I’ve recently changed to a new macOS machine and updated it to 10.15.1 prior to enrolling into Intune.
Our Intune instance automatically deploys and configures Defender ATP, however defender ATP has failed to initialize on my new machine.
Initial error displayed:
No License found
Looks like your organization does not have a license for Microsoft 365 Enterprise subscription
Contact your administrator for help
This was strange as Defender ATP is working on my other macOS device
Regardless I have validated the license in the Azure console and locally on the device by running
licensed : true
At this point I’ve decided to re-install Defender ATP (re-install instructions here https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources#uninstalling)
Re-install did not help.
The version we were publishing via Intune was rather dated (100.42.86)
So I decided to republish a newer version (100.72.15).
The 100.72.15 version has changed the error message but defender still did not work
We’re having trouble starting this app
Please hold for a moment…
Health check has now regressed with the following error message
daniil@Daniils-MBP Downloads % mdatp --health Failed to connect to daemon. Reason: Connection refused
My first assumption was an issue with Kernel Extensions, which are located in
Looking inside the wdavkext.kext has returned some interesting results
daniil@Daniils-MBP Tools % ls /Library/Extensions/wdavkext.kext/Contents/Resources/Tools check_state.sh load.sh wdavconfig.py installlib.sh uninstall wdavstate.py
There are a number of scripts inside the extension package that can be used to check on the health of the Defender status
Running check_state.sh returned the following results
daniil@Daniils-MBP Tools % /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/check_state.sh shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory KEXT wdavkext is loaded DAEMON wdavdaemon is not running PROCESS Microsoft Defender is running, pid=2665 PROCESS wdavdaemon is not running
Looks like the issue is with wdavdaemon
macOS houses instructions for LaunchDaemons in the following directory
daniil@Daniils-MBP Tools % ls /Library/LaunchDaemons com.microsoft.OneDriveUpdaterDaemon.plist com.microsoft.autoupdate.helper.plist com.microsoft.fresno.plist com.microsoft.fresno.uninstall.plist com.microsoft.office.licensingV2.helper.plist com.microsoft.teams.TeamsUpdaterDaemon.plist
The plist responsible for weavedaemon is com.microsoft.fresno.plist
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>KeepAlive</key> <true/> <key>Label</key> <string>com.microsoft.fresno</string> <key>Program</key> <string>/Applications/Microsoft Defender ATP.app/Contents/Resources/wdavdaemon.app/Contents/MacOS/wdavdaemon</string> <key>RunAtLoad</key> <true/> <key>WorkingDirectory</key> <string>/Applications/Microsoft Defender ATP.app/Contents/Resources/wdavdaemon.app/Contents/MacOS</string> </dict> </plist>
Loading and starting the daemon has not proven successful
launchctl load /Library/LaunchDaemons/com.microsoft.fresno.plist launchctl start com.microsoft.fresno
However that did create a number of events in the system.log file
Oct 31 22:49:26 Daniils-MBP com.apple.xpc.launchd (com.microsoft.fresno): Service only ran for 0 seconds. Pushing respawn out by 10 seconds. Oct 31 22:49:30 Daniils-MBP com.apple.xpc.launchd (com.microsoft.fresno): Service exited with abnormal code: 13 Oct 31 22:49:30 Daniils-MBP com.apple.xpc.launchd (com.microsoft.fresno): Service only ran for 0 seconds. Pushing respawn out by 10 seconds. Oct 31 22:49:36 Daniils-MBP com.apple.xpc.launchd (com.microsoft.fresno): Service exited with abnormal code: 5
Looking at Crash Reports in the console application I saw a large number of wdavdaemon crashes
Looking through the crash log the following line caught my attention
terminating with uncaught exception of type boost::filesystem::filesystem_error: boost::filesystem::create_directory: Permission denied: "/Library/Logs/Microsoft/mdatp/rotated"
Further investigation identified that the permissions for /Library/Logs/Microsoft have been changed. After resetting the permissions to the Microsoft folder Defender ATP has sprung back into life.