
Submitted URL: https://sendfox.com/trk/click/8kog49wq/qo4evv
Effective URL: https://rahuljindalmyit.blogspot.com/2023/12/create-and-manage-microsoft-defender.html?utm_source=sendfox&utm_medium=email&utm_campai...
Submission: On December 28 via manual from GB — Scanned from GB

MODERN DEVICE MANAGEMENT






CREATE AND MANAGE MICROSOFT DEFENDER FOR ENDPOINT DEVICE TAGS FOR MACOS

- December 15, 2023


I recently worked on an implementation project for Microsoft Defender for
Endpoint on macOS devices, and while I would love to cover all the bells and
whistles involved in the setup, for now I will focus on one particular aspect
of the setup, i.e. MDE device tags.


What is an MDE Device Tag anyway?


Tags are used primarily to label and classify devices in an environment. This
makes searching easier and streamlines applying rules to specific groups or
categories. Device tags support proper mapping of the network, letting you
attach different tags to capture context and enabling dynamic list creation as
part of an incident in Defender. Here are some common uses of device tags:


1. Device Filter - You can use tags as a filter in the Device inventory view, or
to group devices.
2. RBAC - You can create device groups in Defender using tags for the purpose of
enforcing Role Based Access Control in the Defender Portal.
3. Device Grouping - You can create device groups in Defender using tags for the
purpose of assignments against Web content filtering and Indicators of
Compromise rules.
4. Advanced Hunting - You can use the tag information in the DeviceInfo schema
in Advanced hunting in Defender for reporting, and to inspect events in your
network to locate threat indicators and entities.


How to create MDE device tags?


There are multiple ways of creating a tag.


Manual


The manual method involves creating and assigning the tag directly in the
Defender Portal.


1. Open Microsoft Defender.
2. Navigate to Assets>Devices
3. Click on the particular macOS device and select Manage tags on the top right.
4. Create the tag as shown below.




However, this method is only practical if you are dealing with a handful of
machines. That is where the next method is preferable.


Automated


If you are managing devices using Intune, you can easily assign tags using an
Intune policy. You can either create a configuration file based on .plist
preferences or just use the Settings catalog. Needless to say, the latter is
going to be the preferred choice for many.


1. Open Microsoft Intune admin center.
2. Navigate to Devices>macOS>Configuration profiles>Create>Settings Catalog
3. Give a name and search for EDR as shown below.




4. Check Type of tag, which will also select Value of tag. Once done, you can
give whatever value you want for the tag. Note: Filtering might not work on tag
names that contain parentheses or commas, so avoid these characters.




5. Assign the profile to a group of devices as normal. Note: It can take up to
18 hours for the tag information to populate so patience is the key.
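
For the .plist route mentioned above, here is an added example (not code from the original post) that builds the preference payload and rejects tag values containing the characters the note in step 4 warns about. The key names (`edr`, `tags`, `key`, `GROUP`, `value`) and the `com.microsoft.wdav` preference domain are taken from Microsoft's documented macOS preferences for Defender, not from this post; the function names are hypothetical.

```python
import plistlib

# Characters the post warns can break tag filtering in the Defender portal.
FORBIDDEN = set("(),")


def validate_tag(value: str) -> str:
    """Return the trimmed tag, or raise ValueError if it is unusable."""
    tag = value.strip()
    if not tag:
        raise ValueError("tag value is empty")
    bad = sorted(FORBIDDEN.intersection(tag))
    if bad:
        raise ValueError(
            f"tag {tag!r} contains {''.join(bad)!r}; filtering may not work"
        )
    return tag


def build_wdav_plist(tag_value: str) -> bytes:
    """Build the preference payload carrying one GROUP tag.

    Assumption: the payload is deployed under the com.microsoft.wdav
    preference domain, per Microsoft's macOS preferences documentation.
    """
    prefs = {
        "edr": {
            "tags": [
                {"key": "GROUP", "value": validate_tag(tag_value)},
            ]
        }
    }
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML, sort_keys=False)


def read_group_tag(plist_bytes: bytes):
    """Read the GROUP tag back out of a payload, e.g. to audit a profile."""
    prefs = plistlib.loads(plist_bytes)
    for entry in prefs.get("edr", {}).get("tags", []):
        if entry.get("key") == "GROUP":
            return entry.get("value")
    return None


if __name__ == "__main__":
    # Tag value taken from the advanced hunting query in this post.
    print(build_wdav_plist("Intune-macOS-DigitalDesign").decode())
```

Reading the tag back from the plist you actually upload is a quick check that the value matches what you will later filter on in the Defender Portal.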

How & where to verify?

First and foremost, check if the Intune profile is applying correctly.



Secondly, head over to Defender Portal and see if the tag is populating for your
targeted devices or not. You can do this by applying filters.





You can also check for device info in advanced hunting on the Defender Portal.
Run the following query to get the details.

// Get latest information on user/device
DeviceInfo
| where RegistryDeviceTag has "Intune-macOS-DigitalDesign"





Final Thoughts..


Device tags within Microsoft Defender for Endpoint are a pretty useful feature
which in my opinion gets overlooked. This functionality allows a granular level
of control over how an organization can manage its devices. There are other
aspects of MDE device tags, like RBAC and using the API and scripts for
automated creation of tags, which I haven't covered in this blog. However, I do
intend to cover them in the coming weeks along with creating MDE device tags
for other platforms.


Until next time..
Rahul Jindal
Rahul is an IT Professional with over 17+ years of rich IT experience. He is a
Microsoft MVP in Enterprise Mobility and an Ex MVP in Security. He is currently
working with Ergo Group as a Senior Consultant and specializes in Microsoft
Intune, Configuration Manager and Cloud Security. He is a community expert in
Microsoft Learn, Techcommunity and also an avid blogger covering various areas
of Modern Device Management.
