Microsoft Defender for Endpoint supports all commonly used platforms, including Apple’s macOS.

Many macOS device owners believe they don’t need a security product, saying that there are no viruses or malware on macOS. Unfortunately, this is a naive and risky opinion. The opposite is true: macOS is also targeted by threat actors, so you need a security product on macOS as well.

And it’s not just viruses or malware; consider phishing. You receive a fraudulent link via email, a messenger or iMessage, you click on it and it leads to a phishing site. You need protection against such threats too.

Deployment of Microsoft Defender for Endpoint on macOS devices

Of course, Microsoft Defender for Endpoint is not part of the system as it is on Windows. It needs to be installed, but it also has to be prepared so that it can work effectively at all. In practice this means granting it the various system permissions it needs to function.

All settings below will be created as Device Configuration profiles (Devices – Configuration) in Microsoft Intune.

Approved System Extensions

Create a new configuration profile of type Templates and give it a name, for example Approved System Extensions for MDE.

Under Configuration settings, open System Extensions and add two Allowed system extensions.

Bundle identifier            Team identifier
com.microsoft.wdav.epsext    UBF8T346G9
com.microsoft.wdav.netext    UBF8T346G9

Approved System Extensions for Microsoft Defender for Endpoint on macOS

Deploy the profile to all devices.

Background Services

Create a new configuration profile of type Custom and give it a name, for example Background Services for MDE.

Custom Configuration Profile Name can be anything. Deployment channel is Device channel.

Select Configuration profile file and upload the background_services.mobileconfig configuration file, which you can download from Microsoft’s official GitHub.

Deploy the profile to all devices.

Full Disk Access

Create a new configuration profile of type Custom and give it a name, for example Full Disk Access for MDE.

Custom Configuration Profile Name can be anything. Deployment channel is Device channel.

Select Configuration profile file and upload the fulldisk.mobileconfig configuration file, which you can download from Microsoft’s official GitHub.

Deploy the profile to all devices.

License Information

First we need to download the Microsoft Defender for Endpoint onboarding package from the Microsoft Defender portal (security.microsoft.com) – Settings – Endpoints – Onboarding. Select macOS from the Operating system dropdown menu; the Deployment method will be Mobile Device Management / Microsoft Intune. Click the Download onboarding package button.

Now that we have the onboarding package downloaded, we can create a new configuration profile of type Custom and give it a name, for example License Information for MDE.

Custom Configuration Profile Name can be anything. Deployment channel is Device channel.

Select Configuration profile file and upload the configuration file from the onboarding package that you downloaded from the Microsoft Defender portal.

Network Filter

As part of the Endpoint Detection and Response (EDR) capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Defender portal. The following policy allows the network extension to perform this functionality.

Create a new configuration profile of type Custom and give it a name, for example Network Filter for MDE.

Custom Configuration Profile Name can be anything. Deployment channel is Device channel.

Select Configuration profile file and upload the netfilter.mobileconfig configuration file, which you can download from Microsoft’s official GitHub.

Deploy the profile to all devices.

Notifications

Create a new configuration profile of type Custom and give it a name, for example Notifications for MDE.

Custom Configuration Profile Name can be anything. Deployment channel is Device channel.

Select Configuration profile file and upload the notif.mobileconfig configuration file, which you can download from Microsoft’s official GitHub.

Deploy the profile to all devices.

Microsoft AutoUpdate

This profile is used to update Microsoft Defender for Endpoint on macOS via Microsoft AutoUpdate (MAU). It is not mandatory, but it is highly recommended.

Create a new configuration profile of type Settings catalog and give it a name, for example Microsoft AutoUpdate.

Find Microsoft AutoUpdate (MAU) in the catalog and configure it as on the screenshot. You do not have to configure it exactly as on the screenshot; you can change the settings according to your needs. The settings on the screenshot are those that I usually recommend.

Deployment of the Microsoft Defender for Endpoint application

We now have the necessary configuration to deploy Microsoft Defender for Endpoint on macOS, so we can deploy the application itself.

The application can be found in the Apps – macOS menu. At the top, click the + Add button and add a new application of type Microsoft Defender for Endpoint.

On the first page we can leave all the default options, and on the next page we simply select that Microsoft Defender for Endpoint should be installed on all devices.
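Once the profiles and the application have landed, it is worth verifying on a device that both system extensions from the Approved System Extensions profile are actually activated, since a missing or wrong team identifier leaves them waiting for user approval and breaks the zero-touch goal. The following script is an added example, not part of the original article or of Microsoft's tooling; it checks the output of systemextensionsctl list against the bundle and team identifiers above, and the sample listings embedded in it are constructed approximations of that output, not captures from a real machine.

```bash
#!/bin/bash
# Post-deployment check for the MDE system extensions on macOS.
# Expected values come from the Approved System Extensions profile.
TEAM_ID="UBF8T346G9"
EXPECTED_EXTS="com.microsoft.wdav.epsext com.microsoft.wdav.netext"

# check_extensions <output of 'systemextensionsctl list'>
# Prints one line per expected extension and returns 0 only when every
# expected bundle ID is listed under the Microsoft team ID with the
# state "[activated enabled]".
check_extensions() {
  listing="$1"
  rc=0
  for ext in $EXPECTED_EXTS; do
    if printf '%s\n' "$listing" | grep -F "$TEAM_ID" | grep -F "$ext" \
         | grep -Fq '[activated enabled]'; then
      echo "OK       $ext ($TEAM_ID) activated and enabled"
    else
      echo "MISSING  $ext ($TEAM_ID) not activated/enabled -> check the System Extensions profile"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample approximating a healthy device (not a real capture).
SAMPLE_OK='2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled  active  teamID      bundleID (version)  name  [state]
*        *       UBF8T346G9  com.microsoft.wdav.epsext (101.0.0/1.0)  Microsoft Defender  [activated enabled]
--- com.apple.system_extension.network_extension
enabled  active  teamID      bundleID (version)  name  [state]
*        *       UBF8T346G9  com.microsoft.wdav.netext (101.0.0/1.0)  Microsoft Defender Network Extension  [activated enabled]'

# Constructed sample where the profile has not applied: the network
# extension is still waiting for the user to approve it.
SAMPLE_PENDING='2 extension(s)
--- com.apple.system_extension.endpoint_security
*        *       UBF8T346G9  com.microsoft.wdav.epsext (101.0.0/1.0)  Microsoft Defender  [activated enabled]
--- com.apple.system_extension.network_extension
*        -       UBF8T346G9  com.microsoft.wdav.netext (101.0.0/1.0)  Microsoft Defender Network Extension  [activated waiting for user]'

# On a real Mac check the live listing (and MDE's own health flag);
# elsewhere fall back to the healthy sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
  check_extensions "$(systemextensionsctl list 2>/dev/null)"
  command -v mdatp >/dev/null 2>&1 && echo "mdatp healthy: $(mdatp health --field healthy)"
else
  check_extensions "$SAMPLE_OK"
fi
```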

Final words

The settings described in the article above are the basis for Microsoft Defender for Endpoint to work properly on macOS devices. The configuration is set up to be zero touch, i.e. it does not ask anything of the end user and everything runs by itself in the background.

The above configuration is not the final one, however. It does not address the configuration of Microsoft Defender for Endpoint on macOS itself, i.e. how it should behave, what it should block and detect, etc. The configuration above only deploys Microsoft Defender for Endpoint to macOS devices.