Managing Macs for multiple companies gives us the opportunity to work in various environments, detect an issue where it first occurs, and then roll out the fix to all the others at the same time.
Recently we needed to find out whether any of the MDD instances running on our Macs had issues. We found a couple of scripts that claimed to do the job, but each of them was missing one bit or another. So we resorted to what Microsoft suggests: use the mdatp binary that ships with the MDD installer.
BitSysTechnologies.com >> mdatp health
healthy : false
health_issues : ["full disk access has not been granted"]
licensed : true
engine_version : "1.2.16600.3"
app_version : "101.97.30"
org_id : "bitsys-technologies-ab-sweden"
log_level : "info"
machine_guid : "14771-popo-1432-iioo-100a200b300c"
release_ring : "Production"
product_expiration : Apr 25, 2025 at 00:00:01 AM
cloud_enabled : true
cloud_automatic_sample_submission_consent : "safe"
cloud_diagnostic_enabled : true
passive_mode_enabled : true
real_time_protection_enabled : true
real_time_protection_available : true
real_time_protection_subsystem : "endpoint_security_extension"
network_events_subsystem : "network_filter_extension"
device_control_enforcement_level : "audit"
tamper_protection : "audit"
automatic_definition_update_enabled : true
definitions_updated : Nov 24, 2022 at 09:37:56 PM
definitions_updated_minutes_ago : 13
definitions_version : "1.379.884.0"
definitions_status : "up_to_date"
edr_early_preview_enabled : "enabled"
edr_device_tags : []
edr_group_ids : ""
edr_configuration_version : "20.199999.main.2022.11.17.07-3577429fa2e8bcc5249db25a9ea07439a10387f2"
edr_machine_id : "9d9d93j38djddi97eeba16299ce7665d822d52348"
conflicting_applications : []
network_protection_status : "stopped"
network_protection_enforcement_level : "disabled"
data_loss_prevention_status : "disabled"
full_disk_access_enabled : false
When we run mdatp health, it lists all the components that make up the health of MDD. So instead of picking one component that we believe is enough, we look at the aggregate, i.e. the 'healthy' field (which in the output above is false because of the single entry in 'health_issues').
Wait, there is more!
So now that you know what to look for, there is more that can be done from a script.
For example:
BitSysTechnologies.com >> mdatp health --field healthy
false
The --field option returns just the aggregate health status, so there is no need to grep the full output.
Or you can also find out exactly what is causing the issue (note that the && here only chains the two commands; it does not test the printed value, so both run whether the first prints true or false):
BitSysTechnologies.com >> mdatp health --field healthy && mdatp health --field health_issues
false
["full disk access has not been granted"]
Now create a script with a couple of lines: test whether MDD is installed; if not, exit the script; otherwise find the health status with the command listed above.
When it comes to scripting, I am sure you can have a smarter approach, but for beginners I'd suggest doing it in 3 steps:
If the mdatp binary exists, then check mdatp health --field healthy; if it is NOT healthy, then run mdatp health --field health_issues. At each of the 3 steps, if the other condition matches (binary missing, healthy, or no issues reported), exit the script with some logging.
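The three steps above as one working POSIX shell script. This is an added example, not code from the original post or from Microsoft; it uses only the mdatp commands shown on this page. Assumptions made here: the mdatp symlink lives at /usr/local/bin/mdatp (override with MDATP=...), "mdatp health" exits non-zero when the daemon is not running, and the exit codes 0/1/2/3 are a convention chosen for use from an MDM script runner.

```sh
#!/bin/sh
# Added example (not from the original post): three-step Defender health check
# built around "mdatp health --field healthy" and "--field health_issues".
# Exit codes (an assumption of this script, chosen for MDM script runners):
#   0  Defender installed and reports healthy=true
#   1  mdatp binary not found (Defender not installed)
#   2  mdatp present but "mdatp health" failed or returned an unexpected value
#   3  Defender reports healthy=false; health_issues are written to the log

# Default location of the mdatp symlink on macOS (assumption; override with MDATP=...)
MDATP="${MDATP:-/usr/local/bin/mdatp}"

log() {
    # Timestamped line on stderr so the MDM tool captures it in its script log
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2
}

# Step 1: does the mdatp binary exist and is it executable?
mdatp_installed() {
    [ -x "$MDATP" ]
}

# Print the value of a single "mdatp health" field, e.g. healthy -> true/false
mdatp_field() {
    "$MDATP" health --field "$1" 2>/dev/null
}

check_defender_health() {
    if ! mdatp_installed; then
        log "Defender not installed: $MDATP missing or not executable"
        return 1
    fi

    # Step 2: ask for the aggregate status; a failing command means the
    # daemon is not answering (assumed to exit non-zero in that case)
    healthy=$(mdatp_field healthy) || {
        log "mdatp health failed: Defender daemon may not be running"
        return 2
    }

    case "$healthy" in
        true)
            log "Defender healthy"
            return 0
            ;;
        false)
            # Step 3: only when unhealthy, fetch the list of issues
            issues=$(mdatp_field health_issues)
            log "Defender unhealthy: ${issues:-no details returned}"
            return 3
            ;;
        *)
            log "mdatp health returned unexpected value: '$healthy'"
            return 2
            ;;
    esac
}

# Run the check when executed as ./defender_health.sh; the functions can also
# be sourced into another script without running it.
case "$0" in
    *defender_health.sh) check_defender_health; exit $? ;;
esac
```

Save it as defender_health.sh and run it from your MDM; the exit code tells the caller which of the three steps failed, and the log line carries the health_issues text (for example ["full disk access has not been granted"]) so you do not have to open the full mdatp health output on every Mac.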
Visit this MS KB for more information on Troubleshooting Defender on macOS.
Tweet us @BitSysTech if you have questions. We’d love to discuss this.