Merge branch 'main' into docs-editor/deployment-vdi-microsoft-defen-1727402291

garycentric · web-flow · commit 80bd54f58bdb · 2024-09-27T15:11:06.000-07:00
diff --git a/defender-endpoint/network-protection-macos.md b/defender-endpoint/network-protection-macos.md
@@ -3,7 +3,7 @@ title: Use network protection to help prevent macOS connections to bad sites
 description: Protect your network by preventing macOS users from accessing known malicious and suspicious network addresses
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 08/22/2024
+ms.date: 09/27/2024
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
@@ -42,13 +42,13 @@ search.appverid: met150
 
 ## Overview
 
-Microsoft Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that might host:
+Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents people from using any application to access dangerous domains that might host:
 
 - phishing scams
 - exploits
 - other malicious content on the Internet
 
-Network protection expands the scope of Microsoft Defender XDR [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources. The blocks on outbound HTTP(s) traffic are based on the domain or hostname.
+Network protection expands the scope of Microsoft Defender XDR [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) to block all outbound HTTP/HTTPS traffic that attempts to connect to low-reputation sources. The blocks on outbound HTTP/HTTPS traffic are based on the domain or hostname.
 
 ## Availability
 
@@ -83,7 +83,7 @@ To roll out Network Protection for macOS, we recommend the following actions:
 
 ### Important notes
 
-- We don't recommend controlling network protection from System Preferences by using the Disconnect button. Instead, use the mdatp command-line tool or JAMF / Intune to control network protection for macOS.
+- We don't recommend controlling network protection from System Preferences by using the **Disconnect** button. Instead, use the mdatp command-line tool or JamF/Intune to control network protection for macOS.
 - To evaluate effectiveness of macOS web threat protection, we recommend trying it in browsers other than Microsoft Edge for macOS (for example, Safari). Microsoft Edge for macOS has built-in web threat protection (Microsoft Defender Browser Protection extension which provides Smartscreen capabilities) that is enabled regardless of whether the Mac network protection feature you're evaluating, is turned on or not.
 
 ## Deployment instructions
@@ -136,26 +136,32 @@ After you create this configuration profile, assign it to the devices where you
 
 ##### Configure the enforcement level
 
-Note: If you've already configured Microsoft Defender XDR for Endpoint on Mac using the instructions listed here, then update the plist file you previously deployed with the content listed below and redeploy it from JAMF.
-
-1. In **Computers** \> **Configuration Profiles**, select **Options** \> **Applications & Custom Settings**
-2. Select **Upload File** (PLIST file)
-3. Set preference domain to _com.microsoft.wdav_
-4. Upload the following plist file
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>networkProtection</key>
-    <dict>
-        <key>enforcementLevel</key>
-        <string>block</string>
-    </dict>
-</dict>
-</plist>
-```
+> [!NOTE]
+> If you've already configured Microsoft Defender XDR for Endpoint on Mac using the instructions listed here, then update the plist file you previously deployed with the content listed in this section, and then redeploy it from JAMF.
+
+1. In **Computers** > **Configuration Profiles**, select **Options** > **Applications & Custom Settings**.
+
+2. Select **Upload File** (PLIST file).
+
+3. Set preference domain to `com.microsoft.wdav`.
+
+4. Upload the following plist file.
+
+   ```xml
+   
+   <?xml version="1.0" encoding="UTF-8"?>
+   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+   <plist version="1.0">
+   <dict>
+       <key>networkProtection</key>
+       <dict>
+           <key>enforcementLevel</key>
+           <string>block</string>
+       </dict>
+   </dict>
+   </plist>
+   
+   ```
 
 #### Intune deployment
 
@@ -165,24 +171,32 @@ After you create this configuration profile, assign it to the devices where you
 ##### Configure the enforcement level using Intune
 
 > [!NOTE]
-> If you've already configured Microsoft Defender for Endpoint on Mac using the previous instructions (with an XML file), then remove the previous Custom configuration policy and replace it with the instructions below.
+> If you've already configured Microsoft Defender for Endpoint on Mac using the previous instructions (with an XML file), then remove the previous Custom configuration policy and replace it with the following instructions:
+
+1. Open **Manage** > **Device configuration**. Select **Manage** \> **Profiles** \> **Create Profile**.
 
-1. Open **Manage** \> **Device configuration**. Select **Manage** \> **Profiles** \> **Create Profile**.
 2. Change **Platform** to **macOS** and **Profile type** to **Settings catalog**. Select **Create**.
+
 3. Specify a name for the profile. 
-4. On the **Configuration settings** screen, select **Add settings**. Select **Microsoft Defender** \> **Network protection**, and tick the **Enforcement level** checkbox.
-5. Set the enforcement level to **block**. Select **Next**
-6. Open the configuration profile and upload the com.microsoft.wdav.xml file. (This file was created in step 3.)
+
+4. On the **Configuration settings** screen, select **Add settings**. Select **Microsoft Defender** > **Network protection**, and tick the **Enforcement level** checkbox.
+
+5. Set the enforcement level to **block**. Select **Next**.
+
+6. Open the configuration profile and upload the `com.microsoft.wdav.xml` file. (This file was created in step 3.)
+
 7. Select **OK**
+
 8. Select **Manage** \> **Assignments**. In the **Include** tab, select the devices for which you want to enable network protection.
 
 #### Mobileconfig deployment
 
-To deploy the configuration via a .mobileconfig file, which can be used with non-Microsoft MDM solutions or distributed to devices directly:
+To deploy the configuration via a `.mobileconfig` file, which can be used with non-Microsoft MDM solutions or distributed to devices directly, follow these steps:
 
-1. Save the following payload as _com.microsoft.wdav.xml.mobileconfig_
+1. Save the following payload as `com.microsoft.wdav.xml.mobileconfig`.
    
    ```xml
+
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1">
@@ -235,28 +249,34 @@ To deploy the configuration via a .mobileconfig file, which can be used with non
            </array>
        </dict>
    </plist>
+   
    ```
 
-2. Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs OK:
+2. Verify that the file from the previous step was copied correctly. Using Terminal, run the following command and verify that it outputs OK:
 
    ```bash
+
    plutil -lint com.microsoft.wdav.xml
+   
    ```
 
-
 ## How to explore the features
 
 1. Learn how to [Protect your organization against web threats](web-threat-protection.md) using web threat protection.
    - Web threat protection is part of web protection in Microsoft Defender for Endpoint. It uses network protection to secure your devices against web threats.
+
 2. Run through the [Custom Indicators of Compromise](indicator-ip-domain.md) flow to get blocks on the Custom Indicator type.
+
 3. Explore [Web content filtering](web-content-filtering.md).
+
    > [!NOTE]
    > If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
    > Pro tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
    >
    > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
 
 4. [Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps](/defender-cloud-apps/mde-integration) and your network protection-enabled macOS devices have endpoint policy enforcement capabilities.
+
    > [!NOTE]
    > Discovery and other features are currently not supported on these platforms.
 
@@ -312,24 +332,22 @@ Within 10-15 minutes, these domains are listed in Microsoft Defender XDR under I
 
 :::image type="content" source="media/network-protection-macos-indicators-urls-domains-warn.png" alt-text="Shows network protection indicators for urls or domains warning.":::
 
-When the end user is attempting to access monitored domains, they're warned by Defender for Endpoint.
-
-- The user gets a plain block experience accompanied by the following toast message, which is displayed by the operating system including the name of the blocked application (e.g Blogger.com)
+When the end user is attempting to access monitored domains, they're warned by Defender for Endpoint. The user gets a plain block experience accompanied by the following toast message, which is displayed by the operating system including the name of the blocked application (e.g Blogger.com)
 
   :::image type="content" source="media/network-protection-macos-content-blocked.png" alt-text="Shows end-user network protection content blocked toast notification.":::
 
-If the end user encounters a _block_, the user has two possible resolutions:
+If the end user encounters a _block_, the user has two possible resolutions: bypass and education.
 
 #### User bypass
 
-- **For toast message experience**: Press the Unblock button. By reloading the webpage, the user is able to proceed and use the cloud app. (This action is applicable for the next 24 hours, after which the user has to unblock once again)
+- **For toast message experience**: Press the **Unblock** button. By reloading the webpage, the user is able to proceed and use the cloud app. (This action is applicable for the next 24 hours, after which the user has to unblock once again.)
 
 #### User education
 
 - **For toast message experience**: Press the toast message itself. End user is redirected to a custom redirect URL set globally in Microsoft Defender for Cloud Apps (More information at the bottom of this page)
 
 > [!NOTE]
-> Tracking bypasses per app** – You can track how many users have bypassed the warning in the _Application_ page in Microsoft Defender for Cloud Apps.
+> Tracking bypasses per app: You can track how many users have bypassed the warning in the **Application** page in Microsoft Defender for Cloud Apps.
 
   :::image type="content" source="media/network-protection-macos-mcas-cloud-app-security.png" alt-text="Shows network protection cloud app security overview.":::
 
@@ -355,10 +373,15 @@ For this page, we recommend that your organization uses a basic SharePoint site.
 ### Important things to know
 
 1. It can take up to two hours (typically less) for app domains to propagate and to be update in the endpoint devices, after it's marked as _Monitored_.
+
 2. By default, action is taken for all apps and domains that were marked as Monitored in Microsoft Defender for Cloud Apps portal for all the onboarded endpoints in the organization.
-3. Full URLs are currently not supported and won't be sent from Microsoft Defender for Cloud Apps to Microsoft Defender XDR for Endpoint, if any full URLs are listed under Microsoft Defender for Cloud Apps monitored apps, hence, user won't get warned on access attempt (for example, google.com/drive isn't supported, while drive.google.com is supported).
 
-No End-user notification on third party browsers? Check your toast message settings.
+3. Full URLs are currently not supported and aren't sent from Microsoft Defender for Cloud Apps to Microsoft Defender for Endpoint. If any full URLs are listed under Microsoft Defender for Cloud Apps as monitored apps, users aren't warned when they attempt to access a site. (For example, `google.com/drive` isn't supported, while `drive.google.com` is supported.)
+
+4. Network protection doesn't support the use of QUIC on browsers. Administrators need to ensure that QUIC is disabled when testing to ensure sites are blocked correctly. 
+
+> [!TIP]
+> No end-user notifications are appearing on third party browsers? Check your toast message settings.
 
 ## See also
 
diff --git a/defender-office-365/TOC.yml b/defender-office-365/TOC.yml
@@ -240,6 +240,8 @@
              href: tenant-allow-block-list-files-configure.md
            - name: Allow or block URLs using the Tenant Allow/Block List
              href: tenant-allow-block-list-urls-configure.md
+           - name: Allow or block IP addresses using the Tenant Allow/Block List
+             href: tenant-allow-block-list-ip-addresses-configure.md
          - name: Admin submissions
            href: submissions-admin.md
          - name: Create block sender lists
diff --git a/defender-office-365/tenant-allow-block-list-about.md b/defender-office-365/tenant-allow-block-list-about.md
@@ -8,7 +8,7 @@ manager: deniseb
 audience: ITPro
 ms.topic: how-to
 ms.localizationpriority: medium
-ms.date: 09/19/2024
+ms.date: 09/20/2024
 search.appverid:
 - MET150
 ms.collection:
@@ -32,7 +32,7 @@ appliesto:
 
 In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP or Microsoft Defender for Office 365 filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).
 
-The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. The list is used during mail flow for incoming messages from external senders.
+The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. The list is used during mail flow or time of click for incoming messages from external senders.
 
 Entries for **Domains and email addresses** and **Spoofed senders** apply to internal messages sent within the organization. Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
 
@@ -43,6 +43,7 @@ For usage and configuration instructions, see the following articles:
 - **Domains and email addresses** and **spoofed senders**: [Allow or block emails using the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md)
 - **Files**: [Allow or block files using the Tenant Allow/Block List](tenant-allow-block-list-files-configure.md)
 - **URLs**: [Allow or block URLs using the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md).
+- **IP addresses**: [Allow or block IP addresses using the Tenant Allow/Block List](tenant-allow-block-list-ip-addresses-configure.md).
 
 These articles contain procedures in the Microsoft Defender portal and in PowerShell.
 
@@ -70,7 +71,11 @@ In the Tenant Allow/Block List, you can also directly create block entries for t
 
 - **[Spoofed senders](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-spoofed-senders)**: If you manually override an existing allow verdict from [spoof intelligence](anti-spoofing-spoof-intelligence.md), the blocked spoofed sender becomes a manual block entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List.
 
-By default, block entries for [domains and email addresses](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses), [files](tenant-allow-block-list-files-configure.md#create-block-entries-for-files) and [URLs](tenant-allow-block-list-urls-configure.md#create-block-entries-for-urls) expire after 30 days, but you can set them to expire up 90 days or to never expire. Block entries for [spoofed senders](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-spoofed-senders) never expire.
+- **[IP addresses](tenant-allow-block-list-ip-addresses-configure.md#create-block-entries-for-ip-addresses)**: If you manually create a block entry, all incoming email messages from that IP address are dropped at the edge of the service.
+
+By default, block entries for [domains and email addresses](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses), [files](tenant-allow-block-list-files-configure.md#create-block-entries-for-files) and [URLs](tenant-allow-block-list-urls-configure.md#create-block-entries-for-urls) expire after 30 days, but you can set them to expire up 90 days or to never expire.
+
+Block entries for [spoofed senders](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-spoofed-senders) and [IP addresses](tenant-allow-block-list-ip-addresses-configure.md#create-block-entries-for-ip-addresses) never expire.
 
 ## Allow entries in the Tenant Allow/Block List
 
@@ -82,6 +87,8 @@ In most cases, you can't directly create allow entries in the Tenant Allow/Block
   - If spoof intelligence already blocked the message as spoofing, use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to [report the email to Microsoft](submissions-admin.md#report-good-email-to-microsoft) as **I've confirmed it's clean**, and then select **Allow this message**.
   - You can proactively create [an allow entry for a spoofed sender](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders) on the **Spoofed sender** tab in the Tenant Allow/Block List before [spoof intelligence](anti-spoofing-spoof-intelligence.md) identifies and blocks the message as spoofing.
 
+- **IP Addresses**: You can proactively create an [an allow entry for an IP address](tenant-allow-block-list-ip-addresses-configure.md#create-block-entries-for-ip-addresses) on the **IP addresses** tab in the Tenant Allow/Block List to override the IP filters for incoming messages.
+
 The following list describes what happens in the Tenant Allow/Block List when you submit something to Microsoft as a false positive on the **Submissions** page:
 
 - **Email attachments** and **URLs**: An allow entry is created and the entry appears on the **Files** or **URLs** tab in the Tenant Allow/Block List respectively.
diff --git a/defender-office-365/tenant-allow-block-list-email-spoof-configure.md b/defender-office-365/tenant-allow-block-list-email-spoof-configure.md
@@ -543,3 +543,4 @@ For submission instructions for impersonation false positives, see [Report good
 - [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md)
 - [Allow or block files in the Tenant Allow/Block List](tenant-allow-block-list-files-configure.md)
 - [Allow or block URLs in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md)
+- [Allow or block IP addresses in the Tenant Allow/Block List](tenant-allow-block-list-ip-addresses-configure.md)
diff --git a/defender-office-365/tenant-allow-block-list-files-configure.md b/defender-office-365/tenant-allow-block-list-files-configure.md
@@ -283,3 +283,4 @@ For detailed syntax and parameter information, see [Remove-TenantAllowBlockListI
 - [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md)
 - [Allow or block emails in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md)
 - [Allow or block URLs in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md)
+- [Allow or block IP addresses in the Tenant Allow/Block List](tenant-allow-block-list-ip-addresses-configure.md)
diff --git a/defender-office-365/tenant-allow-block-list-ip-addresses-configure.md b/defender-office-365/tenant-allow-block-list-ip-addresses-configure.md
diff --git a/defender-office-365/tenant-allow-block-list-urls-configure.md b/defender-office-365/tenant-allow-block-list-urls-configure.md
