Jamf Pro Extension Attribute which detects and reports on Microsoft Defender's tamper protection status
#!/bin/bash

# Check to see if Microsoft Defender's tamper protection is enabled.
# This Jamf Pro Extension Attribute will return one of four statuses:
#
# 000 = The /usr/local/bin/mdatp command-line tool cannot be found or is not executable.
# 001 = Tamper protection is fully disabled.
# 010 = Tamper protection is set to audit mode.
# 100 = Tamper protection is fully enabled.

# Set default result for the Extension Attribute to be the following:
# 000 = The /usr/local/bin/mdatp command-line tool cannot be found or is not executable.
eaResult="000"

# Verify that the following tool is installed and executable:
# /usr/local/bin/mdatp
mdatpPath="/usr/local/bin/mdatp"

if [[ -x "$mdatpPath" ]]; then

    # If the mdatp tool is installed, Defender's tamper protection
    # status is checked by running the following command:
    # /usr/local/bin/mdatp health --field tamper_protection
    # There are three possible keywords that can be returned by this command:
    # disabled - tamper protection is completely off.
    # audit - tampering operations are logged, but not blocked.
    # block - tamper protection is on, tampering operations are blocked.
    tamper_protection_enabled="$("$mdatpPath" health --field tamper_protection | awk -F'"' '{print $2}')"

    # Map the returned keyword to the matching status code.
    if [[ "$tamper_protection_enabled" = "disabled" ]]; then
        eaResult="001"
    elif [[ "$tamper_protection_enabled" = "audit" ]]; then
        eaResult="010"
    elif [[ "$tamper_protection_enabled" = "block" ]]; then
        eaResult="100"
    fi
fi

echo "<result>$eaResult</result>"
exit 0
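
The script above reports 000 both when mdatp is missing and when its output matches none of the three keywords. The following added example (not part of the original gist) separates those two cases in POSIX sh; the function names, the 999 code and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the gist author's code. Function names are hypothetical.

# Strip whitespace and optional double quotes from the raw text printed by
# `mdatp health --field tamper_protection`, so quoted and unquoted output
# are treated the same way.
normalize_tamper_status() {
    printf '%s' "$1" | tr -d '"[:space:]'
}

# Map the keyword to the gist's status codes. 999 is a hypothetical extra
# code (an assumption, not in the gist) meaning "mdatp ran, but its output
# was not one of the documented keywords".
tamper_status_to_ea() {
    case "$(normalize_tamper_status "$1")" in
        disabled) echo "001" ;;
        audit)    echo "010" ;;
        block)    echo "100" ;;
        *)        echo "999" ;;
    esac
}

# Build the Extension Attribute result for a given mdatp path.
# 000 is kept strictly for "tool missing or not executable".
report_tamper_ea() {
    mdatp_path="${1:-/usr/local/bin/mdatp}"
    if [ -x "$mdatp_path" ]; then
        raw="$("$mdatp_path" health --field tamper_protection 2>/dev/null)" || raw=""
        ea="$(tamper_status_to_ea "$raw")"
    else
        ea="000"
    fi
    echo "<result>$ea</result>"
}

# Constructed sample outputs (not captured from a real mdatp run).
for sample in '"block"' 'audit' '"disabled"' '"unexpected"' ''; do
    printf '%-14s -> %s\n' "[$sample]" "$(tamper_status_to_ea "$sample")"
done
```

With a separate code for unparseable output, a Jamf Pro smart group can flag machines where the tool is present but its status could not be read, instead of counting them as not having Defender installed.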