Onboard and offboard macOS devices into Compliance solutions using Intune for Microsoft Defender for Endpoint customers

You can use Microsoft Intune to onboard macOS devices into Microsoft Purview solutions.

Important

Use this procedure if you have already deployed Microsoft Defender for Endpoint (MDE) to your macOS devices.

Applies to:

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

Note

The three most recent major releases of macOS are supported.

Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune

If Microsoft Defender for Endpoint (MDE) has already been deployed to your macOS device, you can still onboard that device into Compliance solutions. Doing so is a multi-phase process:

  1. Create system configuration profiles
  2. Update existing system configuration profiles
  3. Update MDE preferences

Prerequisites

Download the following files:

File                         Description
accessibility.mobileconfig   Used for accessibility.
fulldisk.mobileconfig        Used to grant full disk access (FDA).

Tip

We recommend downloading the bundled (mdatp-nokext.mobileconfig) file, rather than the individual .mobileconfig files. The bundled file includes the following required files:

  • accessibility.mobileconfig
  • fulldisk.mobileconfig
  • netfilter.mobileconfig
  • sysext.mobileconfig

If any of these files are updated, you need to either download the updated bundle, or download each updated file individually.

Note

To download the files:

  1. Right-click the link and select Save link as....
  2. Choose a folder and save the file.

Create system configuration profiles

  1. Open the Microsoft Intune admin center and navigate to Devices > Configuration profiles.

  2. Choose: Create profile.

  3. Select the following values:

    1. Profile type = Templates
    2. Template name = Custom

  4. Choose Create.

  5. Enter a name for the profile, for instance: Microsoft Purview Accessibility Permission, and then choose Next.

  6. Choose the accessibility.mobileconfig as the configuration profile file (downloaded as part of the prerequisites) and then choose Next.

  7. On the Assignments tab, add the group you want to deploy this configuration to and then choose Next.

  8. Review your settings and then choose Create to deploy the configuration.

  9. Open Devices and navigate to macOS > Configuration profiles. The profiles you created display.

  10. On the Configuration profiles page, choose the new profile. Next, choose Device status to see a list of devices and the deployment status of the configuration profile.

Update existing system configuration profiles

  1. A full disk access (FDA) configuration profile should have been created and deployed previously for MDE. (For details, see Intune-based deployment for Microsoft Defender for Endpoint on Mac). Endpoint data loss prevention (DLP) requires additional FDA permission for the new application (com.microsoft.dlp.daemon).

  2. Update the existing FDA configuration profile with the downloaded fulldisk.mobileconfig file.

Update MDE preferences

  1. Find the existing MDE Preferences configuration profile. See Intune-based deployment for Microsoft Defender for Endpoint on Mac for details.

  2. Add the following key to the .mobileconfig file, then save the file.

    <key>features</key>
    <dict>
        <key>dataLossPrevention</key>
        <string>enabled</string>
    </dict>


OPTIONAL: Allow sensitive data to pass through forbidden domains

Microsoft Purview DLP checks sensitive data at every stage of its journey. So, if sensitive data is posted or sent to an allowed domain but travels through a forbidden domain on the way, it's blocked. Let's take a closer look.

Say that sending sensitive data via Outlook Live (outlook.live.com) is permissible, but that sensitive data must not be exposed to microsoft.com. However, when a user accesses Outlook Live, the data passes through microsoft.com in the background, as shown:

Screenshot showing the flow of data from source to destination URL.

By default, because the sensitive data passes through microsoft.com on its way to outlook.live.com, DLP automatically blocks the data from being shared.

In some cases, however, you may not be concerned with the domains that data passes through on the back end. Instead, you may only be concerned about where the data ultimately ends up, as indicated by the URL that shows up in the address bar (in this case, outlook.live.com). To prevent sensitive data from being blocked in our example case, you need to specifically change the default setting.

So, if you only want to monitor the browser and the final destination of the data (the URL in the browser address bar), you can enable DLP_browser_only_cloud_egress and DLP_ax_only_cloud_egress. Here's how.

To change the settings to allow sensitive data to pass through forbidden domains on its way to a permitted domain:

  1. Open the com.microsoft.wdav.mobileconfig file.

  2. Under the dlp key, set DLP_browser_only_cloud_egress to enabled and set DLP_ax_only_cloud_egress to enabled, as shown in the following example.

    <key>dlp</key>
    <dict>
        <key>features</key>
        <array>
            <dict>
                <key>name</key>
                <string>DLP_browser_only_cloud_egress</string>
                <key>state</key>
                <string>enabled</string>
            </dict>
            <dict>
                <key>name</key>
                <string>DLP_ax_only_cloud_egress</string>
                <key>state</key>
                <string>enabled</string>
            </dict>
        </array>
    </dict>

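Before assigning the edited MDE preferences profile in Intune, it is worth confirming that the keys from the two steps above (the features/dataLossPrevention switch and the dlp feature states) are actually present in the payload. The following script is an added example, not code from the Microsoft page or from Intune; it assumes the keys sit directly inside the com.microsoft.wdav payload dictionary and uses a constructed sample profile in which the second egress flag was deliberately left out.

```python
# Added example (not from the Microsoft page): inspect an MDE preferences
# .mobileconfig (an XML plist) for the DLP keys the procedure adds.
# Assumption: the keys live directly in the com.microsoft.wdav payload dict.
import plistlib

# Constructed sample profile. DLP_ax_only_cloud_egress is intentionally
# missing so the check reports the gap.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.microsoft.wdav</string>
      <key>features</key>
      <dict><key>dataLossPrevention</key><string>enabled</string></dict>
      <key>dlp</key>
      <dict>
        <key>features</key>
        <array>
          <dict><key>name</key><string>DLP_browser_only_cloud_egress</string>
                <key>state</key><string>enabled</string></dict>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def find_wdav_payload(profile: bytes) -> dict:
    """Return the com.microsoft.wdav payload dict, or {} if none is present."""
    root = plistlib.loads(profile)
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.microsoft.wdav":
            return payload
    return {}


def dlp_status(profile: bytes) -> dict:
    """Summarise the DLP-related settings; a value of None means the key is absent."""
    wdav = find_wdav_payload(profile)
    egress = {f.get("name"): f.get("state")
              for f in wdav.get("dlp", {}).get("features", [])}
    return {
        "dataLossPrevention": wdav.get("features", {}).get("dataLossPrevention"),
        "DLP_browser_only_cloud_egress": egress.get("DLP_browser_only_cloud_egress"),
        "DLP_ax_only_cloud_egress": egress.get("DLP_ax_only_cloud_egress"),
    }


if __name__ == "__main__":
    print(dlp_status(SAMPLE_MOBILECONFIG))
```

Run it against the profile you exported from Intune by replacing SAMPLE_MOBILECONFIG with the file's bytes; after the offboarding steps below, dataLossPrevention should come back as None.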

Offboard macOS devices using Microsoft Intune

Important

Offboarding causes the device to stop sending sensor data to the portal. However, data received from the device, including references to any alerts it has had, will be retained for up to six months.

  1. In the Microsoft Intune admin center, open Devices > Configuration profiles. The profiles you created display.

  2. On the Configuration profiles page, choose the MDE preferences profile.

  3. Remove these settings:

     <key>features</key>
     <dict>
         <key>dataLossPrevention</key>
         <string>enabled</string>
     </dict>

  4. Choose Save.