defender-endpoint/tamperprotection-macos.md
Lines changed: 5 additions & 2 deletions
@@ -74,8 +74,11 @@ You can configure the tamper protection mode by providing the mode name as enfor
74
74
75
75
## Before you begin
76
76
77
+
Make sure that the following requirements are met:
78
+
77
79
- Supported macOS versions: Big Sur (11), or later
78
80
- Minimum required version for Defender for Endpoint: `101.70.19`
81
+
- You have an appropriate role assigned (see [Create and manage roles for role-based access control](user-roles.md))
79
82
80
83
> [!IMPORTANT]
81
84
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
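Review bot: The new requirement bullet says only "an appropriate role" and leaves the reader to work out which one from user-roles.md. The other hunks in this commit settle on Security Administrator, so name that role (or the specific permission needed) in the bullet itself. With the `[!IMPORTANT]` note right below steering readers away from Global Administrator, the least-privileged role that works should be stated here rather than implied.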
@@ -497,7 +500,7 @@ Configure [preferences](mac-preferences.md#exclusions), for example for JAMF:
497
500
</plist>
498
501
```
499
502
500
-
Note, that excluding a scripting interpreter (like Ruby from the example above) instead of a compiled executable isn't secure, as it can run *any script*, not just the one that a Global Administrator uses.
503
+
Note, that excluding a scripting interpreter (like Ruby from the example above) instead of a compiled executable isn't secure, as it can run *any script*, not just the one that a Security Administrator uses.
501
504
502
505
To minimize the risk, we recommend using extra `args` to allow only specific scripts to run with scripting interpreters.
503
506
In the example above, only `/usr/bin/ruby /usr/local/bin/global_mdatp_restarted.rb` is permitted to restart Defender.
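Review bot: The rewritten sentence keeps "Note, that excluding ..." with a stray comma after "Note". Since the line is being touched anyway, change it to "Note that excluding ...". This is also the security caveat for the whole exclusion example, so consider moving it into a callout block like the `> [!IMPORTANT]` one used under "Before you begin", so it is not read as ordinary body text after the plist.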
-`tamper_protection` is the *effective* mode. If this mode is the mode you intended to use, then you're all set.
532
535
-`configuration_source` indicates how tamper protection enforcement level is set. It must match how you configured tamper protection. (If you set its mode through a managed profile, and `configuration_source` shows something different, then you most probably misconfigured your profile.)
533
-
-`mdm` - it's configured through a managed profile. Only a Global Administrator can change it with an update to the profile!
536
+
-`mdm` - it's configured through a managed profile. Only a Security Administrator can change it with an update to the profile!
534
537
-`local` - it's configured with `mdatp config` command
535
538
-`portal` - default enforcement level set in Security Portal
536
539
-`defaults` - not configured, the default mode is used
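Review bot: On the `mdm` line, "Only a Security Administrator can change it with an update to the profile!" swaps one role name for another without checking whether the claim still holds. A managed profile is edited in the MDM tool (the file's own example is JAMF), so please confirm that the Security Administrator role described in user-roles.md is the one that can actually update that profile. If it is not, use wording such as "only an administrator who manages the profile can change it". Ending the sentence with a period instead of "!" would also match the neighbouring list items.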