Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you're using Microsoft Defender for Endpoint on macOS.
This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
Overview of privacy controls in Microsoft Defender for Endpoint on macOS
This section describes the privacy controls for the different types of data collected by Microsoft Defender for Endpoint on macOS.
Diagnostic data
Diagnostic data is used to keep Microsoft Defender for Endpoint secure and up to date, detect, diagnose and fix problems, and also make product improvements.
Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.
There are two levels of diagnostic data for Microsoft Defender for Endpoint client software that you can choose from:
Required: The minimum data necessary to help keep Microsoft Defender for Endpoint secure, up to date, and performing as expected on the device it's installed on.
Optional: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
By default, only required diagnostic data is sent to Microsoft.
Cloud delivered protection data
Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.
Enabling the cloud-delivered protection service is optional; however, it is highly recommended because it provides important protection against malware on your endpoints and across your network.
Sample data
Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.
When this feature is enabled and the sample that is collected is likely to contain personal information, the user is prompted for consent.
Manage privacy controls with policy settings
If you're an IT administrator, you might want to configure these controls at the enterprise level.
As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
Diagnostic data events
This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.
Data fields that are common for all events
There's some information about events that is common to all events, regardless of category or data subtype.
The following fields are considered common for all events:
platform: The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized.
machine_guid: Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.
sense_guid: Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.
org_id: Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.
hostname: Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.
product_guid: Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product.
app_version: Version of the Microsoft Defender for Endpoint on macOS application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.
sig_version: Version of the security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized.
supported_compressions: List of compression algorithms supported by the application, for example ['gzip']. Allows Microsoft to understand what types of compression can be used when it communicates with the application.
release_ring: Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized.
Required diagnostic data
Required diagnostic data is the minimum data necessary to help keep Microsoft Defender for Endpoint secure, up to date, and perform as expected on the device it's installed on.
Required diagnostic data helps to identify problems with Microsoft Defender for Endpoint that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
Software setup and inventory data events
Microsoft Defender for Endpoint installation / uninstallation:
The following fields are collected:
correlation_id: Unique identifier associated with the installation.
version: Version of the package.
severity: Severity of the message (for example Informational).
code: Code that describes the operation.
text: Additional information associated with the product installation.
Microsoft Defender for Endpoint configuration:
The following fields are collected:
antivirus_engine.enable_real_time_protection: Whether real-time protection is enabled on the device or not.
antivirus_engine.passive_mode: Whether passive mode is enabled on the device or not.
cloud_service.enabled: Whether cloud-delivered protection is enabled on the device or not.
cloud_service.timeout: Timeout used when the application communicates with the Microsoft Defender for Endpoint cloud.
cloud_service.heartbeat_interval: Interval between consecutive heartbeats sent by the product to the cloud.
cloud_service.service_uri: URI used to communicate with the cloud.
cloud_service.diagnostic_level: Diagnostic level of the device (required, optional).
cloud_service.automatic_sample_submission: Whether automatic sample submission is turned on or not.
cloud_service.automatic_definition_update_enabled: Whether automatic definition update is turned on or not.
edr.early_preview: Whether the device should run EDR early preview features.
edr.group_id: Group identifier used by the detection and response component.
edr.tags: User-defined tags.
features.[optional feature name]: List of preview features, along with whether they're enabled or not.
Product and service usage data events
Security intelligence update report:
The following fields are collected:
from_version: Original security intelligence version.
to_version: New security intelligence version.
status: Status of the update indicating success or failure.
using_proxy: Whether the update was done over a proxy.
error: Error code if the update failed.
reason: Error message if the update failed.
Product and service performance data events for required diagnostic data
Unexpected application exit (crash):
Collects system information and the state of an application when an application unexpectedly exits.
The following fields are collected:
v1_crash_count: Number of times the V1 engine process crashed per hour on the client machine.
v2_crash_count: Number of times the V2 engine process crashed per hour on the client machine.
EDR_crash_count: Number of times the EDR process crashed per hour on the client machine.
Kernel extension statistics:
The following fields are collected:
version: Version of Microsoft Defender for Endpoint on macOS.
instance_id: Unique identifier generated on kernel extension startup.
trace_level: Trace level of the kernel extension.
subsystem: The underlying subsystem used for real-time protection.
ipc.connects: Number of connection requests received by the kernel extension.
ipc.rejects: Number of connection requests rejected by the kernel extension.
ipc.connected: Whether there's any active connection to the kernel extension.
Support data
Diagnostic logs:
Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
All files under /Library/Logs/Microsoft/mdatp/
Subset of files under /Library/Application Support/Microsoft/Defender/ that are created and used by Microsoft Defender for Endpoint on macOS
Subset of files under /Library/Managed Preferences that are used by Microsoft Defender for Endpoint on macOS
Optional diagnostic data
Optional diagnostic data is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.
If you choose to send us optional diagnostic data, required diagnostic data is also included.
Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).
Software setup and inventory data events for optional diagnostic data
Microsoft Defender for Endpoint configuration:
The following fields are collected:
connection_retry_timeout: Connection retry timeout used when communicating with the cloud.
file_hash_cache_maximum: Size of the product cache.
crash_upload_daily_limit: Limit of crash logs uploaded daily.
antivirus_engine.exclusions[].is_directory: Whether the exclusion from scanning is a directory or not.
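To make the required/optional split of the configuration event actionable for a privacy review, here is an added example (not Microsoft's code) that flattens a configuration event into the dotted field names used in the required and optional configuration tables above and reports which optional-only fields a device that reports cloud_service.diagnostic_level "required" is still emitting; the event shape and the sample values are constructed for illustration.

```python
# Audit a Defender for Endpoint on macOS configuration event against the required
# and optional field lists in this document. Example code added here, not Microsoft's
# tooling; SAMPLE is a constructed event, not a real wire format.
import re
REQUIRED = {  # dotted paths the document lists under required diagnostic data
    "antivirus_engine.enable_real_time_protection", "antivirus_engine.passive_mode",
    "cloud_service.enabled", "cloud_service.timeout", "cloud_service.heartbeat_interval",
    "cloud_service.service_uri", "cloud_service.diagnostic_level",
    "cloud_service.automatic_sample_submission",
    "cloud_service.automatic_definition_update_enabled",
    "edr.early_preview", "edr.group_id", "edr.tags",
}
FEATURE_KEY = re.compile(r"^features\.[^.]+$")  # "features.[optional feature name]"
OPTIONAL = {  # dotted paths the document lists under optional diagnostic data
    "connection_retry_timeout", "file_hash_cache_maximum",
    "crash_upload_daily_limit", "antivirus_engine.exclusions[].is_directory",
}

def flatten(obj, prefix=""):
    """Map nested dicts to dotted paths; a list of dicts collapses to 'name[]'."""
    out = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list) and obj and isinstance(obj[0], dict):
        for item in obj:
            out.update(flatten(item, prefix + "[]"))
    else:
        out[prefix] = obj  # scalars and lists of scalars (e.g. edr.tags) are leaves
    return out

def classify(path):
    """Return 'required', 'optional' or 'unknown' for one flattened field path."""
    if path in REQUIRED or FEATURE_KEY.match(path):
        return "required"
    return "optional" if path in OPTIONAL else "unknown"

def audit(event):
    """Return (diagnostic_level, optional-only field paths, undocumented paths)."""
    flat = flatten(event)
    level = flat.get("cloud_service.diagnostic_level")
    optional = sorted(p for p in flat if classify(p) == "optional")
    unknown = sorted(p for p in flat if classify(p) == "unknown")
    return level, optional, unknown

SAMPLE = {  # constructed: level is "required" yet optional-only fields are present
    "antivirus_engine": {"enable_real_time_protection": True, "passive_mode": False,
                         "exclusions": [{"is_directory": True}]},
    "cloud_service": {"enabled": True, "diagnostic_level": "required"},
    "edr": {"tags": ["finance"]}, "features": {"preview_x": False},
    "crash_upload_daily_limit": 5,
}
```

For the constructed SAMPLE, audit(SAMPLE) returns the level "required" together with the two optional-only paths, which is exactly the mismatch a privacy review would query with the vendor; any path classified as unknown is a field this document does not describe.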