Set up the Microsoft Defender for Endpoint for macOS policies in Jamf Pro

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the Applies To section and look for specific call outs in this article where there might be differences.

Applies to:

This page will guide you through the steps you need to take to set up macOS policies in Jamf Pro.

You'll need to take the following steps:

  1. Get the Microsoft Defender for Endpoint onboarding package

  2. Create a configuration profile in Jamf Pro using the onboarding package

  3. Configure Microsoft Defender for Endpoint settings

  4. Configure Microsoft Defender for Endpoint notification settings

  5. Configure Microsoft AutoUpdate (MAU)

  6. Grant full disk access to Microsoft Defender for Endpoint

  7. Approve Kernel extension for Microsoft Defender for Endpoint

  8. Approve System extensions for Microsoft Defender for Endpoint

  9. Configure Network Extension

  10. Schedule scans with Microsoft Defender for Endpoint for Mac

  11. Deploy Microsoft Defender for Endpoint for macOS

Step 1: Get the Microsoft Defender for Endpoint onboarding package

  1. In Microsoft Defender Security Center, navigate to Settings > Onboarding.

  2. Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method.

    Image of Microsoft Defender Security Center

  3. Select Download onboarding package (WindowsDefenderATPOnboardingPackage.zip).

  4. Extract WindowsDefenderATPOnboardingPackage.zip.

  5. Copy the file to your preferred location. For example, C:\Users\JaneDoe_or_JohnDoe.contoso\Downloads\WindowsDefenderATPOnboardingPackage_macOS_MDM_contoso\jamf\WindowsDefenderATPOnboarding.plist.

Step 2: Create a configuration profile in Jamf Pro using the onboarding package

  1. Locate the file WindowsDefenderATPOnboarding.plist from the previous section.

    Image of file

  2. In the Jamf Pro dashboard, select New.

    Image of Jamf Pro dashboard

  3. Enter the following details:

    General

    • Name: MDATP onboarding for macOS
    • Description: MDATP EDR onboarding for macOS
    • Category: None
    • Distribution Method: Install Automatically
    • Level: Computer Level
  4. In Application & Custom Settings select Configure.

    Image of configuration profile

  5. Select Upload File (PLIST file) then in Preference Domain enter: com.microsoft.wdav.atp.

    Image of upload file

    Image of upload file

  6. Select Open and select the onboarding file.

    Image of onboarding file

  7. Select Upload.

    Image of uploading plist file

  8. Select the Scope tab.

    Image of scope tab

  9. Select the target computers.

    Image of target computers

    Image of target computers

  10. Select Save.

    Image of target computers

    Image of target computers selected

  11. Select Done.

    Image of target computers

    List of configuration profiles

Step 3: Configure Microsoft Defender for Endpoint settings

  1. Use the following Microsoft Defender for Endpoint configuration settings:

    • enableRealTimeProtection
    • passiveMode

    Note

    passiveMode is not turned on by default. If you plan to run a third-party AV for macOS alongside Defender, set it to true.

    • exclusions
    • excludedPath
    • excludedFileExtension
    • excludedFileName
    • exclusionsMergePolicy
    • allowedThreats

    Note

    The sample lists EICAR under allowedThreats. If you are going through a proof-of-concept, remove that entry, especially if you are testing with EICAR, because an allowed threat is never blocked.

    • disallowedThreatActions
    • potentially_unwanted_application
    • archive_bomb
    • cloudService
    • automaticSampleSubmission
    • tags
    • hideStatusMenuIcon

    For information, see Property list for Jamf configuration profile.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>antivirusEngine</key>
        <dict>
            <key>enableRealTimeProtection</key>
            <true/>
            <key>passiveMode</key>
            <false/>
            <key>exclusions</key>
            <array>
                <dict>
                    <key>$type</key>
                    <string>excludedPath</string>
                    <key>isDirectory</key>
                    <false/>
                    <key>path</key>
                    <string>/var/log/system.log</string>
                </dict>
                <dict>
                    <key>$type</key>
                    <string>excludedPath</string>
                    <key>isDirectory</key>
                    <true/>
                    <key>path</key>
                    <string>/home</string>
                </dict>
                <dict>
                    <key>$type</key>
                    <string>excludedFileExtension</string>
                    <key>extension</key>
                    <string>pdf</string>
                </dict>
                <dict>
                    <key>$type</key>
                    <string>excludedFileName</string>
                    <key>name</key>
                    <string>cat</string>
                </dict>
            </array>
            <key>exclusionsMergePolicy</key>
            <string>merge</string>
            <key>allowedThreats</key>
            <array>
                <string>EICAR-Test-File (not a virus)</string>
            </array>
            <key>disallowedThreatActions</key>
            <array>
                <string>allow</string>
                <string>restore</string>
            </array>
            <key>threatTypeSettings</key>
            <array>
                <dict>
                    <key>key</key>
                    <string>potentially_unwanted_application</string>
                    <key>value</key>
                    <string>block</string>
                </dict>
                <dict>
                    <key>key</key>
                    <string>archive_bomb</string>
                    <key>value</key>
                    <string>audit</string>
                </dict>
            </array>
            <key>threatTypeSettingsMergePolicy</key>
            <string>merge</string>
        </dict>
        <key>cloudService</key>
        <dict>
            <key>enabled</key>
            <true/>
            <key>diagnosticLevel</key>
            <string>optional</string>
            <key>automaticSampleSubmission</key>
            <true/>
        </dict>
        <key>edr</key>
        <dict>
            <key>tags</key>
            <array>
                <dict>
                    <key>key</key>
                    <string>GROUP</string>
                    <key>value</key>
                    <string>ExampleTag</string>
                </dict>
            </array>
        </dict>
        <key>userInterface</key>
        <dict>
            <key>hideStatusMenuIcon</key>
            <false/>
        </dict>
    </dict>
    </plist>
    
  2. Save the file as MDATP_MDAV_configuration_settings.plist.

  3. In the Jamf Pro dashboard, select General.

    Image of Jamf Pro dashboard

  4. Enter the following details:

    General

    • Name: MDATP MDAV configuration settings
    • Description: (blank)
    • Category: None (default)
    • Distribution Method: Install Automatically (default)
    • Level: Computer Level (default)

    Image of configuration settings

  5. In Application & Custom Settings select Configure.

    Image of configuration settings

  6. Select Upload File (PLIST file).

    Image of configuration settings

  7. In Preferences Domain, enter com.microsoft.wdav, then select Upload PLIST File.

    Image of configuration settings

  8. Select Choose File.

    Image of configuration settings

  9. Select the MDATP_MDAV_configuration_settings.plist, then select Open.

    Image of configuration settings

  10. Select Upload.

    Image of configuration settings

    Image of configuration settings

    Note

    If you happen to upload the Intune file, you'll get the following error:
    Image of configuration settings

  11. Select Save.

    Image of configuration settings

  12. The file is uploaded.

    Image of configuration settings

    Image of configuration settings

  13. Select the Scope tab.

    Image of configuration settings

  14. Select Contoso's Machine Group.

  15. Select Add, then select Save.

    Image of configuration settings

    Image of configuration settings

  16. Select Done. You'll see the new Configuration profile.

    Image of configuration settings

Step 4: Configure notifications settings

These steps apply to macOS 10.15 (Catalina) or newer.

  1. Download notif.mobileconfig from our GitHub repository

  2. Save it as MDATP_MDAV_notification_settings.plist.

  3. In the Jamf Pro dashboard, select General.

  4. Enter the following details:

    General

    • Name: MDATP MDAV Notification settings
    • Description: macOS 10.15 (Catalina) or newer
    • Category: None (default)
    • Distribution Method: Install Automatically (default)
    • Level: Computer Level (default)

    Image of configuration settings

  5. Select Upload File (PLIST file).

    Image of configuration settings

  6. Select Choose File > MDATP_MDAV_Notification_Settings.plist.

    Image of configuration settings

    Image of configuration settings

  7. Select Open > Upload.

    Image of configuration settings

    Image of configuration settings

  8. Select the Scope tab, then select Add.

    Image of configuration settings

  9. Select Contoso's Machine Group.

  10. Select Add, then select Save.

    Image of configuration settings

    Image of configuration settings

  11. Select Done. You'll see the new Configuration profile.

    Image of configuration setting

Step 5: Configure Microsoft AutoUpdate (MAU)

  1. Use the following Microsoft Defender for Endpoint configuration settings:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
     <key>ChannelName</key>
     <string>Production</string>
     <key>HowToCheck</key>
     <string>AutomaticDownload</string>
     <key>EnableCheckForUpdatesButton</key>
     <true/>
     <key>DisableInsiderCheckbox</key>
     <false/>
     <key>SendAllTelemetryEnabled</key>
     <true/>
    </dict>
    </plist>
    
  2. Save it as MDATP_MDAV_MAU_settings.plist.

  3. In the Jamf Pro dashboard, select General.

    Image of configuration setting

  4. Enter the following details:

    General

    • Name: MDATP MDAV MAU settings
    • Description: Microsoft AutoUpdate settings for MDATP for macOS
    • Category: None (default)
    • Distribution Method: Install Automatically (default)
    • Level: Computer Level (default)
  5. In Application & Custom Settings select Configure.

    Image of configuration setting

  6. Select Upload File (PLIST file).

    Image of configuration setting

  7. In Preference Domain enter: com.microsoft.autoupdate2, then select Upload PLIST File.

    Image of configuration setting

  8. Select Choose File.

    Image of configuration setting

  9. Select MDATP_MDAV_MAU_settings.plist.

    Image of configuration setting

  10. Select Upload.

    Image of configuration setting

    Image of configuration setting

  11. Select Save.

    Image of configuration setting

  12. Select the Scope tab.

    Image of configuration setting

  13. Select Add.

    Image of configuration setting

    Image of configuration setting

    Image of configuration setting

  14. Select Done.

    Image of configuration setting

Step 6: Grant full disk access to Microsoft Defender for Endpoint

  1. In the Jamf Pro dashboard, select Configuration Profiles.

    Image of configuration setting

  2. Select + New.

  3. Enter the following details:

    General

    • Name: MDATP MDAV - grant Full Disk Access to EDR and AV
    • Description: On macOS Catalina or newer, the new Privacy Preferences Policy Control
    • Category: None
    • Distribution method: Install Automatically
    • Level: Computer level

    Image of configuration setting

  4. In Configure Privacy Preferences Policy Control select Configure.

    Image of configuration setting

  5. In Privacy Preferences Policy Control, enter the following details:

    • Identifier: com.microsoft.wdav
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

    Image of configuration setting

  6. Select + Add.

    Image of configuration setting

    • Under App or service: Set to SystemPolicyAllFiles

    • Under "access": Set to Allow

  7. Select Save (not the one at the bottom right).

    Image of configuration setting

  8. Click the + sign next to App Access to add a new entry.

    Image of configuration setting

  9. Enter the following details:

    • Identifier: com.microsoft.wdav.epsext
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

  10. Select + Add.

    Image of configuration setting

    • Under App or service: Set to SystemPolicyAllFiles

    • Under "access": Set to Allow

  11. Select Save (not the one at the bottom right).

    Image of configuration setting

  12. Select the Scope tab.

    Image of configuration setting

  13. Select + Add.

    Image of configuration setting

  14. Select Computer Groups > under Group Name > select Contoso's MachineGroup.

    Image of configuration setting

  15. Select Add.

  16. Select Save.

  17. Select Done.

    Image of configuration setting

    Image of configuration setting

Step 7: Approve Kernel extension for Microsoft Defender for Endpoint

  1. In the Configuration Profiles, select + New.


  2. Enter the following details:

    General

    • Name: MDATP MDAV Kernel Extension
    • Description: MDATP kernel extension (kext)
    • Category: None
    • Distribution Method: Install Automatically
    • Level: Computer Level

    Image of configuration settings

  3. In Configure Approved Kernel Extensions select Configure.

    Image of configuration settings

  4. In Approved Kernel Extensions Enter the following details:

    • Display Name: Microsoft Corp.
    • Team ID: UBF8T346G9

    Image of configuration settings

  5. Select the Scope tab.

    Image of configuration settings

  6. Select + Add.

  7. Select Computer Groups > under Group Name > select Contoso's Machine Group.

  8. Select + Add.

    Image of configuration settings

  9. Select Save.

    Image of configuration settings

  10. Select Done.

    Image of configuration settings

Step 8: Approve System extensions for Microsoft Defender for Endpoint

  1. In the Configuration Profiles, select + New.


  2. Enter the following details:

    General

    • Name: MDATP MDAV System Extensions
    • Description: MDATP system extensions
    • Category: None
    • Distribution Method: Install Automatically
    • Level: Computer Level

    Image of configuration settings

  3. In System Extensions select Configure.

    Image of configuration settings

  4. In System Extensions enter the following details:

    • Display Name: Microsoft Corp. System Extensions
    • System Extension Types: Allowed System Extensions
    • Team Identifier: UBF8T346G9
    • Allowed System Extensions:
      • com.microsoft.wdav.epsext
      • com.microsoft.wdav.netext

    Image of configuration settings

  5. Select the Scope tab.

    Image of configuration settings

  6. Select + Add.

  7. Select Computer Groups > under Group Name > select Contoso's Machine Group.

  8. Select + Add.

    Image of configuration settings

  9. Select Save.

    Image of configuration settings

  10. Select Done.

    Image of configuration settings

Step 9: Configure Network Extension

As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.

Note

JAMF doesn't have built-in support for content filtering policies, which are a prerequisite for enabling the network extensions that Microsoft Defender for Endpoint for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involves signing the configuration profile so that JAMF deploys it unmodified.

  1. Download netfilter.mobileconfig from our GitHub repository to your device and save it as com.microsoft.network-extension.mobileconfig

  2. Follow the instructions on this page to create a signing certificate using JAMF’s built-in certificate authority

  3. After the certificate is created and installed to your device, run the following command from the Terminal from a macOS device:

    $ security cms -S -N "<certificate name>" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig
    

    Terminal window with command to create signed configuration

  4. From the JAMF portal, navigate to Configuration Profiles and click the Upload button.

    Image of upload window

  5. Select Choose File and select com.microsoft.network-extension.signed.mobileconfig (the signed file produced in step 3).

    Image of upload window

  6. Select Upload.

    Image of upload window

  7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.

    Image of new configuration profile

  8. Select the Scope tab.

    Image of configuration settings

  9. Select + Add.

  10. Select Computer Groups > under Group Name > select Contoso's Machine Group.

  11. Select + Add.

    Image of configuration settings

  12. Select Save.

    Image of configuration settings

  13. Select Done.

    Image of configuration settings

Step 10: Schedule scans with Microsoft Defender for Endpoint for Mac

Follow the instructions on Schedule scans with Microsoft Defender for Endpoint for Mac.

Step 11: Deploy Microsoft Defender for Endpoint for macOS

  1. Navigate to where you saved wdav.pkg.

    Image of file explorer

  2. Rename it to wdav_MDM_Contoso_200329.pkg.

    Image of file explorer

  3. Open the Jamf Pro dashboard.

    Image of configuration settings

  4. Select your computer and click the gear icon at the top, then select Computer Management.

    Image of configuration settings

  5. In Packages, select + New.

  6. In New Package Enter the following details:

    General tab

    • Display Name: Leave it blank for now, because it is reset when you choose your pkg.
    • Category: None (default)
    • Filename: Choose File

    Image of configuration settings

    Open the file and point it to wdav.pkg or wdav_MDM_Contoso_200329.pkg.


  7. Select Open. Set the Display Name to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus.

    A manifest file is not required; Microsoft Defender Advanced Threat Protection works without one.

    Options tab
    Keep default values.

    Limitations tab
    Keep default values.

    Image of configuration settings

  8. Select Save. The package is uploaded to Jamf Pro.

    Image of configuration settings

    It can take a few minutes for the package to be available for deployment.

    Image of configuration settings

  9. Navigate to the Policies page.

    Image of configuration settings

  10. Select + New to create a new policy.

    Image of configuration settings

  11. In General Enter the following details:

    • Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later

    Image of configuration settings

  12. Select Recurring Check-in.

    Image of configuration settings

  13. Select Save.

  14. Select Packages > Configure.

    Image of configuration settings

  15. Select the Add button next to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus.

    Image of configuration settings

  16. Select Save.

    Image of configuration settings

  17. Select the Scope tab.

    Image of configuration settings

  18. Select the target computers.

    Image of configuration settings

    Scope

    Select Add.

    Image of configuration settings

    Image of configuration settings

    Self-Service

    Image of configuration settings

  19. Select Done.

    Image of configuration settings

    Image of configuration settings