Resources for Microsoft Defender ATP for Mac

Applies to:

Collecting diagnostic information

If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.

  1. Increase logging level:

    $ mdatp --log-level verbose
    Creating connection to daemon
    Connection established
    Operation succeeded
  2. Reproduce the problem

  3. Run sudo mdatp --diagnostic --create to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.

    $ sudo mdatp --diagnostic --create
    Creating connection to daemon
    Connection established
  4. Restore logging level:

    $ mdatp --log-level info
    Creating connection to daemon
    Connection established
    Operation succeeded

Logging installation issues

If an error occurs during installation, the installer will only report a general failure.

The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.


There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.

Interactive uninstallation

  • Open Finder > Applications. Right click on Microsoft Defender ATP > Move to Trash.

From the command line

  • sudo rm -rf '/Applications/Microsoft Defender'

Configuring from the command line

Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:

Group Scenario Command
Configuration Turn on/off real-time protection mdatp --config realTimeProtectionEnabled [true/false]
Configuration Turn on/off cloud protection mdatp --config cloudEnabled [true/false]
Configuration Turn on/off product diagnostics mdatp --config cloudDiagnosticEnabled [true/false]
Configuration Turn on/off automatic sample submission mdatp --config cloudAutomaticSampleSubmission [true/false]
Configuration Turn on PUA protection mdatp --threat --type-handling potentially_unwanted_application block
Configuration Turn off PUA protection mdatp --threat --type-handling potentially_unwanted_application off
Configuration Turn on audit mode for PUA protection mdatp --threat --type-handling potentially_unwanted_application audit
Diagnostics Change the log level mdatp --log-level [error/warning/info/verbose]
Diagnostics Generate diagnostic logs mdatp --diagnostic --create
Health Check the product's health mdatp --health
Protection Scan a path mdatp --scan --path [path]
Protection Do a quick scan mdatp --scan --quick
Protection Do a full scan mdatp --scan --full
Protection Cancel an ongoing on-demand scan mdatp --scan --cancel
Protection Request a security intelligence update mdatp --definition-update
EDR Turn on/off EDR preview for Mac mdatp --edr --early-preview [true/false] OR mdatp --edr --earlyPreview [true/false] for versions earlier than 100.78.0
EDR Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit mdatp --edr --set-tag GROUP [name]
EDR Remove group tag from machine mdatp --edr --remove-tag [name]

Microsoft Defender ATP portal information

In the Microsoft Defender ATP portal, you'll see two categories of information.

Antivirus alerts, including:

  • Severity
  • Scan type
  • Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
  • File information (name, path, size, and hash)
  • Threat information (name, type, and state)

Device information, including:

  • Machine identifier
  • Tenant identifier
  • App version
  • Hostname
  • OS type
  • OS version
  • Computer model
  • Processor architecture
  • Whether the device is a virtual machine


Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app and select Help > Send feedback on your device. Optionally, use the Feedback button in the Microsoft Defender Security Center.