Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro

Applies to:

This page will guide you through the steps you need to take to set up macOS policies in Jamf Pro.

You'll need to take the following steps:

  1. Get the Microsoft Defender for Endpoint onboarding package
  2. Create a configuration profile in Jamf Pro using the onboarding package
  3. Configure Microsoft Defender for Endpoint settings
  4. Configure Microsoft Defender for Endpoint notification settings
  5. Configure Microsoft AutoUpdate (MAU)
  6. Grant full disk access to Microsoft Defender for Endpoint
  7. Approve Kernel extension for Microsoft Defender for Endpoint
  8. Approve System extensions for Microsoft Defender for Endpoint
  9. Configure Network Extension
  10. Schedule scans with Microsoft Defender for Endpoint on macOS
  11. Deploy Microsoft Defender for Endpoint on macOS

Step 1: Get the Microsoft Defender for Endpoint onboarding package

  1. In Microsoft Defender Security Center, navigate to Settings > Onboarding.

  2. Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method.

    Image of Microsoft Defender Security Center.

  3. Select Download onboarding package (WindowsDefenderATPOnboardingPackage.zip).

  4. Extract WindowsDefenderATPOnboardingPackage.zip.

  5. Copy the file to your preferred location. For example, C:\Users\JaneDoe_or_JohnDoe.contoso\Downloads\WindowsDefenderATPOnboardingPackage_macOS_MDM_contoso\jamf\WindowsDefenderATPOnboarding.plist.

Step 2: Create a configuration profile in Jamf Pro using the onboarding package

  1. Locate the file WindowsDefenderATPOnboarding.plist from the previous section.

    Image of WindowsDefenderATPOnboarding file.

  2. In the Jamf Pro dashboard, select New.

    Image of creating a new Jamf Pro dashboard.

  3. Enter the following details:

    General:

    • Name: MDATP onboarding for macOS
    • Description: MDATP EDR onboarding for macOS
    • Category: None
    • Distribution Method: Install Automatically
    • Level: Computer Level
  4. In Application & Custom Settings select Configure.

    Image of configurate app and custom settings.

  5. Select Upload File (PLIST file) then in Preference Domain enter: com.microsoft.wdav.atp.

    Image of jamfpro plist upload file.

    Image of upload file property List file.

  6. Select Open and select the onboarding file.

    Image of onboarding file.

  7. Select Upload.

    Image of uploading plist file.

  8. Select the Scope tab.

    Image of scope tab.

  9. Select the target computers.

    Image of target computers.

    Image of targets.

  10. Select Save.

    Image of  deployment target computers.

    Image of target computers selected.

  11. Select Done.

    Image of target group computers.

    List of configuration profiles.

Step 3: Configure Microsoft Defender for Endpoint settings

You can either use the Jamf Pro GUI to edit individual settings of the Microsoft Defender configuration, or use the legacy method: create a configuration plist in a text editor and upload it to Jamf Pro.

Note that you must use exactly com.microsoft.wdav as the Preference Domain. Microsoft Defender loads its managed settings only from this name and from com.microsoft.wdav.ext.

(The com.microsoft.wdav.ext domain may be used in the rare case where you prefer the GUI method but also need to configure a setting that has not been added to the schema yet.)

GUI method

  1. Download schema.json file from Defender's GitHub repository and save it to a local file:

    curl -o ~/Documents/schema.json https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/schema/schema.json
    
  2. Create a new Configuration Profile under Computers -> Configuration Profiles, enter the following details on the General tab:

    New profile.

    • Name: MDATP MDAV configuration settings
    • Description: <blank>
    • Category: None (default)
    • Level: Computer Level (default)
    • Distribution Method: Install Automatically (default)
  3. Scroll down to the Application & Custom Settings tab, select External Applications, click Add, and choose Custom Schema as the Source to use for the preference domain.

    Add custom schema.

  4. Enter com.microsoft.wdav as the Preference Domain, click Add Schema, and upload the schema.json file you downloaded in step 1. Click Save.

    Upload schema.

  5. All supported Microsoft Defender configuration settings are listed below, under Preference Domain Properties. Click Add/Remove properties to select the settings that you want to be managed, and click Ok to save your changes. (Settings left unselected are not included in the managed configuration, so an end user will be able to configure those settings on their own machine.)

    Select managed settings.

  6. Change the settings to the desired values. You can click More information to get documentation for a particular setting. (You may click Plist preview to inspect what the configuration plist will look like; click Form editor to return to the visual editor.)

    Change settings values.

  7. Select the Scope tab.

    Configuration profile scope.

  8. Select Contoso's Machine Group.

  9. Select Add, then select Save.

    Configuration settings - add.

    Configuration settings - save.

  10. Select Done. You'll see the new Configuration profile.

    Configuration settings - done.

Microsoft Defender adds new settings over time. These new settings are added to the schema, and a new version is published to GitHub. To pick up the updates, download the updated schema, edit the existing configuration profile, and click Edit schema on the Application & Custom Settings tab.

Legacy method

  1. Use the following Microsoft Defender for Endpoint configuration settings:

    • enableRealTimeProtection
    • passiveMode

    Note

    passiveMode is not turned on by default. If you are planning to run a third-party AV for macOS, set it to true.

    • exclusions
    • excludedPath
    • excludedFileExtension
    • excludedFileName
    • exclusionsMergePolicy
    • allowedThreats

    Note

    EICAR is included in the sample. If you are going through a proof-of-concept, remove it, especially if you are testing with EICAR.

    • disallowedThreatActions
    • potentially_unwanted_application
    • archive_bomb
    • cloudService
    • automaticSampleSubmission
    • tags
    • hideStatusMenuIcon

    For information, see Property list for JAMF full configuration profile.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>antivirusEngine</key>
        <dict>
            <key>enableRealTimeProtection</key>
            <true/>
            <key>passiveMode</key>
            <false/>
            <key>exclusions</key>
            <array>
                <dict>
                    <key>$type</key>
                    <string>excludedPath</string>
                    <key>isDirectory</key>
                    <false/>
                    <key>path</key>
                    <string>/var/log/system.log</string>
                </dict>
                <dict>
                    <key>$type</key>
                    <string>excludedPath</string>
                    <key>isDirectory</key>
                    <true/>
                    <key>path</key>
                    <string>/home</string>
                </dict>
                <dict>
                    <key>$type</key>
                    <string>excludedFileExtension</string>
                    <key>extension</key>
                    <string>pdf</string>
                </dict>
                <dict>
                    <key>$type</key>
                    <string>excludedFileName</string>
                    <key>name</key>
                    <string>cat</string>
                </dict>
            </array>
            <key>exclusionsMergePolicy</key>
            <string>merge</string>
            <key>allowedThreats</key>
            <array>
                <string>EICAR-Test-File (not a virus)</string>
            </array>
            <key>disallowedThreatActions</key>
            <array>
                <string>allow</string>
                <string>restore</string>
            </array>
            <key>threatTypeSettings</key>
            <array>
                <dict>
                    <key>key</key>
                    <string>potentially_unwanted_application</string>
                    <key>value</key>
                    <string>block</string>
                </dict>
                <dict>
                    <key>key</key>
                    <string>archive_bomb</string>
                    <key>value</key>
                    <string>audit</string>
                </dict>
            </array>
            <key>threatTypeSettingsMergePolicy</key>
            <string>merge</string>
        </dict>
        <key>cloudService</key>
        <dict>
            <key>enabled</key>
            <true/>
            <key>diagnosticLevel</key>
            <string>optional</string>
            <key>automaticSampleSubmission</key>
            <true/>
        </dict>
        <key>edr</key>
        <dict>
            <key>tags</key>
            <array>
                <dict>
                    <key>key</key>
                    <string>GROUP</string>
                    <key>value</key>
                    <string>ExampleTag</string>
                </dict>
            </array>
        </dict>
        <key>userInterface</key>
        <dict>
            <key>hideStatusMenuIcon</key>
            <false/>
        </dict>
    </dict>
    </plist>
    
  2. Save the file as MDATP_MDAV_configuration_settings.plist.

  3. In the Jamf Pro dashboard, open Computers, then Configuration Profiles. Click New and switch to the General tab.

    New profile.

  4. Enter the following details:

    General

    • Name: MDATP MDAV configuration settings
    • Description: <blank>
    • Category: None (default)
    • Distribution Method: Install Automatically (default)
    • Level: Computer Level (default)

    Image of MDATP MDAV configuration settings.

  5. In Application & Custom Settings select Configure.

    Image of app and custom settings.

  6. Select Upload File (PLIST file).

    Image of configuration settings plist file.

  7. In Preferences Domain, enter com.microsoft.wdav, then select Upload PLIST File.

    Image of configuration settings preferences domain.

  8. Select Choose File.

    Image of configuration settings choose file.

  9. Select the MDATP_MDAV_configuration_settings.plist, then select Open.

    Image of mdatpmdav configuration settings.

  10. Select Upload.

    Image of configuration setting upload.

    Image of configuration settings upload image.

    Note

    If you happen to upload the Intune file, you'll get the following error:

    Image of configuration settings intune file upload.

  11. Select Save.

    Image of configuration settings Save image.

  12. The file is uploaded.

    Image of configuration settings file uploaded image.

    Image of configuration settings file uploaded.

  13. Select the Scope tab.

    Image of configuration settings scope.

  14. Select Contoso's Machine Group.

  15. Select Add, then select Save.

    Image of configuration settings addsav.

    Image of configuration settings save add.

  16. Select Done. You'll see the new Configuration profile.

    Image of configuration settings config profile image.
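As an added example (not code from this page or from Microsoft), a small Python lint to run over the MDATP_MDAV_configuration_settings.plist from the legacy method before uploading it. It applies the page's own caveats (the EICAR entry in allowedThreats, passiveMode) and also flags a directory exclusion that covers a whole top-level tree such as /home. The embedded sample is a trimmed copy of the page's plist; the list of broad roots and the set of accepted threatTypeSettings actions are assumptions.

```python
import plistlib
from typing import Any, Dict, List

# Constructed sample: a trimmed copy of the legacy-method plist on this page,
# deliberately keeping the EICAR entry and the /home directory exclusion.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>antivirusEngine</key>
  <dict>
    <key>enableRealTimeProtection</key><true/>
    <key>passiveMode</key><false/>
    <key>exclusions</key>
    <array>
      <dict><key>$type</key><string>excludedPath</string>
            <key>isDirectory</key><true/><key>path</key><string>/home</string></dict>
      <dict><key>$type</key><string>excludedFileExtension</string>
            <key>extension</key><string>pdf</string></dict>
    </array>
    <key>allowedThreats</key>
    <array><string>EICAR-Test-File (not a virus)</string></array>
    <key>threatTypeSettings</key>
    <array>
      <dict><key>key</key><string>potentially_unwanted_application</string>
            <key>value</key><string>block</string></dict>
    </array>
  </dict>
  <key>cloudService</key>
  <dict><key>enabled</key><true/></dict>
</dict>
</plist>
"""

# Assumptions, not values from the page: directories too broad to exclude safely,
# the exclusion types the page lists, and the action names accepted by threatTypeSettings.
BROAD_EXCLUSION_ROOTS = {"/", "/home", "/Users", "/Applications", "/Library", "/System", "/private"}
VALID_EXCLUSION_TYPES = {"excludedPath", "excludedFileExtension", "excludedFileName"}
VALID_THREAT_ACTIONS = {"audit", "block", "off"}


def lint_defender_plist(data: bytes) -> List[str]:
    """Parse a com.microsoft.wdav settings plist and return human-readable findings."""
    cfg: Dict[str, Any] = plistlib.loads(data)
    findings: List[str] = []
    av = cfg.get("antivirusEngine", {})

    if not av.get("enableRealTimeProtection", False):
        findings.append("enableRealTimeProtection is false: on-access scanning is off")
    if av.get("passiveMode", False):
        findings.append("passiveMode is true: Defender only reports; meant for use beside a third-party AV")

    # The page's note: EICAR is in the sample list, remove it before proof-of-concept testing.
    for threat in av.get("allowedThreats", []):
        if "eicar" in threat.lower():
            findings.append(f"allowedThreats contains {threat!r}: remove it before testing with EICAR")

    for ex in av.get("exclusions", []):
        kind = ex.get("$type")
        if kind not in VALID_EXCLUSION_TYPES:
            findings.append(f"unknown exclusion $type {kind!r}")
            continue
        if kind == "excludedPath" and ex.get("isDirectory", False):
            path = ex.get("path", "").rstrip("/") or "/"
            if path in BROAD_EXCLUSION_ROOTS:
                findings.append(f"directory exclusion {path!r} is very broad; scope it to the specific subtree")

    for entry in av.get("threatTypeSettings", []):
        if entry.get("value") not in VALID_THREAT_ACTIONS:
            findings.append(f"threatTypeSettings {entry.get('key')!r} has unexpected action {entry.get('value')!r}")

    if not cfg.get("cloudService", {}).get("enabled", False):
        findings.append("cloudService.enabled is false: cloud-delivered protection is off")
    return findings


if __name__ == "__main__":
    for line in lint_defender_plist(SAMPLE_PLIST) or ["no findings"]:
        print("-", line)
```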

Step 4: Configure notifications settings

These steps are applicable to macOS 10.15 (Catalina) or newer.

  1. In the Jamf Pro dashboard, select Computers, then Configuration Profiles.

  2. Click New, and enter the following details for Options:

    • Tab General:

      • Name: MDATP MDAV Notification settings
      • Description: macOS 10.15 (Catalina) or newer
      • Category: None (default)
      • Distribution Method: Install Automatically (default)
      • Level: Computer Level (default)

      Image of new macOS configuration profile screen.

    • Tab Notifications, click Add, and enter the following values:

      • Bundle ID: com.microsoft.wdav.tray
      • Critical Alerts: Click Disable
      • Notifications: Click Enable
      • Banner alert type: Select Include and Temporary (default)
      • Notifications on lock screen: Click Hide
      • Notifications in Notification Center: Click Display
      • Badge app icon: Click Display

      Image of configuration settings mdatpmdav notifications tray.

    • Tab Notifications, click Add one more time, scroll down to New Notifications Settings

      • Bundle ID: com.microsoft.autoupdate2
      • Configure the rest of the settings to the same values as above

      Image of configuration settings mdatpmdav notifications mau.

      Note that you now have two 'tables' with notification configurations, one for Bundle ID com.microsoft.wdav.tray and another for Bundle ID com.microsoft.autoupdate2. While you can configure the alert settings per your requirements, the Bundle IDs must be exactly as described above, and the Include switch must be On for Notifications.

  3. Select the Scope tab, then select Add.

    Image of configuration settings scope add.

  4. Select Contoso's Machine Group.

  5. Select Add, then select Save.

    Image of configuration settings contoso machine grp save.

    Image of configuration settings add save.

  6. Select Done. You'll see the new Configuration profile.

    Image of configuration setting done img.

Step 5: Configure Microsoft AutoUpdate (MAU)

  1. Use the following Microsoft Defender for Endpoint configuration settings:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>ChannelName</key>
    <string>Current</string>
    <key>HowToCheck</key>
    <string>AutomaticDownload</string>
    <key>EnableCheckForUpdatesButton</key>
    <true/>
    <key>DisableInsiderCheckbox</key>
    <false/>
    <key>SendAllTelemetryEnabled</key>
    <true/>
    </dict>
    </plist>
    
  2. Save it as MDATP_MDAV_MAU_settings.plist.

  3. In the Jamf Pro dashboard, select General.

    Image of configuration setting general image.

  4. Enter the following details:

    General

    • Name: MDATP MDAV MAU settings
    • Description: Microsoft AutoUpdate settings for MDATP for macOS
    • Category: None (default)
    • Distribution Method: Install Automatically (default)
    • Level: Computer Level (default)
  5. In Application & Custom Settings select Configure.

    Image of configuration setting app and custom settings.

  6. Select Upload File (PLIST file).

    Image of configuration setting plist.

  7. In Preference Domain enter: com.microsoft.autoupdate2, then select Upload PLIST File.

    Image of configuration setting pref domain.

  8. Select Choose File.

    Image of configuration setting choosefile.

  9. Select MDATP_MDAV_MAU_settings.plist.

    Image of configuration setting mdatpmdavmau settings.

  10. Select Upload.

    Image of configuration setting uplimage.

    Image of configuration setting uplimg.

  11. Select Save.

    Image of configuration setting saveimg.

  12. Select the Scope tab.

    Image of configuration setting scopetab.

  13. Select Add.

    Image of configuration setting addimg1.

    Image of configuration setting addimg2.

    Image of configuration setting addimg3.

  14. Select Done.

    Image of configuration setting doneimage.

Step 6: Grant full disk access to Microsoft Defender for Endpoint

  1. In the Jamf Pro dashboard, select Configuration Profiles.

    Image of configuration setting config profile.

  2. Select + New.

  3. Enter the following details:

    General

    • Name: MDATP MDAV - grant Full Disk Access to EDR and AV
    • Description: On macOS Catalina or newer, the new Privacy Preferences Policy Control
    • Category: None
    • Distribution method: Install Automatically
    • Level: Computer level

    Image of configuration setting general.

  4. In Configure Privacy Preferences Policy Control select Configure.

    Image of configuration privacy policy control.

  5. In Privacy Preferences Policy Control, enter the following details:

    • Identifier: com.microsoft.wdav
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

    Image of configuration setting privacy preference policy control details.

  6. Select + Add.

    Image of configuration setting add system policy all files.

    • Under App or service: Set to SystemPolicyAllFiles

    • Under "access": Set to Allow

  7. Select Save (not the one at the bottom right).

    Image of configuration setting save images.

  8. Click the + sign next to App Access to add a new entry.

    Image of configuration setting app access.

  9. Enter the following details:

    • Identifier: com.microsoft.wdav.epsext
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
  10. Select + Add.

    Image of configuration setting tcc epsext entry.

    • Under App or service: Set to SystemPolicyAllFiles

    • Under "access": Set to Allow

  11. Select Save (not the one at the bottom right).

    Image of configuration setting tcc epsext image2.

  12. Select the Scope tab.

    Image of configuration setting scope.

  13. Select + Add.

    Image of configuration setting addimage.

  14. Select Computer Groups > under Group Name > select Contoso's Machine Group.

    Image of configuration setting contoso machinegrp.

  15. Select Add.

  16. Select Save.

  17. Select Done.

    Image of configuration setting donimg.

    Image of configuration setting donimg2.

Alternatively, you can download fulldisk.mobileconfig and upload it to JAMF Configuration Profiles as described in Deploying Custom Configuration Profiles using Jamf Pro, Method 2: Upload a Configuration Profile to Jamf Pro.

Step 7: Approve Kernel extension for Microsoft Defender for Endpoint

Caution

Apple Silicon (M1) devices do not support KEXT. Installation of a configuration profile containing KEXT policies will fail on these devices.

  1. In the Configuration Profiles, select + New.

  2. Enter the following details:

    General

    • Name: MDATP MDAV Kernel Extension
    • Description: MDATP kernel extension (kext)
    • Category: None
    • Distribution Method: Install Automatically
    • Level: Computer Level

    Image of configuration settings mdatpmdav kernel.

  3. In Configure Approved Kernel Extensions select Configure.

    Image of configuration settings approved kernel ext.

  4. In Approved Kernel Extensions, enter the following details:

    • Display Name: Microsoft Corp.
    • Team ID: UBF8T346G9

    Image of configuration settings appr kernel extension.

  5. Select the Scope tab.

    Image of configuration settings scope tab img.

  6. Select + Add.

  7. Select Computer Groups > under Group Name > select Contoso's Machine Group.

  8. Select + Add.

    Image of configuration settings add images.

  9. Select Save.

    Image of configuration settings saveimag.

  10. Select Done.

    Image of configuration settings doneimag.

Alternatively, you can download kext.mobileconfig and upload it to JAMF Configuration Profiles as described in Deploying Custom Configuration Profiles using Jamf Pro, Method 2: Upload a Configuration Profile to Jamf Pro.

Step 8: Approve System extensions for Microsoft Defender for Endpoint

  1. In the Configuration Profiles, select + New.

  2. Enter the following details:

    General

    • Name: MDATP MDAV System Extensions
    • Description: MDATP system extensions
    • Category: None
    • Distribution Method: Install Automatically
    • Level: Computer Level

    Image of configuration settings sysext new prof.

  3. In System Extensions select Configure.

    Image of configuration settings sysext config.

  4. In System Extensions enter the following details:

    • Display Name: Microsoft Corp. System Extensions
    • System Extension Types: Allowed System Extensions
    • Team Identifier: UBF8T346G9
    • Allowed System Extensions:
      • com.microsoft.wdav.epsext
      • com.microsoft.wdav.netext

    Image of configuration settings sysextconfig2.

  5. Select the Scope tab.

    Image of configuration settings scopeimage.

  6. Select + Add.

  7. Select Computer Groups > under Group Name > select Contoso's Machine Group.

  8. Select + Add.

    Image of configuration settings addima.

  9. Select Save.

    Image of configuration settings sysext scope.

  10. Select Done.

    Image of configuration settings sysext-final.

Step 9: Configure Network Extension

As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.

These steps are applicable to macOS 10.15 (Catalina) or newer.

  1. In the Jamf Pro dashboard, select Computers, then Configuration Profiles.

  2. Click New, and enter the following details for Options:

    • Tab General:

      • Name: Microsoft Defender ATP Network Extension
      • Description: macOS 10.15 (Catalina) or newer
      • Category: None (default)
      • Distribution Method: Install Automatically (default)
      • Level: Computer Level (default)
    • Tab Content Filter:

      • Filter Name: Microsoft Defender ATP Content Filter
      • Identifier: com.microsoft.wdav
      • Leave Service Address, Organization, User Name, Password, Certificate blank (Include is not selected)
      • Filter Order: Inspector
      • Socket Filter: com.microsoft.wdav.netext
      • Socket Filter Designated Requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
      • Leave Network Filter fields blank (Include is not selected)

      Note that Identifier, Socket Filter and Socket Filter Designated Requirement must have exactly the values specified above.

      Image of configuration setting mdatpmdav.

  3. Select the Scope tab.

    Image of configuration settings sco tab.

  4. Select + Add.

  5. Select Computer Groups > under Group Name > select Contoso's Machine Group.

  6. Select + Add.

    Image of configuration settings adim.

  7. Select Save.

    Image of configuration settings savimg netextscop.

  8. Select Done.

    Image of configuration settings netextfinal.

Alternatively, you can download netfilter.mobileconfig and upload it to JAMF Configuration Profiles as described in Deploying Custom Configuration Profiles using Jamf Pro, Method 2: Upload a Configuration Profile to Jamf Pro.

Step 10: Schedule scans with Microsoft Defender for Endpoint on macOS

Follow the instructions on Schedule scans with Microsoft Defender for Endpoint on macOS.

Step 11: Deploy Microsoft Defender for Endpoint on macOS

  1. Navigate to where you saved wdav.pkg.

    Image of file explorer wdav pkg.

  2. Rename it to wdav_MDM_Contoso_200329.pkg.

    Image of file explorer1 wdavmdmpkg.

  3. Open the Jamf Pro dashboard.

    Image of configuration settings jamfpro.

  4. Select your computer and click the gear icon at the top, then select Computer Management.

    Image of configuration settings compmgmt.

  5. In Packages, select + New.

  6. In New Package, enter the following details:

    General tab

    • Display Name: Leave it blank for now, because it will be reset when you choose your pkg.
    • Category: None (default)
    • Filename: Choose File

    Image of configuration settings general tab.

    Open the file and point it to wdav.pkg or wdav_MDM_Contoso_200329.pkg.

  7. Select Open. Set the Display Name to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus.

    Manifest File is not required. Microsoft Defender for Endpoint works without Manifest File.

    Options tab: Keep default values.

    Limitations tab: Keep default values.

    Image of configuration settings limitation tab.

  8. Select Save. The package is uploaded to Jamf Pro.

    Image of configuration settings pack upl jamf pro.

    It can take a few minutes for the package to be available for deployment.

    Image of configuration settings pack upl.

  9. Navigate to the Policies page.

    Image of configuration settings polocies.

  10. Select + New to create a new policy.

    Image of configuration settings new policy.

  11. In General, enter the following details:

    • Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later

    Image of configuration settingsmdatponboard.

  12. Select Recurring Check-in.

    Image of configuration settings recur checkin.

  13. Select Save.

  14. Select Packages > Configure.

    Image of configuration settings pack configure.

  15. Select the Add button next to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus.

    Image of configuration settings MDATP and MDA add.

  16. Select Save.

    Image of configuration settingssavimg.

  17. Select the Scope tab.

    Image of configuration settings scptab.

  18. Select the target computers.

    Image of configuration settings tgtcomp.

    Scope

    Select Add.

    Image of configuration settings ad1img.

    Image of configuration settings ad2img.

    Self-Service

    Image of configuration settings selfservice.

  19. Select Done.

    Image of configuration settings do1img.

    Image of configuration settings do2img.