Protect macOS security settings with tamper protection
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Tamper protection on macOS helps prevent unauthorized users from making unwanted changes to security settings. It helps prevent unauthorized removal of Microsoft Defender for Endpoint on macOS, and it also protects important security files, processes, and configuration settings from being tampered with.
You can set tamper protection in the following modes:
| Mode | Description |
|---|---|
| Disabled | Tamper protection is completely off (this is the default mode after installation) |
| Audit | Tampering operations are logged, but not blocked |
| Block | Tamper protection is on, tampering operations are blocked |
When tamper protection is set to audit or block mode, you can expect the following outcomes:
Audit mode:
- Attempts to uninstall the Defender for Endpoint agent are logged (audited)
- Editing/modification of Defender for Endpoint files is logged (audited)
- Creation of new files under the Defender for Endpoint location is logged (audited)
- Deletion of Defender for Endpoint files is logged (audited)
- Renaming of Defender for Endpoint files is logged (audited)
Block mode:
- Attempts to uninstall the Defender for Endpoint agent are blocked
- Editing/modification of Defender for Endpoint files is blocked
- Creation of new files under the Defender for Endpoint location is blocked
- Deletion of Defender for Endpoint files is blocked
- Renaming of Defender for Endpoint files is blocked
- Commands to stop the agent fail
When an action is blocked, macOS shows a system message in response.
[Screenshot: macOS system message shown in response to a blocked action]
You configure the tamper protection mode by passing the mode name (disabled, audit, or block) as the enforcement-level value.
Note
- The mode change will apply immediately.
- If you used JAMF during the initial configuration, then you'll need to update the configuration using JAMF as well.
Before you begin
- Supported macOS versions: Monterey (12), Big Sur (11), Catalina (10.15+).
- Minimum required version for Defender for Endpoint: 101.70.19.
- You must be on a non-Production update channel (either Preview or Beta) while the tamper protection feature is in preview. If you are on the Production channel, the configured tamper protection mode is ignored.
Highly recommended settings:
- System Integrity Protection (SIP) enabled. For more information, see Disabling and Enabling System Integrity Protection.
- Use a mobile device management (MDM) tool to configure Microsoft Defender for Endpoint.
Configure tamper protection on macOS devices
There are several ways you can configure tamper protection: manually on the device with the mdatp command line, through JAMF, or through Intune. Each is described below.
Before you begin
Verify that "tamper_protection" is set to "disabled" or "audit" to observe the state change. Also, make sure that "release_ring" does not report "Production".
```bash
mdatp health
```
```text
healthy : true
health_issues : []
licensed : true
engine_version : "1.1.19300.3"
app_version : "101.70.19"
org_id : "..."
log_level : "info"
machine_guid : "..."
release_ring : "InsiderFast"
product_expiration : Dec 29, 2022 at 09:48:37 PM
cloud_enabled : true
cloud_automatic_sample_submission_consent : "safe"
cloud_diagnostic_enabled : false
passive_mode_enabled : false
real_time_protection_enabled : true
real_time_protection_available : true
real_time_protection_subsystem : "endpoint_security_extension"
network_events_subsystem : "network_filter_extension"
device_control_enforcement_level : "audit"
tamper_protection : "audit"
automatic_definition_update_enabled : true
definitions_updated : Jul 06, 2022 at 01:57:03 PM
definitions_updated_minutes_ago : 5
definitions_version : "1.369.896.0"
definitions_status : "up_to_date"
edr_early_preview_enabled : "disabled"
edr_device_tags : []
edr_group_ids : ""
edr_configuration_version : "20.199999.main.2022.07.05.02-ac10b0623fd381e28133debe14b39bb2dc5b61af"
edr_machine_id : "..."
conflicting_applications : []
network_protection_status : "stopped"
data_loss_prevention_status : "disabled"
full_disk_access_enabled : true
```
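Reading three fields out of a long `mdatp health` dump by eye is error-prone when you are rolling this out to many devices. The following script is an added example (not Microsoft's code) that parses the `key : value` lines `mdatp health` prints, checks the prerequisites listed above (non-Production ring, agent version at least 101.70.19, a current mode of disabled or audit so the change is observable), and also verifies the mode after you change it. The function names and the short sample health texts at the bottom are constructed for this example; on a device you would feed it the real output, for instance `tp_prereq_check "$(mdatp health)"`.

```shell
#!/bin/sh
# Checks the tamper protection preview prerequisites from this page against the
# text of `mdatp health` (key : value lines). Added example, not Microsoft's code.
# Usage on a device:
#   tp_prereq_check "$(mdatp health)"        # before changing the mode
#   tp_mode_is "$(mdatp health)" block       # after switching to block mode

health_field() {
  # $1 = health output text, $2 = field name; prints the value with quotes stripped
  printf '%s\n' "$1" | awk -v k="$2" -F' : ' '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

version_ge() {
  # returns 0 when dotted version $1 >= $2, comparing numeric components in order
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

tp_prereq_check() {
  # $1 = health output text; returns 0 when a tamper protection mode change
  # can be applied and observed on this device, 1 otherwise
  ring=$(health_field "$1" release_ring)
  ver=$(health_field "$1" app_version)
  mode=$(health_field "$1" tamper_protection)
  rc=0
  if [ "$ring" = "Production" ]; then
    echo "FAIL: release_ring is Production; the preview ignores the configured mode"
    rc=1
  fi
  if [ -z "$ver" ] || ! version_ge "$ver" 101.70.19; then
    echo "FAIL: app_version '$ver' is below the minimum 101.70.19"
    rc=1
  fi
  case "$mode" in
    disabled|audit) echo "OK: tamper_protection is $mode; a change to block will be visible" ;;
    block) echo "INFO: tamper_protection is already block" ;;
    *) echo "FAIL: tamper_protection field missing or unexpected ('$mode')"; rc=1 ;;
  esac
  return $rc
}

tp_mode_is() {
  # $1 = health output text, $2 = expected mode; returns 0 when they match
  [ "$(health_field "$1" tamper_protection)" = "$2" ]
}

# Constructed samples (not captured from a device): only the relevant fields
SAMPLE_PREVIEW='release_ring : "InsiderFast"
app_version : "101.70.19"
tamper_protection : "audit"'
SAMPLE_PRODUCTION='release_ring : "Production"
app_version : "101.69.20"
tamper_protection : "disabled"'
```

The version comparison is done in awk component by component rather than with `sort -V`, which is not available on every macOS build; the Production check is the one most often missed, because the agent silently ignores the mode on that channel during the preview.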
Manual configuration
Use the following command:
```bash
sudo mdatp config tamper-protection enforcement-level --value block
```
Note
If you enable tamper protection through manual configuration, a local admin can also disable it manually at any time, for example by revoking Full Disk Access from Defender in System Preferences. Use MDM instead of manual configuration to prevent a local admin from doing that.
Verify the result.
```bash
mdatp health
```
```text
healthy : true
health_issues : []
licensed : true
engine_version : "1.1.19300.3"
app_version : "101.70.19"
org_id : "..."
log_level : "info"
machine_guid : "..."
release_ring : "InsiderFast"
product_expiration : Dec 29, 2022 at 09:48:37 PM
cloud_enabled : true
cloud_automatic_sample_submission_consent : "safe"
cloud_diagnostic_enabled : false
passive_mode_enabled : false
real_time_protection_enabled : true
real_time_protection_available : true
real_time_protection_subsystem : "endpoint_security_extension"
network_events_subsystem : "network_filter_extension"
device_control_enforcement_level : "audit"
tamper_protection : "block"
automatic_definition_update_enabled : true
definitions_updated : Jul 06, 2022 at 01:57:03 PM
definitions_updated_minutes_ago : 5
definitions_version : "1.369.896.0"
definitions_status : "up_to_date"
edr_early_preview_enabled : "disabled"
edr_device_tags : []
edr_group_ids : ""
edr_configuration_version : "20.199999.main.2022.07.05.02-ac10b0623fd381e28133debe14b39bb2dc5b61af"
edr_machine_id : "..."
conflicting_applications : []
network_protection_status : "stopped"
data_loss_prevention_status : "disabled"
full_disk_access_enabled : true
```
Notice that the "tamper_protection" is now set to "block".
JAMF
Configure tamper protection mode in Microsoft Defender for Endpoint configuration profile, by adding the following settings:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
</dict>
</dict>
</plist>
```
Note
If you already have a configuration profile for Microsoft Defender for Endpoint then you need to add settings to it. You don't need to create a second configuration profile.
Intune
Follow the documented Intune profile example to configure tamper protection through Intune. For more information, see Set preferences for Microsoft Defender for Endpoint on macOS.
Add the following configuration in your Intune profile:
Note
For Intune configuration, you can create a new profile configuration file to add the Tamper protection configuration, or you can add these parameters to the existing one.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender for Endpoint configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
</dict>
</dict>
</array>
</dict>
</plist>
```
Check the tamper protection status by running the following command:
```bash
mdatp health --field tamper_protection
```
The command prints only that field; the value is "block" if tamper protection is on.
You can also run the full mdatp health command and look for the tamper_protection line in its output.
Verify tamper protection preventive capabilities
You can verify that tamper protection is on in several ways.
Verify block mode
- A tampering alert is raised in the Microsoft 365 Defender portal.
[Screenshot: tampering alert in the Microsoft 365 Defender portal]
Verify block and audit modes
- In Advanced hunting, you'll see the tampering events appear.
- Tampering events can be found in the local device logs:
```bash
sudo grep -F '[{tamperProtection}]' /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log
```
DIY scenarios
With tamper protection set to "block", attempt different methods to uninstall Defender for Endpoint. For example, drag the app to the Trash or uninstall it from the command line.
Try to stop the Defender for Endpoint process (kill it).
Try to delete, rename, modify, or move Defender for Endpoint files (as a malicious user would), for example:
- /Applications/Microsoft Defender ATP.app/
- /Library/LaunchDaemons/com.microsoft.fresno.plist
- /Library/LaunchDaemons/com.microsoft.fresno.uninstall.plist
- /Library/LaunchAgents/com.microsoft.wdav.tray.plist
- /Library/Managed Preferences/com.microsoft.wdav.ext.plist
- /Library/Managed Preferences/mdatp_managed.json
- /Library/Managed Preferences/com.microsoft.wdav.atp.plist
- /Library/Managed Preferences/com.microsoft.wdav.atp.offboarding.plist
- /usr/local/bin/mdatp
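Rather than hand-running those attempts on each device, the scenarios can be scripted. The following probe harness is an added example (not Microsoft's code): it creates, renames and then deletes a probe file of its own in each directory listed above, reports which operations were blocked, and never touches the existing Defender for Endpoint files. The function names, the probe file name and the `run` argument are this example's own conventions. On a preview device in block mode you should see create (and therefore rename and delete) reported as BLOCKED; in audit or disabled mode, or against an unprotected directory, everything is allowed and the return code is 0.

```shell
#!/bin/sh
# Probe harness for the DIY tamper protection scenarios. Added example, not
# Microsoft's code. It only creates, renames and deletes its own probe file in a
# directory you name and never modifies existing Defender for Endpoint files.
# Expected results:
#   block mode                   -> operations report BLOCKED, non-zero return
#   audit/disabled or a temp dir -> all allowed, return 0

tp_probe_dir() {
  # $1 = directory to probe; returns the number of blocked operations (0..3),
  # or 0 with a "skip" line when the directory does not exist on this machine
  dir=$1
  probe="$dir/.tp_probe_$$"
  blocked=0
  if [ ! -d "$dir" ]; then
    echo "skip    missing  $dir"
    return 0
  fi
  # 1. create a new file under the (protected) location
  if : > "$probe" 2>/dev/null; then
    echo "create  allowed  $probe"
  else
    echo "create  BLOCKED  $probe (rename/delete not attempted)"
    echo "$dir: 1 operation blocked"
    return 1
  fi
  # 2. rename the probe file in place
  if mv "$probe" "$probe.renamed" 2>/dev/null; then
    echo "rename  allowed  $probe.renamed"
    probe="$probe.renamed"
  else
    echo "rename  BLOCKED  $probe"
    blocked=$((blocked + 1))
  fi
  # 3. delete it; if this is blocked the probe file stays behind until the
  #    mode is set back to audit or disabled
  if rm "$probe" 2>/dev/null; then
    echo "delete  allowed  $probe"
  else
    echo "delete  BLOCKED  $probe (left in place)"
    blocked=$((blocked + 1))
  fi
  echo "$dir: $blocked operation(s) blocked"
  return "$blocked"
}

tp_probe_all() {
  # Runs the probe over the locations listed on this page; returns 0 only when
  # nothing was blocked anywhere, i.e. tamper protection is not enforcing
  total=0
  for d in "/Applications/Microsoft Defender ATP.app" \
           /Library/LaunchDaemons /Library/LaunchAgents \
           "/Library/Managed Preferences" /usr/local/bin; do
    tp_probe_dir "$d" || total=$((total + $?))
  done
  echo "total blocked: $total"
  [ "$total" -eq 0 ]
}

# Usage on a device (root is needed for these directories):  sudo sh tp_probe.sh run
if [ "${1:-}" = "run" ]; then
  tp_probe_all
fi
```

Keep the audit-mode expectation in mind when reading the output: in audit mode every operation is allowed, so the evidence is not this script's return code but the entries written to microsoft_defender_core.log and the events in Advanced hunting.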
Turning off tamper protection
You can turn off tamper protection using any of the following methods.
Manual configuration
Use the following command:
```bash
sudo mdatp config tamper-protection enforcement-level --value disabled
```
JAMF
Change the enforcementLevel value to "disabled" in your configuration profile, and push it to the machine:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>disabled</string>
</dict>
</dict>
</plist>
```
Intune
Change the enforcementLevel value to "disabled" in your Intune profile and push it to the machine:
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender for Endpoint configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>tamperProtection</key>
<dict>
<key>enforcementLevel</key>
<string>disabled</string>
</dict>
</dict>
</array>
</dict>
</plist>
```
Troubleshooting configuration issues
Issue: Tamper protection is reported as disabled
If mdatp health reports tamper protection as disabled even though you enabled it, and more than an hour has passed since onboarding, check whether the configuration actually reached the agent by looking at the last feature-state line it logged (note that with grep -F the pattern is taken literally, so the brackets must not be backslash-escaped):
```bash
sudo grep -F '[{tamperProtection}]: Feature state:' /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log | tail -n 1
```
The reported mode must be "block" (or "audit"). If it is not, the tamper protection mode has not been set, either through the mdatp config command or through your MDM (JAMF or Intune) profile.
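The two log checks on this page (listing tampering events under "Verify block mode and audit modes", and reading the last feature-state line here) can be combined into one small script. The following is an added example, not Microsoft's code: it reports the last logged feature state, counts the other tamperProtection entries, and fails with a clear message when no feature-state line exists, which is the "mode was never set" case described above. The only line shapes it relies on are the `[{tamperProtection}]` tag and the `Feature state:` text quoted on this page; the timestamps, levels and event wording in the sample written by `tp_write_sample_log` are constructed for this example and the real layout on a device may differ.

```shell
#!/bin/sh
# Summarise tamper protection entries in microsoft_defender_core.log.
# Added example, not Microsoft's code. Relies only on the "[{tamperProtection}]"
# tag and the "Feature state:" text shown on this page; everything else about
# the sample lines below is constructed.
# Usage on a device:  sudo sh tp_log.sh report
#   (reads /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log)

DEFAULT_LOG=/Library/Logs/Microsoft/mdatp/microsoft_defender_core.log

tp_last_state() {
  # $1 = log path; prints the value after the last "Feature state:" line,
  # or "unset" when no such line exists (the mode was never configured)
  state=$(grep -F '[{tamperProtection}]: Feature state:' "$1" 2>/dev/null \
          | tail -n 1 \
          | sed 's/.*Feature state:[[:space:]]*//; s/[[:space:]]*$//')
  if [ -z "$state" ]; then echo unset; else echo "$state"; fi
}

tp_event_count() {
  # $1 = log path; counts tamperProtection lines other than feature-state lines.
  # grep -c prints 0 and exits 1 on no matches, hence the || true.
  grep -F '[{tamperProtection}]' "$1" 2>/dev/null | grep -Fvc 'Feature state:' || true
}

tp_report() {
  # $1 = log path; prints a summary and returns 0 only when the mode is block or audit
  st=$(tp_last_state "$1")
  n=$(tp_event_count "$1")
  echo "tamper protection feature state : $st"
  echo "tampering events logged         : $n"
  case "$st" in
    block|audit) return 0 ;;
    unset) echo "no 'Feature state' line found: the mode has not been set via mdatp config, JAMF or Intune"; return 1 ;;
    *) echo "tamper protection is $st, not block or audit"; return 1 ;;
  esac
}

tp_write_sample_log() {
  # Writes constructed sample lines (not real Defender output) to $1 for offline use
  cat > "$1" <<'EOF'
2022-07-06 13:50:01.000 info  [{tamperProtection}]: Feature state: audit
2022-07-06 13:55:12.000 warn  [{tamperProtection}]: tampering detected: delete /Library/LaunchDaemons/com.microsoft.fresno.plist
2022-07-06 13:57:03.000 info  [{tamperProtection}]: Feature state: block
2022-07-06 14:01:44.000 warn  [{tamperProtection}]: tampering blocked: rename /usr/local/bin/mdatp
EOF
}

if [ "${1:-}" = "report" ]; then
  tp_report "${2:-$DEFAULT_LOG}"
fi
```

An "unset" result together with a non-Production ring usually means the profile never arrived (or, for manual configuration, the command was typed with a malformed `--value`); a state of "disabled" means a configuration did arrive but with the wrong value.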