diff --git a/macOS/Apps/Illumio VEN/readme.md b/macOS/Apps/Illumio VEN/readme.md index 0772ce63..099628e0 100644 --- a/macOS/Apps/Illumio VEN/readme.md +++ b/macOS/Apps/Illumio VEN/readme.md 
@@ -1,34 +1,36 @@ -# Illumio VEN Installation & Illumio VEN Registration Installer +# Illumio VEN +Here is a collection of scripts for Illumio VEN. +## Installation and Registration Installer This script is an example to show how to use [Intune Shell Scripting](https://docs.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts) to install applications. In this case the script will download the Illumio VEN pkg file from your download server e.g. Azure Blob Storage Container and then install application onto the Mac. Also, in order to apply Illumio VEN Registration to devices that already have Illumio VEN installed, we are also providing separate script for that. -## Things you'll need to do (installIllumioVEN.sh) +### Things you'll need to do (installIllumioVEN.sh) - From line 36, change correct server address URL where PKG-installer will be downloaded e.g. your Azure Blob Storage Container. - From line 43, if you want to install Illumio VEN to devices that are not superviced e.g. BYOD-devices, change value to "false" without quotes. -## Things you'll need to do (illumioVENRegistrationInstaller.sh) +### Things you'll need to do (illumioVENRegistrationInstaller.sh) - From line 34, if you want to install Illumio VEN to devices that are not superviced e.g. BYOD-devices, change value to "false" without quotes. - From line 35, set Illumio VEN activation code from your pairing script - From line 36, set Illumio VEN management server address from your pairing script without https:// -prefix. - From line 37, set Illumio VEN profile id from your pairing script. 
-## Script Settings (installIllumioVEN.sh) +### Script Settings (installIllumioVEN.sh) - Run script as signed-in user : No - Hide script notifications on devices : Yes - Script frequency : Not configured - Number of times to retry if script fails : 3 -## Script Settings (illumioVENRegistrationInstaller.sh) +### Script Settings (illumioVENRegistrationInstaller.sh) - Run script as signed-in user : No - Hide script notifications on devices : Yes - Script frequency : Every 15 minutes - Number of times to retry if script fails : 3 -## Log File (installIllumioVEN.sh) +### Log File (installIllumioVEN.sh) The log file will output to ***/Library/Logs/Microsoft/IntuneScripts/IllumioVEN.log*** by default. Exit status is either 0 or 1. To gather this log with Intune remotely take a look at [Troubleshoot macOS shell script policies using log collection](https://docs.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts#troubleshoot-macos-shell-script-policies-using-log-collection) @@ -65,7 +67,7 @@ Fri Nov 17 21:25:41 EET 2023 | Cleaning Up Fri Nov 17 21:25:41 EET 2023 | Application [IllumioVEN] succesfully installed Fri Nov 17 21:25:41 EET 2023 | Writing last modifieddate [Tue, 17 Oct 2023 11:31:35 GMT] to [/Library/Logs/Microsoft/IntuneScripts/IllumioVEN/IllumioVEN.meta] ``` -## Log File (illumioVENRegistrationInstaller.sh) +### Log File (illumioVENRegistrationInstaller.sh) The log file will output to ***/Library/Logs/Microsoft/IntuneScripts/IllumioVENRegistrationInstaller.log*** by default. Exit status is either 0 or 1. To gather this log with Intune remotely take a look at [Troubleshoot macOS shell script policies using log collection](https://docs.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts#troubleshoot-macos-shell-script-policies-using-log-collection) 
@@ -102,4 +104,52 @@ VEN has been SUCCESSFULLY paired with Illumio Fri Nov 17 20:58:13 EET 2023 | Illumio VEN Registration applied. Creating Registration detection file... Fri Nov 17 20:58:13 EET 2023 | Done. Closing script... +``` + +## Uninstallation +Script `uninstallIllumioVEN.zsh` will uninstall illumio VEN from Intune-managed Mac-device. + +### Script Settings (uninstallIllumioVEN.zsh) + +- Run script as signed-in user : No +- Hide script notifications on devices : Yes +- Script frequency : Every 1 day +- Number of times to retry if script fails : 3 + +### Log File (uninstallIllumioVEN.zsh) + +The log file will output to ***/Library/Logs/Microsoft/IntuneScripts/IllumioVENUninstaller/IllumioVENUninstaller.log*** by default. Exit status is either 0 or 1. The script logs the `illumio-ven-ctl unpair saved` call and verifies removal of `/opt/illumio_ven`. To gather this log with Intune remotely take a look at [Troubleshoot macOS shell script policies using log collection](https://docs.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts#troubleshoot-macos-shell-script-policies-using-log-collection) + +``` +############################################################## +# Sat Oct 18 11:23:33 EEST 2025 | Starting running of script IllumioVENUninstaller +############################################################ + +Sat Oct 18 11:23:33 EEST 2025 | Illumio VEN directory detected at /opt/illumio_ven. Let's proceed... +Sat Oct 18 11:23:33 EEST 2025 | Running Illumio VEN unpair command... +touch: /opt/illumio_ven_data/reports/in_progress: No such file or directory +cp: /etc/pf.anchors/com.illumio: No such file or directory +grep: /opt/illumio_ven_data/etc/agent_id.cfg: No such file or directory +No ALTQ support in kernel +ALTQ related functions disabled +find: /opt/illumio_ven_data/etc/agentmon/: No such file or directory +rm: /private/var/ilo-ven: Operation not permitted +Forgot package 'com.illumio.illumio-ven-service' on '/'. + +Illumio VEN is being uninstalled... 
+ + + +2025-10-18T11:23:36+0300 Generating Support Report at /tmp/illumio-ven-report.tgz ........ +2025-10-18T11:23:49+0300 Uninstalling Illumio ............ +2025-10-18T11:23:51+0300 Stopped all daemons +2025-10-18T11:23:51+0300 /opt/illumio_ven/system/etc/init.d/illumio-firewall disable +2025-10-18T11:23:51+0300 Firewall Rules failed restore +2025-10-18T11:24:05+0300 Illumio package cleaned up com.illumio.illumio-ven-service version 23.2.22.295 +2025-10-18T11:24:05+0300 Uninstall complete + +VEN has been SUCCESSFULLY unpaired with Illumio + +Sat Oct 18 11:24:05 EEST 2025 | Illumio VEN unpair command returned success. Verifying removal... +Sat Oct 18 11:24:05 EEST 2025 | Illumio VEN components not detected. Uninstallation verified. Closing script... ``` \ No newline at end of file diff --git a/macOS/Apps/Illumio VEN/uninstallIllumioVEN.zsh b/macOS/Apps/Illumio VEN/uninstallIllumioVEN.zsh new file mode 100644 index 00000000..82dd2bfa --- /dev/null +++ b/macOS/Apps/Illumio VEN/uninstallIllumioVEN.zsh 
@@ -0,0 +1,85 @@ +#!/bin/zsh +#set -x +############################################################################################ +## +## Script to uninstall Illumio VEN from macOS +## +############################################################################################ + +## Copyright (c) 2025 Microsoft Corp. All rights reserved. +## Scripts are not supported under any Microsoft standard support program or service. The scripts are provided AS IS without warranty of any kind. +## Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a +## particular purpose. The entire risk arising out of the use or performance of the scripts and documentation remains with you. In no event shall +## Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever +## (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary +## loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility +## of such damages. 
+## Feedback: neiljohn@microsoft.com + +# Define variables +appname="IllumioVENUninstaller" # The name of our uninstall script +logandmetadir="/Library/Logs/Microsoft/IntuneScripts/$appname" # The location of our logs and last updated data +log="$logandmetadir/$appname.log" # The location of the script log file +illumiodir="/opt/illumio_ven" # Illumio VEN installation directory +ctlpath="$illumiodir/illumio-ven-ctl" # Illumio VEN control binary + +# Check if the log directory has been created +if [ -d "$logandmetadir" ]; then + # Already created + echo "$(date) | Log directory already exists - $logandmetadir" +else + # Creating Metadirectory + echo "$(date) | Creating log directory - $logandmetadir" + mkdir -p "$logandmetadir" +fi + +# Check if Illumio VEN is installed +CheckIfIllumioVENIsInstalled() { +if [ -d "$illumiodir" ]; then + echo "$(date) | Illumio VEN directory detected at $illumiodir. Let's proceed..." +else + echo "$(date) | Illumio VEN directory not found. Nothing to uninstall. Closing the script..." + exit 0 +fi +} + +# Run Illumio VEN unpair command +RunIllumioVENUnpair() { +if [ -x "$ctlpath" ]; then + echo "$(date) | Running Illumio VEN unpair command..." + if "$ctlpath" unpair saved; then + echo "$(date) | Illumio VEN unpair command returned success. Verifying removal..." + else + echo "$(date) | ERROR: Illumio VEN unpair command failed. Closing script..." + exit 1 + fi +else + echo "$(date) | ERROR: Illumio VEN control binary not found or not executable at $ctlpath. Closing script..." + exit 1 +fi +} + +VerifyIllumioVENRemoval() { +if [ -d "$illumiodir" ] || [ -x "$ctlpath" ]; then + echo "$(date) | ERROR: Illumio VEN components still detected at $illumiodir. Closing script..." + exit 1 +else + echo "$(date) | Illumio VEN components not detected. Uninstallation verified. Closing script..." 
+ exit 0 +fi +} + +# Start logging +exec &> >(tee -a "$log") + +# Begin Script Body +echo "" +echo "##############################################################" +echo "# $(date) | Starting running of script $appname" +echo "############################################################" +echo "" + +# Run functions +CheckIfIllumioVENIsInstalled +RunIllumioVENUnpair +VerifyIllumioVENRemoval \ No newline at end of file diff --git a/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/Diagram.drawio b/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/Diagram.drawio index 9e15285b..af220899 100644 --- a/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/Diagram.drawio +++ b/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/Diagram.drawio @@ -1,14 +1,16 @@ - + - - + + + + - + @@ -57,7 +59,7 @@ - + @@ -81,7 +83,7 @@ - + @@ -111,7 +113,7 @@ - + @@ -135,7 +137,7 @@ - + @@ -160,7 +162,7 @@ - + @@ -179,7 +181,7 @@ - + @@ -209,7 +211,7 @@ - + @@ -228,7 +230,7 @@ - + @@ -261,7 +263,7 @@ - + @@ -286,7 +288,7 @@ - + @@ -303,7 +305,7 @@ - + @@ -314,7 +316,7 @@ - + @@ -344,7 +346,7 @@ - + @@ -368,7 +370,7 @@ - + @@ -393,7 +395,7 @@ - + @@ -417,7 +419,7 @@ - + @@ -448,7 +450,7 @@ - + @@ -473,9 +475,17 @@ - + + + + + + + + + @@ -502,7 +512,7 @@ - + @@ -521,7 +531,7 @@ - + @@ -538,15 +548,20 @@ - - + + + + + + + - - - + + + - + @@ -557,25 +572,258 @@ - + - - - + + + - + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
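Review bot: The first readme hunk (@@ -1,34 +1,36 @@) demotes the headings but leaves the adjacent instruction lines as they were, including the spelling "superviced" in both "Things you'll need to do" lists; since this hunk already rewrites these sections, correct it to "supervised" there. The same lists tell the admin to edit "line 36", "line 43" and so on, which drifts as soon as the scripts change; naming the setting to change rather than its line number would be more durable.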
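Review bot: The new Uninstallation section (hunk @@ -102,4 +104,52 @@) only says the script "verifies removal of `/opt/illumio_ven`", while its own sample log shows "Firewall Rules failed restore", "rm: /private/var/ilo-ven: Operation not permitted" and several "No such file or directory" lines immediately before "VEN has been SUCCESSFULLY unpaired". Document what firewall state `illumio-ven-ctl unpair saved` is expected to leave on the Mac and whether those messages are benign, otherwise an admin reading the log cannot tell if host firewall policy was actually restored. Minor wording: "illumio VEN" and "Mac-device" in the section intro should read "Illumio VEN" and "Mac device".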
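Review bot: In the new uninstallIllumioVEN.zsh, VerifyIllumioVENRemoval only tests the two paths the script itself defines (`$illumiodir` and `$ctlpath`), while the unpair output captured in the same change references `/opt/illumio_ven_data` and the receipt `com.illumio.illumio-ven-service`; the check therefore reports "Uninstallation verified" even if the data directory or package receipt is left behind. Suggest adding `[ -d /opt/illumio_ven_data ]` and `pkgutil --pkg-info com.illumio.illumio-ven-service >/dev/null 2>&1` to the failure condition. Two smaller points: `exec &> >(tee -a "$log")` is installed after the log-directory block, so the "Log directory already exists" / "Creating log directory" lines never reach the log file (run `mkdir -p`, then the exec, then echo); and RunIllumioVENUnpair treats a zero exit from `unpair saved` as full success although the readme sample shows "Firewall Rules failed restore" with that same result, so consider appending `pfctl -s rules` output to the log after unpair so the resulting host firewall state is recorded.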
diff --git a/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/Diagram.png b/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/Diagram.png index 2b180f01..7332a140 100644 Binary files a/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/Diagram.png and b/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/Diagram.png differ diff --git a/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/FirewallBlockPortNumbers.zsh b/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/FirewallBlockPortNumbers.zsh index 716d80fb..6918f5f7 100644 --- a/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/FirewallBlockPortNumbers.zsh +++ b/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/FirewallBlockPortNumbers.zsh 
@@ -20,18 +20,23 @@ appname="FirewallBlockPortNumbers" # The name of our script logandmetadir="/Library/Logs/Microsoft/IntuneScripts/$appname" # The location of our logs and last updated data log="$logandmetadir/$appname.log" # The location of the script log file -port135_tcp=true # Blocks Port Number 135 TCP used by Microsoft RPC, which can be exploited for remote code execution. -port135_udp=true # Blocks Port Number 135 UDP used by Microsoft RPC, which can be exploited for remote code execution. -port137_139_tcp=true # Blocks Port Numbers 137-139 TCP used by NetBIOS, which can be a vector for various attacks. -port137_139_udp=true # Blocks Port Numbers 137-139 UDP used by NetBIOS, which can be a vector for various attacks. -port445_tcp=true # Blocks Port Number 445 TCP used by Microsoft-DS (Active Directory, Windows shares), which is often targeted by malware. -port1433_1434_tcp=true # Blocks Port Numbers 1433-1434 TCP used by Microsoft SQL Server, which can be exploited if not properly secured. -port1433_1434_udp=true # Blocks Port Numbers 1433-1434 UDP used by Microsoft SQL Server, which can be exploited if not properly secured. -port3389_tcp=true # Blocks Port Number 3389 TCP used by Remote Desktop Protocol (RDP), which is common target for brute force attacks. -port1900_udp=true # Blocks Port Number 1900 UDP used by Universal Plud and Play (UPnP), which can be exploited for network discovery and attacks. -port20_21_tcp=true # Blocks Port Numbers 20-21 TCP used by FTP, which can be insecure if not properly configured. -port20_21_udp=true # Blocks Port Numbers 20-21 UDP used by FTP, which can be insecure if not properly configured. -port23_tcp=true # Blocks Port Numbers 23 TCP used by Telnet, which transmits data in plaintext and is insecure. +ownership=byod # Set device ownership where do you want to run this script (byod/corporate/all). Corporate devices must be managed by Apple Business Manager. 
+port135_in_tcp=true # Blocks inbound TCP Port Number 135 used by Microsoft RPC, which can be exploited for remote code execution. +port135_in_udp=true # Blocks inbound UDP Port Number 135 used by Microsoft RPC, which can be exploited for remote code execution. +port137_139_in_tcp=true # Blocks inbound TCP Port Numbers 137-139 used by NetBIOS, which can be a vector for various attacks. +port137_139_in_udp=true # Blocks inbound UDP Port Numbers 137-139 used by NetBIOS, which can be a vector for various attacks. +port445_in_tcp=true # Blocks inbound TCP Port Number 445 used by Microsoft-DS (Active Directory, Windows shares), which is often targeted by malware. +port1433_1434_in_tcp=true # Blocks inbound TCP Port Numbers 1433-1434 used by Microsoft SQL Server, which can be exploited if not properly secured. +port1433_1434_in_udp=true # Blocks inbound TCP Port Numbers 1433-1434 used by Microsoft SQL Server, which can be exploited if not properly secured. +port3389_in_tcp=true # Blocks inbound TCP Port Number 3389 used by Remote Desktop Protocol (RDP), which is common target for brute force attacks. +port1900_in_udp=true # Blocks inbound UDP Port Number 1900 used by Universal Plud and Play (UPnP), which can be exploited for network discovery and attacks. +port20_21_in_tcp=true # Blocks inbound TCP Port Numbers 20-21 used by FTP, which can be insecure if not properly configured. +port20_21_in_udp=true # Blocks inbound UDP Port Numbers 20-21 used by FTP, which can be insecure if not properly configured. +port23_in_tcp=true # Blocks inbound TCP Port Numbers 23 used by Telnet, which transmits data in plaintext and is insecure. +port110_out_tcp=true # Blocks outbound TCP Port Number 110 used by POP3 to prevent retrieval of email via POP3 clients. +port995_out_tcp=true # Blocks outbound TCP Port Number 995 used by secure POP3 to prevent retrieval of email via POP3 clients. 
+port143_out_tcp=true # Blocks outbound TCP Port Number 143 used by IMAP to prevent retrieval of email via IMAP clients. +port993_out_tcp=true # Blocks outbound TCP Port Number 993 used by secure IMAP to prevent retrieval of email via IMAP clients. # Check if the log directory has been created if [ -d $logandmetadir ]; then @@ -43,6 +48,49 @@ else mkdir -p $logandmetadir fi +# Check device ownership +check_device_ownership() { + + echo "$(date) | Checking device management status..." + + # Extract the final word ("Yes" or "No") for DEP/ABM enrollment + dep_status=$(profiles status -type enrollment | grep "Enrolled via DEP" | awk '{print $NF}') + + if [[ "$dep_status" == "Yes" ]]; then + device_type="Corporate" + else + device_type="BYOD" + fi + + echo "$(date) | Detected device type: $device_type" + + # Force lowercase before matching + ownership=$(echo "$ownership" | tr '[:upper:]' '[:lower:]') + + # Matching + case "$ownership" in + byod) + if [[ "$device_type" != "BYOD" ]]; then + echo "$(date) | This script is intended for BYOD devices only. Exiting..." + exit 0 + fi + ;; + corporate) + if [[ "$device_type" != "Corporate" ]]; then + echo "$(date) | This script is intended for Corporate devices only, that are managed by Apple Business Manager. Exiting..." + exit 0 + fi + ;; + all) + echo "$(date) | Ownership set to all. Continuing..." + ;; + *) + echo "$(date) | Unknown ownership value ($ownership). Exiting..." + exit 1 + ;; + esac +} + # Backup original pf.conf to cp.conf.backup backup() { if [ -f /etc/pf.conf.backup ]; then @@ -54,8 +102,8 @@ backup() { fi } -# Function for blocking Port Number 135 TCP -port135_tcp() { +# Function for blocking inbound Port Number 135 TCP +port135_in_tcp() { PORT=135 PROTO="tcp" RULE="block in proto $PROTO from any to any port $PORT" 
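Review bot: In the variable block (hunk @@ -20,18 +20,23 @@) the comment on `port1433_1434_in_udp` says "Blocks inbound TCP Port Numbers 1433-1434" although the variable, function and rule are UDP; fix it to UDP. While these lines are being rewritten, also correct "Plud and Play" (UPnP) and "Port Numbers 23" (single port), and make the new `ownership=byod` comment state the default plainly, for example "# Device ownership this script applies to: byod, corporate or all (default byod). Corporate devices must be managed by Apple Business Manager."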
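Review bot: check_device_ownership (hunk @@ -43,6 +48,49 @@) classifies a device as BYOD whenever `profiles status -type enrollment` does not yield a trailing "Yes", so an empty or failed `profiles` call (dep_status empty) silently counts as BYOD: with the default `ownership=byod` the rules are applied, with `ownership=corporate` they are skipped, and neither case is logged as a detection failure. Suggest treating an empty value as an error before the case statement, e.g. `if [[ -z "$dep_status" ]]; then echo "$(date) | Could not determine enrollment status. Exiting..."; exit 1; fi`. Also, both "intended for ... only" branches `exit 0`, so Intune reports the script as succeeded on devices where nothing was applied; that is a reasonable choice to avoid the three retries, but it should be stated in the README.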
@@ -63,9 +111,9 @@ port135_tcp() { # Check if the rule already exists in /etc/pf.conf if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | tee -a $PF_CONF > /dev/null @@ -74,12 +122,12 @@ port135_tcp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port $PORT/$PROTO has been disabled permanently." + echo "$(date) | Inbound port $PORT/$PROTO has been disabled permanently." fi } -# Function for blocking Port Number 135 UDP -port135_udp() { +# Function for blocking inbound Port Number 135 UDP +port135_in_udp() { PORT=135 PROTO="udp" RULE="block in proto $PROTO from any to any port $PORT" @@ -87,9 +135,9 @@ port135_udp() { # Check if the rule already exists in /etc/pf.conf if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | tee -a $PF_CONF > /dev/null @@ -98,12 +146,12 @@ port135_udp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port $PORT/$PROTO has been disabled permanently." + echo "$(date) | Inbound port $PORT/$PROTO has been disabled permanently." fi } -# Function for blocking Port Numbers 137-139 TCP -port137_139_tcp() { +# Function for blocking inbound Port Numbers 137-139 TCP +port137_139_in_tcp() { PORTS=(137 138 139) PROTO="tcp" PF_CONF="/etc/pf.conf" 
@@ -112,9 +160,9 @@ port137_139_tcp() { for PORT in "${PORTS[@]}"; do RULE="block in proto $PROTO from any to any port $PORT" if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | sudo tee -a $PF_CONF > /dev/null @@ -123,13 +171,13 @@ port137_139_tcp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port ${PORT[*]}/$PROTO have been disabled permanently." + echo "$(date) | Inbound port ${PORT[*]}/$PROTO have been disabled permanently." fi done } -# Function for blocking Port Numbers 137-139 UDP -port137_139_udp() { +# Function for blocking inbound Port Numbers 137-139 UDP +port137_139_in_udp() { PORTS=(137 138 139) PROTO="udp" PF_CONF="/etc/pf.conf" @@ -138,9 +186,9 @@ port137_139_udp() { for PORT in "${PORTS[@]}"; do RULE="block in proto $PROTO from any to any port $PORT" if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | sudo tee -a $PF_CONF > /dev/null @@ -149,13 +197,13 @@ port137_139_udp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port ${PORT[*]}/$PROTO have been disabled permanently." + echo "$(date) | Inbound port ${PORT[*]}/$PROTO have been disabled permanently." fi done } -# Function for blocking Port Number 445 TCP -port445_tcp() { +# Function for blocking inbound Port Number 445 TCP +port445_in_tcp() { PORT=445 PROTO="tcp" RULE="block in proto $PROTO from any to any port $PORT" 
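Review bot: In the loop-based functions (port137_139_in_tcp and port137_139_in_udp in these hunks, and the same line in the 1433-1434 and 20-21 functions further down) the success message uses `${PORT[*]}` inside the per-port loop, where PORT is the scalar loop variable; it should be `$PORT` and read "has been disabled permanently", matching the single-port functions. Since these lines are being changed anyway, drop the `sudo` in `echo "$RULE" | sudo tee -a $PF_CONF > /dev/null`: the script already runs as root under Intune and the single-port functions use plain `tee`.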
@@ -163,9 +211,9 @@ port445_tcp() { # Check if the rule already exists in /etc/pf.conf if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | tee -a $PF_CONF > /dev/null @@ -174,12 +222,12 @@ port445_tcp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port $PORT/$PROTO has been disabled permanently." + echo "$(date) | Inbound port $PORT/$PROTO has been disabled permanently." fi } -# Function for blocking Port Numbers 1433-1434 TCP -port1433_1434_tcp() { +# Function for blocking inbound Port Numbers 1433-1434 TCP +port1433_1434_in_tcp() { PORTS=(1433 1434) PROTO="tcp" PF_CONF="/etc/pf.conf" @@ -188,9 +236,9 @@ port1433_1434_tcp() { for PORT in "${PORTS[@]}"; do RULE="block in proto $PROTO from any to any port $PORT" if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | sudo tee -a $PF_CONF > /dev/null @@ -199,13 +247,13 @@ port1433_1434_tcp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port ${PORT[*]}/$PROTO have been disabled permanently." + echo "$(date) | Inbound port ${PORT[*]}/$PROTO have been disabled permanently." fi done } -# Function for blocking Port Numbers 1433-1434 UDP -port1433_1434_udp() { +# Function for blocking inbound Port Numbers 1433-1434 UDP +port1433_1434_in_udp() { PORTS=(1433 1434) PROTO="udp" PF_CONF="/etc/pf.conf" 
@@ -214,9 +262,9 @@ port1433_1434_udp() { for PORT in "${PORTS[@]}"; do RULE="block in proto $PROTO from any to any port $PORT" if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | sudo tee -a $PF_CONF > /dev/null @@ -225,13 +273,13 @@ port1433_1434_udp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port ${PORT[*]}/$PROTO have been disabled permanently." + echo "$(date) | Inbound port ${PORT[*]}/$PROTO have been disabled permanently." fi done } -# Function for blocking Port Number 3389 TCP -port3389_tcp() { +# Function for blocking inbound Port Number 3389 TCP +port3389_in_tcp() { PORT=3389 PROTO="tcp" RULE="block in proto $PROTO from any to any port $PORT" @@ -239,9 +287,9 @@ port3389_tcp() { # Check if the rule already exists in /etc/pf.conf if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | tee -a $PF_CONF > /dev/null @@ -250,12 +298,12 @@ port3389_tcp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port $PORT/$PROTO has been disabled permanently." + echo "$(date) | Inbound port $PORT/$PROTO has been disabled permanently." fi } -# Function for blocking Port Number 1900 UDP -port1900_udp() { +# Function for blocking inbound Port Number 1900 UDP +port1900_in_udp() { PORT=1900 PROTO="udp" RULE="block in proto $PROTO from any to any port $PORT" 
@@ -263,9 +311,9 @@ port1900_udp() { # Check if the rule already exists in /etc/pf.conf if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | tee -a $PF_CONF > /dev/null @@ -274,12 +322,12 @@ port1900_udp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port $PORT/$PROTO has been disabled permanently." + echo "$(date) | Inbound port $PORT/$PROTO has been disabled permanently." fi } -# Function for blocking Port Numbers 20-21 TCP -port20_21_tcp() { +# Function for blocking inbound Port Numbers 20-21 TCP +port20_21_in_tcp() { PORTS=(20 21) PROTO="tcp" PF_CONF="/etc/pf.conf" @@ -288,9 +336,9 @@ port20_21_tcp() { for PORT in "${PORTS[@]}"; do RULE="block in proto $PROTO from any to any port $PORT" if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | sudo tee -a $PF_CONF > /dev/null @@ -299,13 +347,13 @@ port20_21_tcp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port ${PORT[*]}/$PROTO have been disabled permanently." + echo "$(date) | Inbound port ${PORT[*]}/$PROTO have been disabled permanently." fi done } -# Function for blocking Port Numbers 20-21 UDP -port20_21_udp() { +# Function for blocking inbound Port Numbers 20-21 UDP +port20_21_in_udp() { PORTS=(20 21) PROTO="udp" PF_CONF="/etc/pf.conf" 
@@ -314,9 +362,9 @@ port20_21_udp() { for PORT in "${PORTS[@]}"; do RULE="block in proto $PROTO from any to any port $PORT" if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | sudo tee -a $PF_CONF > /dev/null @@ -325,13 +373,13 @@ port20_21_udp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port ${PORT[*]}/$PROTO have been disabled permanently." + echo "$(date) | Inbound port ${PORT[*]}/$PROTO have been disabled permanently." fi done } -# Function for blocking Port Number 23 TCP -port23_tcp() { +# Function for blocking inbound Port Number 23 TCP +port23_in_tcp() { PORT=23 PROTO="tcp" RULE="block in proto $PROTO from any to any port $PORT" @@ -339,9 +387,9 @@ port23_tcp() { # Check if the rule already exists in /etc/pf.conf if grep -q "$RULE" $PF_CONF; then - echo "$(date) | Port $PORT/$PROTO is already disabled." + echo "$(date) | Inbound port $PORT/$PROTO is already disabled." else - echo "$(date) | Disabling port $PORT/$PROTO permanently..." + echo "$(date) | Disabling inbound port $PORT/$PROTO permanently..." # Append the rule to /etc/pf.conf echo "$RULE" | tee -a $PF_CONF > /dev/null 
@@ -350,7 +398,103 @@ port23_tcp() { pfctl -f $PF_CONF >/dev/null 2>&1 pfctl -E >/dev/null 2>&1 - echo "$(date) | Port $PORT/$PROTO has been disabled permanently." + echo "$(date) | Inbound port $PORT/$PROTO has been disabled permanently." + fi +} + +# Function for blocking outbound Port Number 110 TCP +port110_out_tcp() { + PORT=110 + PROTO="tcp" + RULE="block out proto $PROTO from any to any port $PORT" + PF_CONF="/etc/pf.conf" + + # Check if the rule already exists in /etc/pf.conf + if grep -q "$RULE" $PF_CONF; then + echo "$(date) | Outbound port $PORT/$PROTO is already disabled." + else + echo "$(date) | Disabling outbound port $PORT/$PROTO permanently..." + + # Append the rule to /etc/pf.conf + echo "$RULE" | tee -a $PF_CONF > /dev/null + + # Reload pf rules + pfctl -f $PF_CONF >/dev/null 2>&1 + pfctl -E >/dev/null 2>&1 + + echo "$(date) | Outbound port $PORT/$PROTO has been disabled permanently." + fi +} + +# Function for blocking outbound Port Number 995 TCP +port995_out_tcp() { + PORT=995 + PROTO="tcp" + RULE="block out proto $PROTO from any to any port $PORT" + PF_CONF="/etc/pf.conf" + + # Check if the rule already exists in /etc/pf.conf + if grep -q "$RULE" $PF_CONF; then + echo "$(date) | Outbound port $PORT/$PROTO is already disabled." + else + echo "$(date) | Disabling outbound port $PORT/$PROTO permanently..." + + # Append the rule to /etc/pf.conf + echo "$RULE" | tee -a $PF_CONF > /dev/null + + # Reload pf rules + pfctl -f $PF_CONF >/dev/null 2>&1 + pfctl -E >/dev/null 2>&1 + + echo "$(date) | Outbound port $PORT/$PROTO has been disabled permanently." + fi +} + +# Function for blocking outbound Port Number 143 TCP +port143_out_tcp() { + PORT=143 + PROTO="tcp" + RULE="block out proto $PROTO from any to any port $PORT" + PF_CONF="/etc/pf.conf" + + # Check if the rule already exists in /etc/pf.conf + if grep -q "$RULE" $PF_CONF; then + echo "$(date) | Outbound port $PORT/$PROTO is already disabled." 
+ else + echo "$(date) | Disabling outbound port $PORT/$PROTO permanently..." + + # Append the rule to /etc/pf.conf + echo "$RULE" | tee -a $PF_CONF > /dev/null + + # Reload pf rules + pfctl -f $PF_CONF >/dev/null 2>&1 + pfctl -E >/dev/null 2>&1 + + echo "$(date) | Outbound port $PORT/$PROTO has been disabled permanently." + fi +} + +# Function for blocking outbound Port Number 993 TCP +port993_out_tcp() { + PORT=993 + PROTO="tcp" + RULE="block out proto $PROTO from any to any port $PORT" + PF_CONF="/etc/pf.conf" + + # Check if the rule already exists in /etc/pf.conf + if grep -q "$RULE" $PF_CONF; then + echo "$(date) | Outbound port $PORT/$PROTO is already disabled." + else + echo "$(date) | Disabling outbound port $PORT/$PROTO permanently..." + + # Append the rule to /etc/pf.conf + echo "$RULE" | tee -a $PF_CONF > /dev/null + + # Reload pf rules + pfctl -f $PF_CONF >/dev/null 2>&1 + pfctl -E >/dev/null 2>&1 + + echo "$(date) | Outbound port $PORT/$PROTO has been disabled permanently." fi } 
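Review bot: The four new outbound functions (port110_out_tcp, port995_out_tcp, port143_out_tcp, port993_out_tcp) are identical apart from PORT, as are the twelve inbound ones; a single helper taking direction, protocol and port, e.g. `block_port() { DIR=$1; PROTO=$2; PORT=$3; RULE="block $DIR proto $PROTO from any to any port $PORT"; ... }`, would keep the grep/append/reload logic in one place and remove several hundred duplicated lines. One caveat worth a sentence in the README: these are per-host pf rules appended to /etc/pf.conf, so on a BYOD Mac where the user is a local administrator they can be edited or disabled; they reduce exposure of the listed services but are not an enforcement boundary.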
@@ -364,93 +508,124 @@ echo "# $(date) | Starting running of script $appname" echo "############################################################" echo "" +# Check device ownership +check_device_ownership + # Backup cp.conf backup -# Disable Port Number 135 TCP -if [ "$port135_tcp" = true ]; then - port135_tcp +# Disable inbound Port Number 135 TCP +if [ "$port135_in_tcp" = true ]; then + port135_in_tcp +else + echo "$(date) | Skipping disabling inbound Port Number 135 TCP..." +fi + +# Disable inbound Port Number 135 UDP +if [ "$port135_in_udp" = true ]; then + port135_in_udp +else + echo "$(date) | Skipping disabling inbound Port Number 135 UDP..." +fi + +# Disable inbound Port Numbers 137-139 TCP +if [ "$port137_139_in_tcp" = true ]; then + port137_139_in_tcp +else + echo "$(date) | Skipping disabling inbound Port Numbers 137-139 TCP..." +fi + +# Disable inbound Port Numbers 137-139 UDP +if [ "$port137_139_in_udp" = true ]; then + port137_139_in_udp +else + echo "$(date) | Skipping disabling inbound Port Numbers 137-139 UDP..." +fi + +# Disable inbound Port Number 445 TCP +if [ "$port445_in_tcp" = true ]; then + port445_in_tcp else - echo "$(date) | Skipping disabling Port Number 135 TCP..." + echo "$(date) | Skipping disabling inbound Port Number 445 TCP..." fi -# Disable Port Number 135 UDP -if [ "$port135_udp" = true ]; then - port135_udp +# Disable inbound Port Numbers 1433-1434 TCP +if [ "$port1433_1434_in_tcp" = true ]; then + port1433_1434_in_tcp else - echo "$(date) | Skipping disabling Port Number 135 UDP..." + echo "$(date) | Skipping disabling inbound Port Numbers 1433-1434 TCP..." fi -# Disable Port Numbers 137-139 TCP -if [ "$port137_139_tcp" = true ]; then - port137_139_tcp +# Disable inbound Port Numbers 1433-1434 UDP +if [ "$port1433_1434_in_udp" = true ]; then + port1433_1434_in_udp else - echo "$(date) | Skipping disabling Port Numbers 137-139 TCP..." + echo "$(date) | Skipping disabling inbound Port Numbers 1433-1434 UDP..." 
fi -# Disable Port Numbers 137-139 UDP -if [ "$port137_139_udp" = true ]; then - port137_139_udp +# Disable inbound Port Number 3389 TCP +if [ "$port3389_in_tcp" = true ]; then + port3389_in_tcp else - echo "$(date) | Skipping disabling Port Numbers 137-139 UDP..." + echo "$(date) | Skipping disabling inbound Port Number 3389 TCP..." fi -# Disable Port Number 445 TCP -if [ "$port445_tcp" = true ]; then - port445_tcp +# Disable inbound Port Number 1900 UDP +if [ "$port1900_in_udp" = true ]; then + port1900_in_udp else - echo "$(date) | Skipping disabling Port Number 445 TCP..." + echo "$(date) | Skipping disabling inbound Port Number 1900 UDP..." fi -# Disable Port Numbers 1433-1434 TCP -if [ "$port1433_1434_tcp" = true ]; then - port1433_1434_tcp +# Disable inbound Port Numbers 20-21 TCP +if [ "$port20_21_in_tcp" = true ]; then + port20_21_in_tcp else - echo "$(date) | Skipping disabling Port Numbers 1433-1434 TCP..." + echo "$(date) | Skipping disabling inbound Port Numbers 120-21 TCP..." fi -# Disable Port Numbers 1433-1434 UDP -if [ "$port1433_1434_udp" = true ]; then - port1433_1434_udp +# Disable inbound Port Numbers 20-21 UDP +if [ "$port20_21_in_udp" = true ]; then + port20_21_in_udp else - echo "$(date) | Skipping disabling Port Numbers 1433-1434 UDP..." + echo "$(date) | Skipping disabling inbound Port Numbers 20-21 UDP..." fi -# Disable Port Number 3389 TCP -if [ "$port3389_tcp" = true ]; then - port3389_tcp +# Disable inbound Port Number 23 TCP +if [ "$port23_in_tcp" = true ]; then + port23_in_tcp else - echo "$(date) | Skipping disabling Port Number 3389 TCP..." + echo "$(date) | Skipping disabling inbound Port Number 23 TCP..." fi -# Disable Port Number 1900 UDP -if [ "$port1900_udp" = true ]; then - port1900_udp +# Disable outbound Port Number 110 TCP +if [ "$port110_out_tcp" = true ]; then + port110_out_tcp else - echo "$(date) | Skipping disabling Port Number 1900 UDP..." + echo "$(date) | Skipping disabling outbound Port Number TCP 110..." 
fi -# Disable Port Numbers 20-21 TCP -if [ "$port20_21_tcp" = true ]; then - port20_21_tcp +# Disable outbound Port Number 995 TCP +if [ "$port995_out_tcp" = true ]; then + port995_out_tcp else - echo "$(date) | Skipping disabling Port Numbers 120-21 TCP..." + echo "$(date) | Skipping disabling outbound Port Number TCP 995..." fi -# Disable Port Numbers 20-21 UDP -if [ "$port20_21_udp" = true ]; then - port20_21_udp +# Disable outbound Port Number 143 TCP +if [ "$port143_out_tcp" = true ]; then + port143_out_tcp else - echo "$(date) | Skipping disabling Port Numbers 20-21 UDP..." + echo "$(date) | Skipping disabling outbound Port Number TCP 143..." fi -# Disable Port Number 23 TCP -if [ "$port23_tcp" = true ]; then - port23_tcp +# Disable outbound Port Number 993 TCP +if [ "$port993_out_tcp" = true ]; then + port993_out_tcp else - echo "$(date) | Skipping disabling Port Number 23 TCP..." + echo "$(date) | Skipping disabling outbound Port Number TCP 993..." fi # Closing script echo "$(date) | Done. Closing script..." -exit 0 \ No newline at end of file +exit 0 diff --git a/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/README.md b/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/README.md index 0cb849c3..0d7da678 100644 --- a/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/README.md +++ b/macOS/Config/Firewall/Block Selected Port Numbers from macOS Firewall/README.md 
@@ -1,20 +1,24 @@ # Block Selected Port Numbers from macOS Firewall -This custom script blocks following port numbers from macOS Firewall: +This custom script blocks the following port numbers from macOS Firewall: - Port Number| Port | More information | -| -------- | ------- | -------- | -| 135 (TCP) | Remote Procedure Call (RPC) Endpoint Mapper service | Blocks Port Number 135 TCP used by Microsoft RPC, which can be exploited for remote code execution. | -| 135 (UDP) | Remote Procedure Call (RPC) Endpoint Mapper service | Blocks Port Number 135 UDP used by Microsoft RPC, which can be exploited for remote code execution. | -| 137-139 (TCP) | NetBIOS and Windows Internet Naming Service (WINS)| Blocks Port Numbers 137-139 TCP used by NetBIOS and WINS, which can be a vector for various attacks. | -| 137-139 (UDP) | NetBIOS and Windows Internet Naming Service (WINS) | Blocks Port Numbers 137-139 UDP used by NetBIOS and WINS, which can be a vector for various attacks. | -| 445 (TCP) | Microsoft SMB Domain Server / Microsoft-DS (Active Directory, Windows shares)| Blocks Port Number 445 TCP used by Microsoft SMB Domain Server / Microsoft-DS (Active Directory, Windows shares), which is often targeted by malware. | -| 1433-1434 (TCP) | Microsoft SQL Server | Blocks Port Numbers 1433-1434 TCP used by Microsoft SQL Server, which can be exploited if not properly secured. | -| 1433-1434 (UDP) | Microsoft SQL Server | Blocks Port Numbers 1433-1434 UDP used by Microsoft SQL Server, which can be exploited if not properly secured. | -| 3389 (TCP) | Remote Desktop Protocol (RDP) | Blocks Port Number 3389 TCP used by Remote Desktop Protocol (RDP), which is common target for brute force attacks. | -| 1900 (UDP) | SSDP, Universal Plug and Play (UPnP), Bonjour| Blocks Port Number 1900 UDP used by SSDP, Universal Plug and Play (UPnP) and Bonjour, which can be exploited for network discovery and attacks. 
| -| 20-21 (TCP) | FTP | Blocks Port Numbers 20-21 TCP used by FTP, which can be insecure if not properly configured. | -| 20-21 (UDP) | FTP | Blocks Port Numbers 20-21 UDP used by FTP, which can be insecure if not properly configured. | -| 23 (TCP) | Telnet | Blocks Port Numbers 23 TCP used by Telnet, which transmits data in plaintext and is insecure. | + Port Number| Direction | Port | More information | +| -------- | ---------- | ------- | -------- | +| 135 (TCP) | Inbound | Remote Procedure Call (RPC) Endpoint Mapper service | Blocks Port Number 135 TCP used by Microsoft RPC, which can be exploited for remote code execution. | +| 135 (UDP) | Inbound | Remote Procedure Call (RPC) Endpoint Mapper service | Blocks Port Number 135 UDP used by Microsoft RPC, which can be exploited for remote code execution. | +| 137-139 (TCP) | Inbound | NetBIOS and Windows Internet Naming Service (WINS)| Blocks Port Numbers 137-139 TCP used by NetBIOS and WINS, which can be a vector for various attacks. | +| 137-139 (UDP) | Inbound | NetBIOS and Windows Internet Naming Service (WINS) | Blocks Port Numbers 137-139 UDP used by NetBIOS and WINS, which can be a vector for various attacks. | +| 445 (TCP) | Inbound | Microsoft SMB Domain Server / Microsoft-DS (Active Directory, Windows shares)| Blocks Port Number 445 TCP used by Microsoft SMB Domain Server / Microsoft-DS (Active Directory, Windows shares), which is often targeted by malware. | +| 1433-1434 (TCP) | Inbound | Microsoft SQL Server | Blocks Port Numbers 1433-1434 TCP used by Microsoft SQL Server, which can be exploited if not properly secured. | +| 1433-1434 (UDP) | Inbound | Microsoft SQL Server | Blocks Port Numbers 1433-1434 UDP used by Microsoft SQL Server, which can be exploited if not properly secured. | +| 3389 (TCP) | Inbound | Remote Desktop Protocol (RDP) | Blocks Port Number 3389 TCP used by Remote Desktop Protocol (RDP), which is common target for brute force attacks. 
| +| 1900 (UDP) | Inbound | SSDP, Universal Plug and Play (UPnP), Bonjour| Blocks Port Number 1900 UDP used by SSDP, Universal Plug and Play (UPnP) and Bonjour, which can be exploited for network discovery and attacks. | +| 20-21 (TCP) | Inbound | FTP | Blocks Port Numbers 20-21 TCP used by FTP, which can be insecure if not properly configured. | +| 20-21 (UDP) | Inbound | FTP | Blocks Port Numbers 20-21 UDP used by FTP, which can be insecure if not properly configured. | +| 23 (TCP) | Inbound | Telnet | Blocks Port Number 23 TCP used by Telnet, which transmits data in plaintext and is insecure. | +| 110 (TCP) | Outbound | Post Office Protocol version 3 (POP3) | Blocks outbound TCP port 110 used by POP3 to prevent retrieval of email via POP3 clients. | +| 995 (TCP) | Outbound | Post Office Protocol version 3 over SSL/TLS (POP3S) | Blocks outbound TCP port 995 used by secure POP3 to prevent retrieval of email via POP3 clients. | +| 143 (TCP) | Outbound | Internet Message Access Protocol (IMAP) | Blocks outbound TCP port 143 used by IMAP to prevent retrieval of email via IMAP clients. | +| 993 (TCP) | Outbound | Internet Message Access Protocol over SSL/TLS (IMAPS) | Blocks outbound TCP port 993 used by secure IMAP to prevent retrieval of email via IMAP clients. | > [!IMPORTANT] > Please note that there is a possibility that your Managed Mac-device may not use some of these port numbers or services above. Some of the services may also heavily related only to Windows-environment e.g. Remote Procedure Call (RPC) Endpoint Mapper service or Microsoft SQL Server. This script have been created in order to block these port numbers that are, in general, and usually used for malicious purposes. 
@@ -30,6 +34,15 @@ This custom script blocks following port numbers from macOS Firewall: | 137-139 (TCP & UDP) | NetBIOS and Windows Internet Naming Service (WINS) | [Disable SMB 1, NetBIOS and netbiosd](https://github.com/microsoft/shell-intune-samples/tree/master/macOS/Config/Disable%20SMB%201%2C%20NetBIOS%20and%20netbiosd) | Disables NetBIOS and WINS. | | 1900 (UDP) | Bonjour | [Disable Bonjour Advertising Services](https://github.com/microsoft/shell-intune-samples/tree/master/macOS/Config/Disable%20Bonjour%20Advertising%20Services) | Disables Bonjour Advertising Services. | +### Define device ownership + +Before deploying this script, you also need to define value to `ownership` variable of the devices, where do you want to deploy this script. The `ownership` variable can be found from line number 23. Available ownership values are: + +| Device Ownership | Value | More information +| -------- | ------- | -------- | +| Bring Your Own Device (BYOD) | byod | Use this value if you need to deploy this script to personal devices, that are not owned by your company. +| Corporate | corporate | Use this value if you need to deploy the script only to corporate devices. **NOTE:** Corporate-devices must be managed by Apple Business Manager. +| Bring Your Own Device (BYOD) **and** Corporate | all | Use this value if you want to deploy script to all devices ownership types. ## Script workflow diagram 
@@ -51,50 +64,58 @@ The log file will output to ***/Library/Logs/Microsoft/IntuneScripts/FirewallBlo ``` ############################################################## -# Sat Mar 8 16:43:51 EET 2025 | Starting running of script FirewallBlockPortNumbers +# Fri Aug 8 23:59:33 EEST 2025 | Starting running of script FirewallBlockPortNumbers ############################################################ -Sat Mar 8 16:43:51 EET 2025 | Backing up firewall configurations... -Sat Mar 8 16:43:51 EET 2025 | Done. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 135/tcp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 135/tcp has been disabled permanently. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 135/udp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 135/udp has been disabled permanently. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 137/tcp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 137/tcp have been disabled permanently. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 138/tcp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 138/tcp have been disabled permanently. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 139/tcp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 139/tcp have been disabled permanently. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 137/udp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 137/udp have been disabled permanently. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 138/udp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 138/udp have been disabled permanently. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 139/udp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 139/udp have been disabled permanently. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 445/tcp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 445/tcp has been disabled permanently. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 1433/tcp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 1433/tcp have been disabled permanently. 
-Sat Mar 8 16:43:51 EET 2025 | Disabling port 1434/tcp permanently... -Sat Mar 8 16:43:51 EET 2025 | Port 1434/tcp have been disabled permanently. -Sat Mar 8 16:43:51 EET 2025 | Disabling port 1433/udp permanently... -Sat Mar 8 16:43:52 EET 2025 | Port 1433/udp have been disabled permanently. -Sat Mar 8 16:43:52 EET 2025 | Disabling port 1434/udp permanently... -Sat Mar 8 16:43:52 EET 2025 | Port 1434/udp have been disabled permanently. -Sat Mar 8 16:43:52 EET 2025 | Disabling port 3389/tcp permanently... -Sat Mar 8 16:43:52 EET 2025 | Port 3389/tcp has been disabled permanently. -Sat Mar 8 16:43:52 EET 2025 | Disabling port 1900/udp permanently... -Sat Mar 8 16:43:52 EET 2025 | Port 1900/udp has been disabled permanently. -Sat Mar 8 16:43:52 EET 2025 | Disabling port 20/tcp permanently... -Sat Mar 8 16:43:52 EET 2025 | Port 20/tcp have been disabled permanently. -Sat Mar 8 16:43:52 EET 2025 | Disabling port 21/tcp permanently... -Sat Mar 8 16:43:52 EET 2025 | Port 21/tcp have been disabled permanently. -Sat Mar 8 16:43:52 EET 2025 | Disabling port 20/udp permanently... -Sat Mar 8 16:43:52 EET 2025 | Port 20/udp have been disabled permanently. -Sat Mar 8 16:43:52 EET 2025 | Disabling port 21/udp permanently... -Sat Mar 8 16:43:52 EET 2025 | Port 21/udp have been disabled permanently. -Sat Mar 8 16:43:52 EET 2025 | Disabling port 23/tcp permanently... -Sat Mar 8 16:43:52 EET 2025 | Port 23/tcp has been disabled permanently. -Sat Mar 8 16:43:52 EET 2025 | Done. Closing script... +Fri Aug 8 23:59:33 EEST 2025 | Backing up firewall configurations... +Fri Aug 8 23:59:33 EEST 2025 | Done. +Fri Aug 8 23:59:34 EEST 2025 | Disabling inbound port 135/tcp permanently... +Fri Aug 8 23:59:34 EEST 2025 | Inbound port 135/tcp has been disabled permanently. +Fri Aug 8 23:59:34 EEST 2025 | Disabling inbound port 135/udp permanently... +Fri Aug 8 23:59:34 EEST 2025 | Inbound port 135/udp has been disabled permanently. 
+Fri Aug 8 23:59:34 EEST 2025 | Disabling inbound port 137/tcp permanently... +Fri Aug 8 23:59:34 EEST 2025 | Inbound port 137/tcp have been disabled permanently. +Fri Aug 8 23:59:34 EEST 2025 | Disabling inbound port 138/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 138/tcp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 139/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 139/tcp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 137/udp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 137/udp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 138/udp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 138/udp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 139/udp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 139/udp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 445/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 445/tcp has been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 1433/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 1433/tcp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 1434/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 1434/tcp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 1433/udp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 1433/udp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 1434/udp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 1434/udp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 3389/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 3389/tcp has been disabled permanently. 
+Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 1900/udp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 1900/udp has been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 20/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 20/tcp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 21/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 21/tcp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 20/udp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 20/udp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 21/udp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 21/udp have been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling inbound port 23/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Inbound port 23/tcp has been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling outbound port 110/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Outbound port 110/tcp has been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling outbound port 995/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Outbound port 995/tcp has been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling outbound port 143/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Outbound port 143/tcp has been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Disabling outbound port 993/tcp permanently... +Fri Aug 8 23:59:35 EEST 2025 | Outbound port 993/tcp has been disabled permanently. +Fri Aug 8 23:59:35 EEST 2025 | Done. Closing script... ``` diff --git a/macOS/Config/Uninstall Apple Bloatware Apps/README.md b/macOS/Config/Uninstall Apple Bloatware Apps/README.md index 32f61c51..fa147543 100644 --- a/macOS/Config/Uninstall Apple Bloatware Apps/README.md +++ b/macOS/Config/Uninstall Apple Bloatware Apps/README.md 
@@ -19,13 +19,21 @@ The log file will output to ***/Library/Logs/Microsoft/IntuneScripts/UninstallAp ``` ############################################################## -# Sun Sep 15 14:29:37 EEST 2024 | Starting running of script DisableCreationOfDS_StoreFilesOnNetworkSharesAndRemovableDrives +# Sat Oct 18 21:51:19 EET 2025 | Starting running of script UninstallAppleBloatwareApps ############################################################ -Sun Sep 15 14:29:37 EEST 2024 | Checking if creation of '.DS_Store' -files have been disabled on network shares for user $USER... -Sun Sep 15 14:29:37 EEST 2024 | Creation of '.DS_Store' -files have been enabled on network shares for user $USER. Disabling it... -Sun Sep 15 14:29:37 EEST 2024 | Creation of '.DS_Store' -files have been disabled on network shares for user $USER. This change will take effect the next time when you log in to your Mac-device. Let's continue... -Sun Sep 15 14:29:37 EEST 2024 | Checking if creation of '.DS_Store' -files have been disabled on removable drives for user $USER... -Sun Sep 15 14:29:37 EEST 2024 | Creation of '.DS_Store' -files have been enabled on removable drives for user $USER. Disabling it... -Sun Sep 15 14:29:37 EEST 2024 | Creation of '.DS_Store' -files have been disabled on removable drives for user $USER. This change will take effect the next time when you log in to your Mac-device. All done! Closing script... +Sat Oct 18 21:51:19 EET 2025 | Checking MDM Profile Type +Enrolled via DEP: Yes +Sat Oct 18 21:51:20 EET 2025 | Device is ABM Managed +Sat Oct 18 21:51:20 EET 2025 | Uninstalling iMovie... +Sat Oct 18 21:51:22 EET 2025 | iMovie has been uninstalled. +Sat Oct 18 21:51:22 EET 2025 | Uninstalling GarageBand... +Sat Oct 18 21:51:24 EET 2025 | GarageBand has been uninstalled. +Sat Oct 18 21:51:24 EET 2025 | Uninstalling Pages... +Sat Oct 18 21:51:26 EET 2025 | Pages has been uninstalled. +Sat Oct 18 21:51:26 EET 2025 | Uninstalling Numbers... 
+Sat Oct 18 21:51:28 EET 2025 | Numbers has been uninstalled. +Sat Oct 18 21:51:28 EET 2025 | Uninstalling Keynote... +Sat Oct 18 21:51:30 EET 2025 | Keynote has been uninstalled. +Sat Oct 18 21:51:30 EET 2025 | Done. Closing script... ``` \ No newline at end of file diff --git a/macOS/Custom Profiles/Adobe Acrobat/Adobe Acrobat Updater - Full Disk Access/Adobe Acrobat Updater - Full Disk Access.mobileconfig b/macOS/Custom Profiles/Adobe Acrobat/Adobe Acrobat Updater - Full Disk Access/Adobe Acrobat Updater - Full Disk Access.mobileconfig new file mode 100644 index 00000000..774427b8 --- /dev/null +++ b/macOS/Custom Profiles/Adobe Acrobat/Adobe Acrobat Updater - Full Disk Access/Adobe Acrobat Updater - Full Disk Access.mobileconfig @@ -0,0 +1,59 @@ + + + + + PayloadContent + + + PayloadDescription + Allows Full Disk Access for Adobe Acrobat Updater + PayloadDisplayName + Adobe Acrobat Updater - Full Disk Access + PayloadIdentifier + 86B0119E-EDA6-4484-B02E-DD4418D468E0 + PayloadOrganization + Adobe + PayloadType + com.apple.TCC.configuration-profile-policy + PayloadUUID + 89DC68EF-1BF9-4B33-974E-D54ADDC81644 + PayloadVersion + 1 + Services + + SystemPolicyAllFiles + + + Allowed + + CodeRequirement + anchor apple generic and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD) + Comment + + Identifier + com.adobe.ARMDC + IdentifierType + bundleID + + + + + + PayloadDescription + Allows Full Disk Access for Adobe Acrobat Updater + PayloadDisplayName + Adobe Acrobat Updater - Full Disk Access + PayloadIdentifier + 86B0119E-EDA6-4484-B02E-DD4418D468E0 + PayloadOrganization + Adobe + PayloadScope + System + PayloadType + Configuration + PayloadUUID + E357B9BB-AE52-40F4-BE25-3B3D33327D87 + PayloadVersion + 1 + + \ No newline at end of file 
diff --git a/macOS/Custom Profiles/Adobe Acrobat/Adobe Acrobat Updater - Full Disk Access/README.md b/macOS/Custom Profiles/Adobe Acrobat/Adobe Acrobat Updater - Full Disk Access/README.md new file mode 100644 index 00000000..7bf1f603 --- /dev/null +++ b/macOS/Custom Profiles/Adobe Acrobat/Adobe Acrobat Updater - Full Disk Access/README.md @@ -0,0 +1,10 @@ +# Adobe Acrobat Updater - Full Disk Access + +This Custom Profile is created to provide Adobe Acrobat Updater Full Disk Access so the application does not prompt anything extra such as following: + +![Screenshot](Screenshot.png) + +## Configuration settings for Intune +- **Custom configuration profile name:** *Adobe Acrobat Updater - Full Disk Access* +- **Deployment channel:** *Device Channel* +- **Configuration profile name:** *Adobe Acrobat Updater - Full Disk Access.mobileconfig* \ No newline at end of file diff --git a/macOS/Custom Profiles/Adobe Acrobat/Adobe Acrobat Updater - Full Disk Access/Screenshot.png b/macOS/Custom Profiles/Adobe Acrobat/Adobe Acrobat Updater - Full Disk Access/Screenshot.png new file mode 100644 index 00000000..371700e4 Binary files /dev/null and b/macOS/Custom Profiles/Adobe Acrobat/Adobe Acrobat Updater - Full Disk Access/Screenshot.png differ diff --git a/macOS/Custom Profiles/Docker Desktop/Docker Desktop - Sign-in Enforcement.mobileconfig b/macOS/Custom Profiles/Docker Desktop/Docker Desktop - Sign-in Enforcement.mobileconfig new file mode 100644 index 00000000..a93a9fc5 --- /dev/null +++ b/macOS/Custom Profiles/Docker Desktop/Docker Desktop - Sign-in Enforcement.mobileconfig 
@@ -0,0 +1,49 @@ + + + + + PayloadContent + + + PayloadType + com.docker.config + PayloadVersion + 1 + PayloadIdentifier + com.docker.config.0CFA8882-A499-497D-843C-4B3E4D91E506 + PayloadUUID + 819AA5FE-6212-4CB2-957C-19CE76732501 + PayloadDisplayName + Docker Desktop - Sign-in Enforcement + PayloadDescription + Configures sign-in enforcement to Docker Desktop + PayloadOrganization + Docker Inc. + PayloadEnabled + + allowedOrgs + first_org;second_org;third_org;fouth_org + + + PayloadType + Configuration + PayloadVersion + 1 + PayloadIdentifier + com.docker.config.B7EE7F6A-FDB8-4C10-B496-A2076205B13E + PayloadUUID + 37CCB805-2824-4A66-972A-92717C99BDC0 + PayloadDisplayName + Docker Desktop - Sign-in Enforcement + PayloadDescription + Configures sign-in enforcement to Docker Desktop + PayloadOrganization + Docker, Inc. + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + + diff --git a/macOS/Custom Profiles/Docker Desktop/README.md b/macOS/Custom Profiles/Docker Desktop/README.md new file mode 100644 index 00000000..d7ba9771 --- /dev/null +++ b/macOS/Custom Profiles/Docker Desktop/README.md 
@@ -0,0 +1,30 @@ +# Docker Desktop - Sign-in Enforcement +> [!NOTE] +> [This configuration profile is originated from Docker](https://docs.docker.com/enterprise/security/enforce-sign-in/methods/), that have been forked and further customized. + +This Custom Profile set sign-in enforcement to Docker Desktop. + +## Prerequisites +Before deploying this configuration profile, you need to do following prerequisites: + +1. [Read documentation](https://docs.docker.com/enterprise/security/enforce-sign-in/) from Docker regarding to sign-in enforcement. +2. From configuration profile, go to line 25 and replace placeholder organizations `first_org;second_org;third_org;fouth_org` with your real organization or organizations + +**Examples:** + +- If there is only one (1) organization: + ``` + allowedOrgs + contoso + ``` + +- If there are multiple organizations: + ``` + allowedOrgs + contoso;fabrikam;adatum;alpineskihouse + ``` + +## Configuration settings for Intune +- **Custom configuration profile name:** *Docker Desktop - Sign-in Enforcement* +- **Deployment channel:** *Device Channel* +- **Configuration profile name:** *Docker Desktop - Sign-in Enforcement.mobileconfig* diff --git a/macOS/Custom Profiles/Microsoft Edge/Force-Installed Web Apps/Microsoft Edge - Force-Installed Web Apps.mobileconfig b/macOS/Custom Profiles/Microsoft Edge/Force-Installed Web Apps/Microsoft Edge - Force-Installed Web Apps.mobileconfig new file mode 100644 index 00000000..5bda3d86 --- /dev/null +++ b/macOS/Custom Profiles/Microsoft Edge/Force-Installed Web Apps/Microsoft Edge - Force-Installed Web Apps.mobileconfig 
@@ -0,0 +1,67 @@ + + + + + PayloadUUID + B42ADBB5-1324-47FE-88EE-904405D73522 + PayloadType + Configuration + PayloadOrganization + Microsoft Corporation + PayloadIdentifier + 88E7984A-ABC1-46D7-8CC6-99C1B8E6D861 + PayloadDisplayName + Microsoft Edge - Force-Installed Web Apps + PayloadDescription + Installs Web Apps to Microsoft Edge + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 93A86AEE-4EE8-4A5B-A8D7-CDB5B9063110 + PayloadType + com.microsoft.Edge + PayloadOrganization + Microsoft Corporation + PayloadIdentifier + com.microsoft.Edge.93A86AEE-4EE8-4A5B-A8D7-CDB5B9063110 + PayloadDisplayName + Installs Web Apps to Microsoft Edge + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + WebAppInstallForceList + + + create_desktop_shortcut + + default_launch_container + window + url + https://www.contoso.com/maps + + + WebAppSettings + + + manifest_id + https://www.contoso.com/maps + run_on_os_login + blocked + + + + + + \ No newline at end of file diff --git a/macOS/Custom Profiles/Microsoft Edge/Force-Installed Web Apps/README.md b/macOS/Custom Profiles/Microsoft Edge/Force-Installed Web Apps/README.md new file mode 100644 index 00000000..6be98a9d --- /dev/null +++ b/macOS/Custom Profiles/Microsoft Edge/Force-Installed Web Apps/README.md 
@@ -0,0 +1,17 @@ +# Force-Installed Web Apps for Microsoft Edge + +In corporate environments, you might come across situations where you need to deploy managed Web Apps to different user groups or regions. In such cases, you should not deploy Web Apps using your baseline policy, as it applies to all users. Instead, deploy managed Web Apps to specific user groups or regions using a custom profile. + +This custom profile provides an example of how to deploy managed Web Apps for Microsoft Edge to a specific user group or region. + +## Things You'll Need to Do +- In lines 52 and 59, replace the placeholder URL `https://www.contoso.com/maps` with the URL of your Web App. +- If you need to deploy multiple Web Apps or want to understand what the settings in this custom profile do (and what other options are available), refer to the Microsoft documentation and modify the custom policy as needed: + - **[WebAppInstallForceList](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-browser-policies/webappsettings)** + - **[WebAppSettings](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-browser-policies/webappsettings)** +- In Intune, deploy the custom profile to a specific security group that contains members of the desired user group or region. + +## Configuration Settings for Intune +- **Custom configuration profile name:** *Microsoft Edge - Force-Installed Web Apps* +- **Deployment channel:** *Device Channel* +- **Configuration profile file name:** *Microsoft Edge - Force-Installed Web Apps.mobileconfig* diff --git a/macOS/Custom Profiles/Microsoft OneDrive/Full Disk Access/Microsoft OneDrive - Full Disk Access.mobileconfig b/macOS/Custom Profiles/Microsoft OneDrive/Full Disk Access/Microsoft OneDrive - Full Disk Access.mobileconfig index aec7e84b..4deaa10e 100644 --- a/macOS/Custom Profiles/Microsoft OneDrive/Full Disk Access/Microsoft OneDrive - Full Disk Access.mobileconfig 
+++ b/macOS/Custom Profiles/Microsoft OneDrive/Full Disk Access/Microsoft OneDrive - Full Disk Access.mobileconfig @@ -50,6 +50,8 @@ CodeRequirement identifier "com.microsoft.OneDrive" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 + Comment + Identifier com.microsoft.OneDrive IdentifierType @@ -65,6 +67,8 @@ CodeRequirement identifier "com.microsoft.OneDrive" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 + Comment + Identifier com.microsoft.OneDrive IdentifierType @@ -80,6 +84,8 @@ CodeRequirement identifier "com.microsoft.OneDrive" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 + Comment + Identifier com.microsoft.OneDrive IdentifierType @@ -95,6 +101,8 @@ CodeRequirement identifier "com.microsoft.OneDrive" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 + Comment + Identifier com.microsoft.OneDrive IdentifierType diff --git a/macOS/Custom Profiles/Microsoft OneDrive/Full Disk Access/README.md b/macOS/Custom Profiles/Microsoft OneDrive/Full Disk Access/README.md index c9d7831d..2af343c3 100644 --- a/macOS/Custom Profiles/Microsoft OneDrive/Full Disk Access/README.md +++ b/macOS/Custom Profiles/Microsoft OneDrive/Full Disk Access/README.md 
@@ -1,3 +1,8 @@ # Microsoft OneDrive (Standarlone) - Full Disk Access This Custom Profile is created to provide Microsoft OneDrive (Standarlone) Full Disk Access that is required [for Known Folder Move (KFM)-feature](https://learn.microsoft.com/en-us/sharepoint/redirect-known-folders-macos). + +## Configuration settings for Intune +- **Custom configuration profile name:** *Microsoft OneDrive - Full Disk Access* +- **Deployment channel:** *Device Channel* +- **Configuration profile name:** *Microsoft OneDrive - Full Disk Access.mobileconfig* diff --git a/macOS/Custom Profiles/Qualys/Full Disk Access/Qualys - Full Disk Access.mobileconfig b/macOS/Custom Profiles/Qualys/Full Disk Access/Qualys - Full Disk Access.mobileconfig index 2855c745..2c88ed04 100644 --- a/macOS/Custom Profiles/Qualys/Full Disk Access/Qualys - Full Disk Access.mobileconfig +++ b/macOS/Custom Profiles/Qualys/Full Disk Access/Qualys - Full Disk Access.mobileconfig @@ -50,6 +50,8 @@ CodeRequirement identifier "com.qualys.cloud-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CLRUMG7LZ6 + Comment + Identifier com.qualys.cloud-agent IdentifierType diff --git a/macOS/Custom Profiles/Qualys/Full Disk Access/README.md b/macOS/Custom Profiles/Qualys/Full Disk Access/README.md index 2e8cc1a3..227239b2 100644 --- a/macOS/Custom Profiles/Qualys/Full Disk Access/README.md +++ b/macOS/Custom Profiles/Qualys/Full Disk Access/README.md 
@@ -1,3 +1,8 @@ # Qualys - Full Disk Access -This Custom Profile is created to provide Qualys Cloud Agent Full Disk Access that is required [according to Qualys](https://cdn2.qualys.com/docs/qualys-cloud-agent-macos-install-guide.pdf). \ No newline at end of file +This Custom Profile is created to provide Qualys Cloud Agent Full Disk Access that is required [according to Qualys](https://cdn2.qualys.com/docs/qualys-cloud-agent-macos-install-guide.pdf). + +## Configuration settings for Intune +- **Custom configuration profile name:** *Qualys - Full Disk Access* +- **Deployment channel:** *Device Channel* +- **Configuration profile name:** *Qualys - Full Disk Access.mobileconfig*
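Review bot: in the first hunk of the firewall script (the `port993_out_tcp` function and the identically structured functions before it), `pfctl -f $PF_CONF >/dev/null 2>&1` discards pfctl's exit status, so a rule that fails to parse is still logged as "has been disabled permanently" although pf never loaded it. Suggest parsing before appending and propagating failure, e.g. `if pfctl -nf "$PF_CONF"; then pfctl -f "$PF_CONF" && pfctl -E; else echo "$(date) | Loading pf rules failed"; exit 1; fi`, and quoting `$PF_CONF` in the `grep` and `tee` calls. Since every port function differs only in `PORT`, `PROTO` and the `in`/`out` keyword, one function taking those three as arguments would remove the duplication and keep the messages consistent.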
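Review bot: in hunk `@@ -364,93 +508,124 @@` of the firewall script, the skip message for the 20-21 TCP block still reads "Port Numbers 120-21 TCP" (carried over from the old line); while these messages are being renamed, correct it to "20-21". The four outbound skip messages also put the protocol before the port ("Port Number TCP 110") whereas every inbound message uses "Port Number 135 TCP"; and the comment `# Backup cp.conf` should read `pf.conf`, which is the file the functions append to.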
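Review bot: in the README hunk `@@ -1,20 +1,24 @@`, the third column of the port table is headed "Port" but holds the service name (next to a "Port Number" column); "Service" would be clearer. The four new outbound rows describe a different kind of control from the inbound rows: blocking outbound 110/995/143/993 stops every POP3 and IMAP account configured in any mail client on the Mac, including mailboxes reached over IMAP on hosted services, so it is a data-flow policy rather than an exposure reduction and deserves a sentence of its own in the IMPORTANT note. In that note, "This script have been created" should read "has been created" and "may also heavily related only to" should read "may also relate only to".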
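Review bot: the new "Define device ownership" section (hunk `@@ -30,6 +34,15 @@`) does not say what happens when a device's ownership does not match the `ownership` value (exit without changes, or log and continue?), which is the first thing an administrator will want to know before assigning the script; add a sentence. The rows of this table lack the closing `|` that the other tables in the README use, and "define value to `ownership` variable of the devices, where do you want to deploy this script" reads better as "set the `ownership` variable (line 23) to the ownership type of the devices you deploy this script to".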
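Review bot: the refreshed sample log (hunk `@@ -51,50 +64,58 @@`) shows no output from the `check_device_ownership` step that the script now runs before the backup, so a reader cannot tell what a passing ownership check looks like; either log its result (the Uninstall Apple Bloatware log in this same patch does so with "Checking MDM Profile Type" and "Device is ABM Managed") or state in the README that the check is silent when it passes. Separately, the messages mix "has been disabled" (single-port functions) with "have been disabled" (range functions, e.g. 137/tcp, 1433/tcp, 20/tcp); each line refers to one port, so "has" fits all of them.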
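Review bot: in the Uninstall Apple Bloatware Apps log sample (hunk `@@ -19,13 +19,21 @@`), the line "Enrolled via DEP: Yes" carries no `$(date) |` prefix, which suggests the raw output of the enrollment check is written straight to the log instead of going through the script's logging format; capture it in a variable and log only the interpreted result (the following "Device is ABM Managed" line already does that) so the log stays uniform for the Intune log collector.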
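Review bot: the `CodeRequirement` in the new Adobe Acrobat Updater - Full Disk Access.mobileconfig has no `identifier "com.adobe.ARMDC"` clause, unlike the OneDrive and Qualys requirements in this same patch, and because `and` binds tighter than `or` in the requirement language the expression `(A or B and C and D)` accepts the left branch, `certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */`, on its own, without the `subject.OU = JQ525L2MZD` team check. For a Full Disk Access grant use the app's designated requirement, which `codesign -d -r - <path to the updater>` prints, and paste it verbatim. Also, the inner and outer `PayloadIdentifier` are both `86B0119E-EDA6-4484-B02E-DD4418D468E0`; Apple's convention is a distinct identifier for the sub-payload (typically the outer identifier with a suffix appended).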
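Review bot: the Adobe Acrobat Updater README states the profile exists "so the application does not prompt anything extra" but gives no source for Full Disk Access being required, while the OneDrive and Qualys READMEs in this patch each link to the vendor's statement of the requirement; since Full Disk Access is the broadest TCC grant, cite Adobe's documentation or describe the exact prompt being suppressed (the screenshot alone is not searchable). Grammar: "does not prompt anything extra such as following" should read "does not show extra prompts such as the following".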
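Review bot: in Docker Desktop - Sign-in Enforcement.mobileconfig the `allowedOrgs` placeholder `first_org;second_org;third_org;fouth_org` has a typo ("fouth"), which the README repeats verbatim, and `PayloadOrganization` is "Docker Inc." in the inner payload but "Docker, Inc." in the outer one; pick one spelling for both.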
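Review bot: grammar in the new Docker Desktop README: "[This configuration profile is originated from Docker](...), that have been forked and further customized" should read "This configuration profile [originates from Docker](...) and has been forked and further customized"; "This Custom Profile set sign-in enforcement" should read "sets"; "you need to do following prerequisites" should read "complete the following prerequisites"; "regarding to sign-in enforcement" should read "regarding sign-in enforcement". The reference to "line 25" in step 2 will drift if the profile is edited; naming the `allowedOrgs` key is enough.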
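Review bot: in the inner `com.microsoft.Edge` payload of Microsoft Edge - Force-Installed Web Apps.mobileconfig, `PayloadDisplayName` is "Installs Web Apps to Microsoft Edge" and `PayloadDescription` is empty, while the outer payload has a display name and that same sentence as its description; the inner values look pasted into the wrong keys. Suggest `PayloadDisplayName` = "Microsoft Edge - Force-Installed Web Apps" and `PayloadDescription` = "Installs Web Apps to Microsoft Edge".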
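Review bot: in the Force-Installed Web Apps README both documentation bullets link to `.../microsoft-edge-browser-policies/webappsettings`; the WebAppInstallForceList bullet should link to that policy's own page (the Edge policy pages follow the pattern `.../microsoft-edge-browser-policies/<policy name in lowercase>`, i.e. `.../webappinstallforcelist`). The label "Configuration profile file name" also differs from "Configuration profile name" used by every other README in this patch.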
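Review bot: each of the four OneDrive mobileconfig hunks (at lines 50, 65, 80 and 95) adds a `Comment` key with an empty string under the TCC service entry, and the Qualys hunk does the same; an empty comment tells an administrator reading the profile nothing, so either record the reason for the grant there (the OneDrive README already states "required for Known Folder Move") or leave the key out.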
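Review bot: "Standarlone" in the heading and first sentence of the OneDrive README (unchanged context lines in hunk `@@ -1,3 +1,8 @@`) should be "Standalone"; since this change touches the file anyway, fix it here.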