any user logging in to the Mac.
  6. In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the script policy is deployed to the groups you chose.

The script you created now appears in the list of custom attributes.
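For the Date attribute case in step 4 above, the following is an added example and not part of the Intune documentation: a custom-attribute script skeleton that echoes exactly one ISO-8601 timestamp (UTC, or local time with offset), verifies the shape and the 20 KB result limit first, and exits non-zero so the profile reports Failed rather than storing a value of the wrong type. The function names are constructed.

```shell
#!/bin/sh
# Added example (not from the Intune documentation): skeleton for a custom
# attribute whose data type is Date. The script must echo a single value that
# matches the attribute's data type; anything else is reported as Failed.

MAX_RESULT_BYTES=20480   # the page caps the echoed result at 20 KB

# Current time in UTC, e.g. 2021-02-15T00:00:00Z
iso8601_utc_now() {
    date -u '+%Y-%m-%dT%H:%M:%SZ'
}

# Current local time with numeric offset, e.g. 2021-02-15T09:30:00+0100
iso8601_local_now() {
    date '+%Y-%m-%dT%H:%M:%S%z'
}

# is_iso8601 <value>: succeeds when <value> is YYYY-MM-DDTHH:MM:SS followed by
# Z or a +HH:MM / +HHMM offset (the forms the two date commands in this file produce).
is_iso8601() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(Z|[+-][0-9]{2}:?[0-9]{2})$'
}

# report_attribute <value>: print the one line Intune stores in the Result
# column, or write a diagnostic to stderr and fail with a non-zero exit code.
report_attribute() {
    value=$1
    size=$(printf '%s' "$value" | wc -c | tr -d ' ')
    if [ "$size" -gt "$MAX_RESULT_BYTES" ]; then
        echo "result is $size bytes; limit is $MAX_RESULT_BYTES" >&2
        return 1
    fi
    if ! is_iso8601 "$value"; then
        echo "result is not an ISO-8601 date: $value" >&2
        return 1
    fi
    printf '%s\n' "$value"
}

# The value actually reported when Intune runs this script every 8 hours.
report_attribute "$(iso8601_utc_now)"
```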

Monitor a custom attribute policy

You can monitor the run status of all assigned custom attribute profiles for users and devices by choosing one of the following reports:

  • Custom attributes > select the custom attribute profile to monitor > Device status
  • Custom attributes > select the custom attribute profile to monitor > User status

Important

Shell scripts provided in custom attribute profiles are run every 8 hours on managed Macs and reported.

Once a custom attribute profile runs, it returns one of the following statuses:

  • A status of Failed indicates that the script returned a non-zero exit code or the script is malformed. The error is reported in the Result column.
  • A status of Success indicates that the script returned zero as the exit code. The output echoed by the script is reported in the Result column.

Frequently asked questions

Why are assigned shell scripts not running on the device?

There could be several reasons:

  • The agent might need to check in to receive new or updated scripts. This check-in process occurs every 8 hours and is different from the MDM check-in. Make sure that the device is awake and connected to a network so that the agent check-in succeeds, and wait for the agent to check in. You can also ask the end user to open Company Portal on the Mac, select the device, and click Check settings.
  • The agent may not be installed. Check that the agent is installed at /Library/Intune/Microsoft Intune Agent.app on the macOS device.
  • The agent may not be in a healthy state. The agent will attempt to recover for 24 hours, then remove itself and reinstall if shell scripts are still assigned.

How frequently is script run status reported?

Script run status is reported to the Microsoft Endpoint Manager Admin Console as soon as the script run is complete. If a script is scheduled to run periodically at a set frequency, it reports status only the first time it runs.

When are shell scripts run again?

A script is run again only when the Max number of times to retry if script fails setting is configured and the script fails on run. If the Max number of times to retry if script fails is not configured and a script fails on run, it will not be run again and run status will be reported as failed.

What Intune role permissions are required for shell scripts?

Your assigned Intune role requires Device configurations permissions to delete, assign, create, update, or read shell scripts.

Microsoft Intune management agent for macOS

Why is the agent required?

The Microsoft Intune management agent must be installed on managed macOS devices to enable advanced device management capabilities that the native macOS operating system does not support.

How is the agent installed?

The agent is automatically and silently installed on Intune-managed macOS devices that you assign at least one shell script to in Microsoft Endpoint Manager Admin Center. The agent is installed at /Library/Intune/Microsoft Intune Agent.app when applicable and doesn't appear in Finder > Applications on macOS devices. The agent appears as IntuneMdmAgent in Activity Monitor when running on macOS devices.


What does the agent do?

  • The agent silently authenticates with Intune services before checking in to receive assigned shell scripts for the macOS device.
  • The agent receives assigned shell scripts and runs the scripts based on the configured schedule, retry attempts, notification settings, and other settings set by the admin.
  • The agent checks for new or updated scripts with Intune services usually every 8 hours. This check-in process is independent of the MDM check-in.

How can I manually initiate an agent check-in from a Mac?

On a managed Mac that has the agent installed, open Company Portal, select the local device, click on Check settings. This initiates an MDM check-in as well as an agent check-in.

Alternatively, open Terminal, run the sudo killall IntuneMdmAgent command to terminate the IntuneMdmAgent process. The IntuneMdmAgent process will restart immediately, which will initiate a check-in with Intune.

Note

The Sync action for devices in Microsoft Endpoint Manager Admin Console initiates an MDM check-in and does not force an agent check-in.

When is the agent removed?

There are several conditions that can cause the agent to be removed from the device such as:

  • Shell scripts are no longer assigned to the device.
  • The macOS device is no longer managed.
  • The agent is in an irrecoverable state for more than 24 hours (device-awake time).

Why are scripts running even though the Mac is no longer managed?

When a Mac with assigned scripts is no longer managed, the agent is not removed immediately. The agent detects that the Mac is not managed at the next agent check-in (usually every 8 hours) and cancels scheduled script-runs. So, any locally stored scripts scheduled to run more frequently than the next scheduled agent check-in will run. When the agent is unable to check-in, it retries checking in for up to 24 hours (device-awake time) and then removes itself from the Mac.


How to turn off usage data sent to Microsoft for shell scripts?

To turn off usage data sent to Microsoft from the Intune management agent, open Company Portal and select Menu > Preferences > uncheck 'allow Microsoft to collect usage data'. This will turn off usage data sent for both the agent and Company Portal.


Known issues

  • No script run status: In the unlikely event that a script is received on the device and the device goes offline before the run status is reported, the device will not report run status for the script in the admin console.

Additional information

When you deploy shell scripts or custom attributes for macOS devices from Microsoft Endpoint Manager, it deploys the new universal version of the Intune management agent app that runs natively on Apple Silicon Mac machines. The same deployment will install the x64 version of the app on Intel Mac machines. Rosetta 2 is required to run x64 (Intel) version of apps on Apple Silicon Macs. To install Rosetta 2 on Apple Silicon Macs automatically, you can deploy a shell script in Endpoint Manager. To view a sample script, see Rosetta 2 Installation Script.


Next steps