Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers
Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement and the What is Microsoft Purview? article.
You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions.
Use this procedure if you have deployed Microsoft Defender for Endpoint (MDE) to your macOS devices
- Customers who have MDE deployed to their macOS devices.
- Endpoint data loss prevention (DLP)
- Insider risk management
Before you begin
- Make sure your macOS devices are managed through JAMF pro and are associated with an identity (Azure AD joined UPN) through JAMF Connect or Intune.
- Install the v95+ Edge browser on your macOS devices
Onboard devices into Microsoft Purview solutions using JAMF Pro
Onboarding a macOS device into Compliance solutions is a multi phase process.
Download the configuration files
- You'll need these files for this procedure.
|file needed for||source|
|full disk access||fulldisk.mobileconfig|
You can download the .mobileconfig files individually or in single combined file that contains:
If any of these individual files is updated, you'd need to download the either the combined file again or the single updated file individually.
Update the existing MDE Preference domain profile using the JAMF PRO console
Update the schema.xml profile with the schema.json file you just downloaded.
Under MDE Preference Domain Properties choose these settings
- Use System Extensions:
enabled- required for network extensions on Catalina
- Use Data Loss Prevention:
- Use System Extensions:
Choose the Scope tab.
Choose the groups to deploy this configuration profile to.
Update the configuration profile for Grant full disk access
Update the existing full disk access profile with the fulldisk.mobileconfig file.
Upload the fulldisk.mobileconfig file to JAMF. Refer to Deploying Custom Configuration Profiles using JAMF Pro.
Grant accessibility access to DLP
Use the accessibility.mobileconfig file you previously downloaded.
Upload to JAMF as described in Deploying Custom Configuration Profiles using Jamf Pro.
Check the macOS device
Restart the macOS device.
Open System Preferences > Profiles.
You should see:
- Full Disk Access
- Kernel Extension Profile
- MDATP Onboarding
- MDE Preferences
- Management profile
- Network filter
- System extension profile
Offboard macOS devices using JAMF Pro
Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
To offboard a macOS device, follow these steps
Under MDE Preference Domain Properties remove the values for these settings
- Use System Extensions
- Use Data Loss Prevention
Submit and view feedback for