Επεξεργασία

Κοινή χρήση μέσω


Manual deployment for Microsoft Defender for Endpoint on macOS

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

This article describes how to deploy Microsoft Defender for Endpoint on macOS manually. A successful deployment requires the completion of all of the following steps:

Prerequisites and system requirements

Before you get started, see the main Microsoft Defender for Endpoint on macOS page for a description of prerequisites and system requirements for the current software version.

Download installation and onboarding packages

Download the installation and onboarding packages from Microsoft Defender portal.

Warning

Repackaging the Defender for Endpoint installation package is not a supported scenario. Doing so can negatively impact the integrity of the product and lead to adverse results, including but not limited to triggering tampering alerts and updates failing to apply.

  1. In Microsoft Defender portal, go to Settings > Endpoints > Device management > Onboarding.

  2. In Section 1 of the page, set operating system to macOS and Deployment method to Local script.

  3. In Section 2 of the page, select Download installation package. Save it as wdav.pkg to a local directory.

  4. In Section 2 of the page, select Download onboarding package. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. Screenshot that shows the options to download the installation and onboarding packages.

  5. From a command prompt, verify that you have the two files.

    • Type cd Downloads and press Enter.
    • Type ls and press Enter. Screenshot that displays the two download files.
  6. Copy the wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.sh to the device where you want to deploy the Microsoft Defender for Endpoint on macOS.

Application installation (macOS 11 and newer versions)

To complete this process, you must have admin privileges on the device.

  1. Do one of the following steps:

    • Navigate to the downloaded wdav.pkg in Finder and open it.

    Or

    • You can download the wdav.pkg- from Terminal

      sudo installer -store -pkg /Users/admin/Downloads/wdav.pkg -target /
      

    Screenshot that shows the installation process for the application

  2. Select Continue.

  3. Read through the Software License Agreement and select Continue to agree with the terms.

    Screenshot that shows the Software License Agreement.

  4. Read through the End-User License Agreement (EULA) and select Agree.

    Screenshot that shows the acceptance of the agreement.

  5. From Destination Select, select the disk where you want to install the Microsoft Defender Software, for example, Macintosh HD and select Continue.

    Screenshot that shows the selection of destination for installation.

    Note

    The amount of disk space required for installation is around 777 MB.

  6. To change the installation destination, select Change Install Location....

    Screenshot that shows the final installation step.

  7. Click Install.

  8. Enter the password, when prompted.

    Screenshot that shows the password dialog box.

  9. Click Install Software.

  10. At the end of the installation process, for macOS Big Sur (11.0) or latest version, you're prompted to approve the system extensions used by the product. Select Open Security Preferences.

    Screenshot that shows the system extension approval

  11. To enable system extension, select Details.

    Screenshot that shows the system extension.

  12. From the Security & Privacy window, select the checkboxes next to Microsoft Defender and select OK.

    Screenshot that shows the security and privacy window.

  13. Repeat steps 11 and 12 for all system extensions distributed with Microsoft Defender for Endpoint on Mac.

  14. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on Mac inspects socket traffic and reports this information to the Microsoft Defender portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select Allow.

    Screenshot that shows the system extension security preferences2

    To troubleshoot System Extension issues, refer Troubleshoot System Extension.

Allow Full Disk Access

The macOS Catalina (10.15) and newer versions require full disk access to be granted to Microsoft Defender for Endpoint in order to be able to protect and monitor.

Note

Full disk access grant to Microsoft Defender for Endpoint is a new requirement for all the third-party software by Apple for files and folders containing personal data.

To grant full disk access:

  1. Open System Preferences > Security & Privacy > Privacy > Full Disk Access. Click the lock icon to make changes (bottom of the dialog box).

  2. Grant Full Disk Access permission to Microsoft Defender and Microsoft Defenders Endpoint Security Extension.

    The screenshot shows the full disk access's security and privacy.

  3. Select General > Restart for the new system extensions to take effect.

    Screenshot that allows you to restart the system for new system extensions to be enabled.

  4. Enable Potentially Unwanted Application (PUA) in block mode.

    To enable PUA, refer configure PUA protection.

  5. Enable Network Protection.

    To enable Network protection, refer manual deployment.

  6. Enable Device Control.

    To enable Device Control, refer device control for macOS.

  7. Enable Tamper Protection in block mode.

    To enable Tamper Protection, refer Protect MacOS security settings with tamper protection.

  8. If you have the Microsoft Purview – Endpoint data loss prevention license, you can review Get started with Microsoft Purview - Endpoint data loss prevention.

Background execution

Starting with macOS 13, a user must explicitly allow an application to run in background. macOS will pop a prompt up, telling the user that Microsoft Defender can run in background.

Screenshot that shows background items notification

You can view applications permitted to run in background in System Settings => Login Items => Allow in the Background at any time:

Screenshot that shows background items

Make sure all Microsoft Defender and Microsoft Corporation items are enabled. If they are disabled then macOS will not start Microsoft Defender after a machine restart.

Bluetooth permissions

Starting with macOS 14, a user must explicitly allow an application to access Bluetooth. macOS will pop a prompt up, telling the user that Microsoft Defender can access Bluetooth (applies only if you use Bluetooth based policies for Device Control). Click Allow to grant Microsoft Defender to access Bluetooth.

Screenshot that shows Bluetooth access request

You can confirm that permissions are granted in System Settings => Privacy Settings => Bluetooth.

Screenshot that shows Review Bluetooth access

Onboarding Package

Once you have installed the MDE on macOS client, you must now onboard the package, which registers to your Microsoft Defender for Endpoint tenant and licenses it.

  1. Verify if MDE on macOS has already been onboarded.

    Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.sh to the device where you have deployed Microsoft Defender for Endpoint on macOS.

    The client device isn't associated with org_id. The org_id attribute is blank.

    mdatp health --field org_id
    
  2. Run the Bash script to install the onboarding package:

    sudo bash -x MicrosoftDefenderATPOnboardingMacOs.sh
    
  3. Verify that the device is now associated with your organization and reports a valid org ID:

    mdatp health --field org_id
    

    After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.

    Screenshot that shows the Microsoft Defender icon in status bar

    You can troubleshoot license issues for Microsoft Defender for Endpoint on macOS.

  4. Run the connectivity test.

    mdatp connectivity test
    

You can troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS.

Verifying anti-malware detection

See the following article to test for anti-malware detection review: Antivirus detection test to verify device onboarding and reporting services

Verifying EDR detection

See the following article to test for an EDR detection review: EDR detection test to verify device onboarding and reporting services.

Logging installation issues

For more information on how to find the automatically generated log that's created by the installer, see Logging installation issues.

For information on troubleshooting procedures, see:

Uninstallation

See Uninstalling for details on how to remove Microsoft Defender for Endpoint on macOS from client devices.

Tip

  • Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
  • If you have any feedback that you will like to share, submit it by opening Microsoft Defender Endpoint on Mac on your device and navigate to Help > Send feedback.