Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers

You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions.

Important

Use this procedure if you have deployed Microsoft Defender for Endpoint (MDE) to your macOS devices.

Applies to:

Tip

If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

Onboard devices into Microsoft Purview solutions using JAMF Pro

Onboarding a macOS device into Compliance solutions is a multiphase process.

Download the configuration files

  1. You'll need these files for this procedure.

     File needed for      Source
     Accessibility        accessibility.mobileconfig
     Full disk access     fulldisk.mobileconfig
     MDE preference       schema.json

Tip

You can download the .mobileconfig files individually or in a single combined file that contains:

  • accessibility.mobileconfig
  • fulldisk.mobileconfig

If any of these individual files is updated, you need to download either the combined file again or the single updated file individually.
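
Because these profiles pre-approve Full Disk Access and Accessibility, it helps to review which identifiers a downloaded file approves before uploading it to JAMF. The following Python is an added example, not part of the original procedure or Microsoft's tooling; it assumes the file is an unsigned profile using Apple's Privacy Preferences Policy Control payload, and the sample profile, its identifiers and the function names are constructed for illustration.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Constructed sample profile: identifiers and requirement are placeholders,
# not the contents of the real fulldisk/accessibility files.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PPPC_TYPE,
        "Services": {
            "SystemPolicyAllFiles": [{
                "Identifier": "com.example.agent",
                "IdentifierType": "bundleID",
                "CodeRequirement": 'identifier "com.example.agent" and anchor apple generic',
                "Allowed": True,
            }],
            "Accessibility": [{
                "Identifier": "/usr/local/bin/example-helper",
                "IdentifierType": "path",
                "CodeRequirement": "",
                "Authorization": "Allow",
            }],
        },
    }],
})

def pppc_grants(profile_bytes):
    """Return sorted (service, identifier, id_type, allowed, pinned) tuples."""
    grants = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue  # only PPPC payloads are inspected here
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                # Read the newer Authorization key, falling back to the older Allowed key.
                auth = e.get("Authorization")
                allowed = (auth == "Allow") if auth else bool(e.get("Allowed"))
                pinned = bool(str(e.get("CodeRequirement", "")).strip())
                grants.append((service, e.get("Identifier"),
                               e.get("IdentifierType"), allowed, pinned))
    return sorted(grants, key=lambda g: (g[0], str(g[1])))

def review_findings(grants):
    """Flag allowed entries that are not pinned to a code signing requirement."""
    return [f"{svc}: {ident} allowed without CodeRequirement"
            for svc, ident, _type, allowed, pinned in grants if allowed and not pinned]

if __name__ == "__main__":
    print(*pppc_grants(SAMPLE_PROFILE), *review_findings(pppc_grants(SAMPLE_PROFILE)), sep="\n")
```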

Update the existing MDE Preference domain profile using the JAMF Pro console

  1. Update the schema.xml profile with the schema.json file you just downloaded.

  2. Under MDE Preference Domain Properties, choose these settings:

    • Features
      • Use System Extensions: enabled - required for network extensions on Catalina
      • Use Data Loss Prevention: enabled
  3. Choose the Scope tab.

  4. Choose the groups to deploy this configuration profile to.

  5. Choose Save.

Update the configuration profile for Grant full disk access

  1. Update the existing full disk access profile with the fulldisk.mobileconfig file.

  2. Upload the fulldisk.mobileconfig file to JAMF. Refer to Deploying Custom Configuration Profiles using JAMF Pro.

Grant accessibility access to DLP

  1. Use the accessibility.mobileconfig file you previously downloaded.

  2. Upload to JAMF as described in Deploying Custom Configuration Profiles using Jamf Pro.

Check the macOS device

  1. Restart the macOS device.

  2. Open System Preferences > Profiles.

  3. You should see:

    • Accessibility
    • Full Disk Access
    • Kernel Extension Profile
    • MAU
    • MDATP Onboarding
    • MDE Preferences
    • Management profile
    • Network filter
    • Notifications
    • System extension profile

Offboard macOS devices using JAMF Pro

Important

Offboarding causes the device to stop sending sensor data to the portal, but data from the device, including reference to any alerts it has had, will be retained for up to 6 months.

To offboard a macOS device, follow these steps:

  1. Under MDE Preference Domain Properties, remove the values for these settings:

    • Features
      • Use System Extensions
      • Use Data Loss Prevention
  2. Choose Save.