Created
September 13, 2022 13:20
-
-
Save rtrouton/7251c58dafbcc30c07a6b03357a6d4cc to your computer and use it in GitHub Desktop.
Jamf Pro Extension Attribute which detects and reports on Microsoft Defender's tamper protection status
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Check to see if Microsoft Defender's tamper protection is enabled. | |
# This Jamf Pro Extension Attribute will return one of four statuses | |
# | |
# 000 = The /usr/local/bin/mdatp command-line tool cannot be found or is not executable. | |
# 001 = Tamper protection is fully disabled. | |
# 010 = Tamper protection is set to audit mode. | |
# 100 = Tamper protection is fully enabled. | |
mdatpPath="/usr/local/bin/mdatp" | |
# Set default result for the Extension Attribute to be the following: | |
# | |
# 000 = The /usr/local/bin/mdatp command-line tool cannot be found or is not executable. | |
eaResult="000" | |
# Verify that the following tool is installed and executable: | |
# | |
# /usr/local/bin/mdatp | |
if [[ -x "$mdatpPath" ]]; then | |
# If the mdatp tool is installed, Defender's tamper protection | |
# status is checked by running the following command: | |
# | |
# /usr/local/bin/mdatp" health --field tamper_protection | |
# | |
# There are three possible keywords that can be returned by this command: | |
# | |
# disabled - tamper protection is completely off. | |
# audit - tampering operations are logged, but not blocked. | |
# block - tamper protection is on, tampering operations are blocked. | |
tamper_protection_enabled="$("$mdatpPath" health --field tamper_protection | awk -F'"' '{print $2}')" | |
if [[ "$tamper_protection_enabled" = "disabled" ]]; then | |
eaResult="001" | |
elif [[ "$tamper_protection_enabled" = "audit" ]]; then | |
eaResult="010" | |
elif [[ "$tamper_protection_enabled" = "block" ]]; then | |
eaResult="100" | |
fi | |
fi | |
echo "<result>$eaResult</result>" | |
exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment