Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers

You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions.

Important

Use this procedure if you have deployed Microsoft Defender for Endpoint (MDE) to your macOS devices.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

  • Make sure your macOS devices are managed through JAMF Pro and are associated with an identity (a Microsoft Entra joined UPN) through JAMF Connect or Microsoft Intune.
  • OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge.

Note

The three most recent major releases of macOS are supported.

Onboard devices into Microsoft Purview solutions using JAMF Pro

Onboarding a macOS device into Compliance solutions is a multi-phase process.

  1. Update the existing MDE Preference domain profile using the JAMF PRO console
  2. Enable full-disk access
  3. Enable accessibility access to Microsoft Purview data loss prevention
  4. Check the macOS device

Prerequisites

Download the following files:

File                         Description
accessibility.mobileconfig   Accessibility
fulldisk.mobileconfig        Full disk access (FDA)
schema.json                  MDE preference domain schema

If any of these individual files is updated, download the updated file (or the updated bundle that contains it) and redeploy it as described below.

Tip

We recommend downloading the bundled file (mdatp-nokext.mobileconfig) rather than the individual .mobileconfig files. The bundle includes the following required files (schema.json is not a .mobileconfig and is downloaded separately):

  • accessibility.mobileconfig
  • fulldisk.mobileconfig
  • netfilter.mobileconfig
  • sysext.mobileconfig

If any of these files are updated, you need to either download the updated bundle, or download each updated file individually.

Note

To download the files:

  1. Right-click the link and select Save link as...
  2. Choose a folder and save the file.

Update the existing MDE Preference domain profile using the JAMF PRO console

  1. Update the schema.xml profile with the schema.json file you just downloaded.

  2. Under MDE Preference Domain Properties choose these settings:

    • Features
      • Use Data Loss Prevention: enabled
    • Data Loss Prevention
      • Features
        • Set DLP_browser_only_cloud_egress to enabled if you want to monitor only supported browsers for cloud egress operations.
        • Set DLP_ax_only_cloud_egress to enabled if you want to monitor only the URL in the browser address bar (instead of network connections) for cloud egress operations.
  3. Choose the Scope tab.

  4. Choose the groups to deploy this configuration profile to.

  5. Choose Save.

Enable full-disk access

To update the existing full disk access profile with the fulldisk.mobileconfig file, upload fulldisk.mobileconfig to JAMF. For more information, refer to Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro.

Enable accessibility access to Microsoft Purview data loss prevention

To grant accessibility access to DLP, upload the accessibility.mobileconfig file you downloaded previously to JAMF, as described in Deploy system configuration profiles.

OPTIONAL: Allow sensitive data to pass through forbidden domains

Microsoft Purview DLP checks for sensitive data at every stage of its journey, not just at the final destination. So if sensitive data is posted or sent to an allowed domain but travels through a forbidden domain on the way, it's blocked. Let's take a closer look.

Say that sending sensitive data via Outlook Live (outlook.live.com) is permissible, but that sensitive data must not be exposed to microsoft.com. However, when a user accesses Outlook Live, the data passes through microsoft.com in the background, as shown:

Screenshot showing the flow of data from source to destination URL.

By default, because the sensitive data passes through microsoft.com on its way to outlook.live.com, DLP automatically blocks the data from being shared.

In some cases, however, you may not be concerned with the domains that data passes through on the back end, only with where the data ultimately ends up, as indicated by the URL in the browser address bar (in this example, outlook.live.com). To keep the sensitive data from being blocked in this case, you must explicitly change the default setting.

So, if you only want to monitor the browser and the final destination of the data (the URL in the browser address bar), enable both DLP_browser_only_cloud_egress and DLP_ax_only_cloud_egress. Be aware of the trade-off: with these features enabled, cloud egress from applications other than supported browsers is no longer monitored as cloud egress, and a transfer from a supported browser is judged only by the address-bar URL, not by the domains contacted in the background. Here's how.

To change the settings to allow sensitive data to pass through forbidden domains on its way to a permitted domain:

  1. Open the com.microsoft.wdav.mobileconfig file.

  2. Under the dlp key, set DLP_browser_only_cloud_egress and DLP_ax_only_cloud_egress to enabled, as shown in the following example.

    <key>dlp</key>
    <dict>
        <key>features</key>
        <array>
            <dict>
                <key>name</key>
                <string>DLP_browser_only_cloud_egress</string>
                <key>state</key>
                <string>enabled</string>
            </dict>
            <dict>
                <key>name</key>
                <string>DLP_ax_only_cloud_egress</string>
                <key>state</key>
                <string>enabled</string>
            </dict>
        </array>
    </dict>
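The same two feature entries can be inspected and set programmatically before the profile is uploaded to JAMF, which is useful when several .mobileconfig variants are kept in source control. The script below is an added example for this article, not Microsoft's or Jamf's tooling. It uses only Python's standard-library plistlib, assumes the MDE preference domain payload has PayloadType com.microsoft.wdav (the preference domain named in the file name above), and operates on a constructed minimal mobileconfig rather than the shipped com.microsoft.wdav.mobileconfig. It also covers the console settings from the MDE Preference Domain steps earlier, since those write the same dlp > features entries.

```python
"""Inspect and set the Endpoint DLP cloud-egress feature flags in a Defender
for Endpoint (com.microsoft.wdav) mobileconfig, using only the standard library.

Added example for this article, not Microsoft or Jamf code. The sample below
is a constructed, minimal mobileconfig, not the shipped file.
"""
import plistlib
from typing import Dict

PREF_DOMAIN = "com.microsoft.wdav"  # assumed PayloadType of the MDE preferences payload
CLOUD_EGRESS_FEATURES = ("DLP_browser_only_cloud_egress", "DLP_ax_only_cloud_egress")

# Constructed sample: one custom-settings payload for the preference domain,
# with one cloud-egress feature present but disabled and the other absent.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.mde.preferences</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.microsoft.wdav</string>
      <key>PayloadIdentifier</key><string>example.mde.preferences.wdav</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>dlp</key>
      <dict>
        <key>features</key>
        <array>
          <dict>
            <key>name</key><string>DLP_browser_only_cloud_egress</string>
            <key>state</key><string>disabled</string>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def _wdav_payloads(root: dict):
    """Yield every payload in PayloadContent that targets the preference domain."""
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") == PREF_DOMAIN:
            yield payload


def dlp_feature_states(mobileconfig: bytes) -> Dict[str, str]:
    """Return {feature_name: state} for every entry under dlp > features."""
    states: Dict[str, str] = {}
    for payload in _wdav_payloads(plistlib.loads(mobileconfig)):
        for feature in payload.get("dlp", {}).get("features", []):
            states[feature["name"]] = feature["state"]
    return states


def enable_cloud_egress_features(mobileconfig: bytes) -> bytes:
    """Return a copy of the mobileconfig with both cloud-egress features enabled.

    Existing entries are updated in place and missing ones appended, so the
    operation is idempotent. A file without the preference-domain payload is
    rejected rather than silently left unchanged.
    """
    root = plistlib.loads(mobileconfig)
    payloads = list(_wdav_payloads(root))
    if not payloads:
        raise ValueError(f"no {PREF_DOMAIN} payload found in mobileconfig")
    for payload in payloads:
        features = payload.setdefault("dlp", {}).setdefault("features", [])
        by_name = {f["name"]: f for f in features if "name" in f}
        for name in CLOUD_EGRESS_FEATURES:
            if name in by_name:
                by_name[name]["state"] = "enabled"
            else:
                features.append({"name": name, "state": "enabled"})
    return plistlib.dumps(root, fmt=plistlib.FMT_XML, sort_keys=False)


def address_bar_only(mobileconfig: bytes) -> bool:
    """True when both features are enabled, i.e. cloud egress is judged only by
    the browser address-bar URL (the behaviour this section describes)."""
    states = dlp_feature_states(mobileconfig)
    return all(states.get(name) == "enabled" for name in CLOUD_EGRESS_FEATURES)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_MOBILECONFIG
    print("before:", dlp_feature_states(data))
    updated = enable_cloud_egress_features(data)
    print("after: ", dlp_feature_states(updated), "address-bar only:", address_bar_only(updated))
    if path:
        out = path.rsplit(".", 1)[0] + "-cloud-egress.mobileconfig"
        with open(out, "wb") as fh:
            fh.write(updated)
        print("wrote", out)
```

Run it with no arguments to see the constructed sample transformed, or pass the path of an unsigned .mobileconfig to write a `-cloud-egress` copy next to it. A profile that JAMF has already signed is CMS-wrapped and must be unwrapped before plistlib can read it; upload the unsigned result and let JAMF sign it.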

Check the macOS device

  1. Restart the macOS device.

  2. Open System Preferences > Profiles. (On macOS 13 and later, the installed profiles are listed in System Settings, under Privacy & Security or under General > Device Management, depending on the version.)

  3. The following profiles are now listed:

    • Accessibility
    • Full Disk Access
    • Kernel Extension Profile
    • MAU
    • MDATP Onboarding
    • MDE Preferences
    • Management profile
    • Network filter
    • Notifications
    • System extension profile
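Checking the profile list by eye on each device does not scale, and it does not tell you whether Defender actually started DLP. The script below is an added example for this article, not Microsoft or Jamf tooling, and can be run locally or pushed as a JAMF script. It assumes that `profiles show -type configuration` (run as root, to see computer-level profiles) prints one `attribute: name: <display name>` line per installed profile, and that `mdatp health --field <name>` prints a single health field; the field names `full_disk_access_enabled` and `data_loss_prevention_status` are the ones the author expects from `mdatp health`, so adjust them if your build reports differently. The sample `profiles` output is constructed.

```python
"""Verify the onboarding result on a macOS device: confirm that the profiles
this article expects are installed and ask Defender whether DLP is running.

Added example for this article, not Microsoft or Jamf code. Assumes the
`profiles show` output format and `mdatp health` field names described in
the lead-in; the sample output below is constructed.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Set

# Display names the article says should be listed after onboarding.
EXPECTED_PROFILES = [
    "Accessibility",
    "Full Disk Access",
    "Kernel Extension Profile",
    "MAU",
    "MDATP Onboarding",
    "MDE Preferences",
    "Management profile",
    "Network filter",
    "Notifications",
    "System extension profile",
]

# Constructed excerpt in the shape of `profiles show -type configuration`
# output: eight profiles installed, Accessibility and Network filter missing.
SAMPLE_PROFILES_OUTPUT = """\
There are 8 configuration profiles installed for '_computerlevel'

_computerlevel[1] attribute: name: Management profile
_computerlevel[1] attribute: profileIdentifier: example.jamf.management
_computerlevel[1] attribute: installationDate: 2024-01-01 00:00:00 +0000
_computerlevel[2] attribute: name: MDE Preferences
_computerlevel[2] attribute: profileIdentifier: example.mde.preferences
_computerlevel[3] attribute: name: Full Disk Access
_computerlevel[4] attribute: name: Kernel Extension Profile
_computerlevel[5] attribute: name: MAU
_computerlevel[6] attribute: name: MDATP Onboarding
_computerlevel[7] attribute: name: Notifications
_computerlevel[8] attribute: name: System extension profile
"""

_NAME_LINE = re.compile(r"attribute:\s+name:\s+(.+?)\s*$")


def installed_profile_names(profiles_output: str) -> Set[str]:
    """Extract every profile display name from `profiles show` output."""
    names: Set[str] = set()
    for line in profiles_output.splitlines():
        match = _NAME_LINE.search(line)
        if match:
            names.add(match.group(1))
    return names


def missing_profiles(profiles_output: str, expected: Iterable[str] = EXPECTED_PROFILES) -> List[str]:
    """Return the expected profiles that are not installed, in the article's order."""
    installed = installed_profile_names(profiles_output)
    return [name for name in expected if name not in installed]


def read_profiles_output() -> str:
    """Run `profiles show` on the device (root needed for computer-level profiles)."""
    return subprocess.run(["profiles", "show", "-type", "configuration"],
                          capture_output=True, text=True, check=True).stdout


def mdatp_health(fields: Iterable[str]) -> Dict[str, str]:
    """Query individual `mdatp health` fields. A missing mdatp binary or an
    unknown field yields an empty string instead of an exception, so one bad
    field does not hide the others."""
    values: Dict[str, str] = {}
    for field in fields:
        try:
            out = subprocess.run(["mdatp", "health", "--field", field],
                                 capture_output=True, text=True, check=True).stdout
            values[field] = out.strip().strip('"')
        except (OSError, subprocess.CalledProcessError):
            values[field] = ""
    return values


if __name__ == "__main__":
    missing = missing_profiles(read_profiles_output())
    print("missing profiles:", ", ".join(missing) if missing else "none")
    # Assumed field names; see the lead-in.
    for field, value in mdatp_health(["full_disk_access_enabled", "data_loss_prevention_status"]).items():
        print(f"{field}: {value or '<unavailable>'}")
    raise SystemExit(1 if missing else 0)
```

The non-zero exit when profiles are missing lets a JAMF policy or a monitoring job flag devices that silently fell out of scope, which a visual check of the Profiles pane would not catch.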

Offboard macOS devices using JAMF Pro

Important

Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including references to any alerts it has had, will be retained for up to six months.

To offboard a macOS device, follow these steps:

  1. Under MDE Preference Domain Properties, remove the values for these settings:

    • Features
      • Use System Extensions
      • Use Data Loss Prevention
  2. Choose Save.