New configuration profiles for macOS Big Sur and newer versions of macOS

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

If you have deployed Microsoft Defender for Endpoint on macOS in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. Failure to do these steps will result in users getting approval prompts to run these new components.

JAMF

JAMF System Extensions Policy

To approve the system extensions, create the following payload:

1. In Computers > Configuration Profiles select Options > System Extensions.

2. Select Allowed System Extensions from the System Extension Types drop-down list.

3. Use UBF8T346G9 for Team Id.

4. Add the following bundle identifiers to the Allowed System Extensions list:

   • com.microsoft.wdav.epsext
   • com.microsoft.wdav.netext

   

Privacy Preferences Policy Control

Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender for Endpoint Endpoint Security Extension. This policy is a pre-requisite for running the extension on your device.

1. Select Options > Privacy Preferences Policy Control.

2. Use com.microsoft.wdav.epsext as the Identifier and Bundle ID as Bundle type.

3. Set Code Requirement to identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

4. Set App or service to SystemPolicyAllFiles and access to Allow.

   

Network Extension Policy

As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender portal. The following policy allows the network extension to perform this functionality.

Note

JAMF doesn't have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender for Endpoint on macOS installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involve signing the configuration profile.

1. Save the following content to your device as com.microsoft.network-extension.mobileconfig using a text editor:

   <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1">
       <dict>
           <key>PayloadUUID</key>
           <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
           <key>PayloadType</key>
           <string>Configuration</string>
           <key>PayloadOrganization</key>
           <string>Microsoft Corporation</string>
           <key>PayloadIdentifier</key>
           <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
           <key>PayloadDisplayName</key>
           <string>Microsoft Defender Network Extension</string>
           <key>PayloadDescription</key>
           <string/>
           <key>PayloadVersion</key>
           <integer>1</integer>
           <key>PayloadEnabled</key>
           <true/>
           <key>PayloadRemovalDisallowed</key>
           <true/>
           <key>PayloadScope</key>
           <string>System</string>
           <key>PayloadContent</key>
           <array>
               <dict>
                   <key>PayloadUUID</key>
                   <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
                   <key>PayloadType</key>
                   <string>com.apple.webcontent-filter</string>
                   <key>PayloadOrganization</key>
                   <string>Microsoft Corporation</string>
                   <key>PayloadIdentifier</key>
                   <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
                   <key>PayloadDisplayName</key>
                   <string>Approved Network Extension</string>
                   <key>PayloadDescription</key>
                   <string/>
                   <key>PayloadVersion</key>
                   <integer>1</integer>
                   <key>PayloadEnabled</key>
                   <true/>
                   <key>FilterType</key>
                   <string>Plugin</string>
                   <key>UserDefinedName</key>
                   <string>Microsoft Defender Network Extension</string>
                   <key>PluginBundleID</key>
                   <string>com.microsoft.wdav</string>
                   <key>FilterSockets</key>
                   <true/>
                   <key>FilterDataProviderBundleIdentifier</key>
                   <string>com.microsoft.wdav.netext</string>
                   <key>FilterDataProviderDesignatedRequirement</key>
                   <string>identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
               </dict>
           </array>
       </dict>
   </plist>
   

2. Verify that the above file was copied correctly by running the plutil utility in the Terminal:

   $ plutil -lint <PathToFile>/com.microsoft.network-extension.mobileconfig
   

   For example, if the file was stored in Documents:

   $ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig
   

   Verify that the command outputs OK.

   <PathToFile>/com.microsoft.network-extension.mobileconfig: OK
   

3. Follow the instructions on this page to create a signing certificate using JAMF's built-in certificate authority.

4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file:

   $ security cms -S -N "<CertificateName>" -i <PathToFile>/com.microsoft.network-extension.mobileconfig -o <PathToSignedFile>/com.microsoft.network-extension.signed.mobileconfig
   

   For example, if the certificate name is SigningCertificate and the signed file is going to be stored in Documents:

   $ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig
   

5. From the JAMF portal, navigate to Configuration Profiles and click the Upload button. Select com.microsoft.network-extension.signed.mobileconfig when prompted for the file.

Intune

Intune System Extensions Policy

To approve the system extensions:

1. In Intune, open Manage > Device configuration. Select Manage > Profiles > Create Profile.

2. Choose a name for the profile. Change Platform=macOS to Profile type=Extensions. Select Create.

3. In the Basics tab, give a name to this new profile.

4. In the Configuration settings tab, add the following entries in the Allowed system extensions section:

   
   

---

Bundle identifier	Team identifier
com.microsoft.wdav.epsext	UBF8T346G9
com.microsoft.wdav.netext	UBF8T346G9

5. In the Assignments tab, assign this profile to All Users & All devices.
6. Review and create this configuration profile.

Create and deploy the Custom Configuration Profile

The following configuration profile enables the network extension and grants Full Disk Access to the Endpoint Security system extension.

Save the following content to a file named sysext.xml:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
    <dict>
        <key>PayloadUUID</key>
        <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadOrganization</key>
        <string>Microsoft Corporation</string>
        <key>PayloadIdentifier</key>
        <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
        <key>PayloadDisplayName</key>
        <string>Microsoft Defender System Extensions</string>
        <key>PayloadDescription</key>
        <string/>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadUUID</key>
                <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
                <key>PayloadType</key>
                <string>com.apple.webcontent-filter</string>
                <key>PayloadOrganization</key>
                <string>Microsoft Corporation</string>
                <key>PayloadIdentifier</key>
                <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
                <key>PayloadDisplayName</key>
                <string>Approved Network Extension</string>
                <key>PayloadDescription</key>
                <string/>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadEnabled</key>
                <true/>
                <key>FilterType</key>
                <string>Plugin</string>
                <key>UserDefinedName</key>
                <string>Microsoft Defender Network Extension</string>
                <key>PluginBundleID</key>
                <string>com.microsoft.wdav</string>
                <key>FilterSockets</key>
                <true/>
                <key>FilterDataProviderBundleIdentifier</key>
                <string>com.microsoft.wdav.netext</string>
                <key>FilterDataProviderDesignatedRequirement</key>
                <string>identifier &quot;com.microsoft.wdav.netext&quot; and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
            </dict>
            <dict>
                <key>PayloadUUID</key>
                <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
                <key>PayloadType</key>
                <string>com.apple.TCC.configuration-profile-policy</string>
                <key>PayloadOrganization</key>
                <string>Microsoft Corporation</string>
                <key>PayloadIdentifier</key>
                <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
                <key>PayloadDisplayName</key>
                <string>Privacy Preferences Policy Control</string>
                <key>PayloadDescription</key>
                <string/>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadEnabled</key>
                <true/>
                <key>Services</key>
                <dict>
                    <key>SystemPolicyAllFiles</key>
                    <array>
                        <dict>
                            <key>Identifier</key>
                            <string>com.microsoft.wdav.epsext</string>
                            <key>CodeRequirement</key>
                            <string>identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
                            <key>IdentifierType</key>
                            <string>bundleID</string>
                            <key>StaticCode</key>
                            <integer>0</integer>
                            <key>Allowed</key>
                            <integer>1</integer>
                        </dict>
                    </array>
                </dict>
            </dict>
        </array>
    </dict>
</plist>

Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs OK:

$ plutil -lint sysext.xml
sysext.xml: OK

To deploy this custom configuration profile:

1. In Intune, open Manage > Device configuration. Select Manage > Profiles > Create profile.

2. Choose a name for the profile. Change Platform=macOS and Profile type=Custom. Select Configure.

3. Open the configuration profile and upload sysext.xml. This file was created in the preceding step.

4. Select OK.

   

5. In the Assignments tab, assign this profile to All Users & All devices.

6. Review and create this configuration profile.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.