Microsoft Defender Advanced Threat Protection for Mac

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.

Caution

Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in Passive mode.

What’s new in the latest release

What's new in Microsoft Defender ATP

What's new in Microsoft Defender ATP for Mac

Tip

If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to Help > Send feedback.

To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender ATP to be an "Insider" device. See Enable Microsoft Defender ATP Insider Device.

How to install Microsoft Defender ATP for Mac

Prerequisites

  • A Microsoft Defender ATP subscription and access to the Microsoft Defender Security Center portal
  • Beginner-level experience in macOS and BASH scripting
  • Administrative privileges on the device (in case of manual deployment)

Installation instructions

There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.

System requirements

The three most recent major releases of macOS are supported.

  • 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
  • Disk space: 1GB

Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020.

After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.

Licensing requirements

Microsoft Defender Advanced Threat Protection for Mac requires one of the following Microsoft Volume Licensing offers:

  • Microsoft 365 E5 (M365 E5)
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 (M365 A5)

Note

Eligible licensed users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices. Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.

Network connections

The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.

Item Description
Thumb image for Microsoft Defender ATP URLs spreadsheet
Spreadsheet
The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.

Microsoft Defender ATP can discover a proxy server by using the following discovery methods:

  • Proxy autoconfig (PAC)
  • Web Proxy Autodiscovery Protocol (WPAD)
  • Manual static proxy configuration

If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.

Warning

Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.

SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.

To test that a connection is not blocked, open https://x.cp.wd.microsoft.com/api/report and https://cdn.x.cp.wd.microsoft.com/ping in a browser.

If you prefer the command line, you can also check the connection by running the following command in Terminal:

curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'

The output from this command should be similar to the following:

OK https://x.cp.wd.microsoft.com/api/report

OK https://cdn.x.cp.wd.microsoft.com/ping

Caution

We recommend that you keep System Integrity Protection (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.

Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:

mdatp --connectivity-test

How to update Microsoft Defender ATP for Mac

Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see Deploy updates for Microsoft Defender ATP for Mac

How to configure Microsoft Defender ATP for Mac

Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender ATP for Mac.

macOS kernel and system extensions

In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. Visit What's new in Microsoft Defender Advanced Threat Protection for Mac for relevant details.

Resources