Deploy Microsoft Defender for Endpoint on macOS with Microsoft Intune

This topic describes how to deploy Microsoft Defender for Endpoint on macOS through Microsoft Intune. A successful deployment requires the completion of all of the following steps:

  1. Download the onboarding package
  2. Client device setup
  3. Approve system extensions
  4. Create System Configuration profiles
  5. Publish application

Prerequisites and system requirements

Before you get started, see the main Microsoft Defender for Endpoint on macOS page for a description of prerequisites and system requirements for the current software version.

Note

Microsoft Defender for Endpoint no longer supports macOS Catalina (10.15) as Apple ended support for Catalina (10.15) in December 2022.

Overview

The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender for Endpoint on Macs, via Microsoft Intune. More detailed steps are available below.

Step: Download the onboarding package
  Sample file name: WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml
  Bundle identifier: com.microsoft.wdav.atp

Step: Approve System Extension for Microsoft Defender for Endpoint
  Sample file name: MDATP_SysExt.xml
  Bundle identifier: N/A

Step: Network Extension policy
  Sample file name: MDATP_NetExt.xml
  Bundle identifier: N/A

Step: Configure Microsoft AutoUpdate (MAU)
  Sample file name: MDATP_Microsoft_AutoUpdate.xml
  Bundle identifier: com.microsoft.autoupdate2

Step: Microsoft Defender for Endpoint configuration settings
  Sample file name: MDATP_WDAV_and_exclusion_settings_Preferences.xml
  Bundle identifier: com.microsoft.wdav
  Note: If you're planning to run a third-party AV for macOS, set passiveMode to true.

Step: Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications
  Sample file name: MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig
  Bundle identifier: com.microsoft.autoupdate2 or com.microsoft.wdav.tray

Download the onboarding package

Download the onboarding package from the Microsoft 365 Defender portal:

  1. In Microsoft 365 Defender portal, go to Settings > Endpoints > Device management > Onboarding.

  2. Set the operating system to macOS and the deployment method to Mobile Device Management / Microsoft Intune.

  3. Select Download onboarding package. Save WindowsDefenderATPOnboardingPackage.zip to a working directory.

  4. Extract the contents of the .zip file:

    unzip WindowsDefenderATPOnboardingPackage.zip
    
    Archive:  WindowsDefenderATPOnboardingPackage.zip
    warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
      inflating: intune/kext.xml
      inflating: intune/WindowsDefenderATPOnboarding.xml
      inflating: jamf/WindowsDefenderATPOnboarding.plist
    

Create System Configuration profiles

The next step is to create system configuration profiles that Microsoft Defender for Endpoint needs. In the Microsoft Intune admin center, open Devices > Configuration profiles.

Onboarding blob

This profile contains the license information for Microsoft Defender for Endpoint. Without it, Microsoft Defender for Endpoint reports that it is not licensed.

  1. Select Create Profile under Configuration Profiles.

  2. Select Platform=macOS, Profile type=Templates. Template name=Custom. Click Create.

  3. In the Basics tab, choose a name for the profile, e.g., "Defender for Endpoint onboarding for macOS". Click Next.

  4. In the Configuration settings tab, enter a custom configuration profile name, e.g., "Defender for Endpoint onboarding for macOS".

  5. Choose a deployment channel (Device channel or User channel).

  6. Select the intune/WindowsDefenderATPOnboarding.xml file that you extracted from the onboarding package above as the configuration profile file.

  7. Click Next.

  8. Assign devices on the Assignment tab. Click Next.

  9. Review and Create.

  10. Open Devices > Configuration profiles; the profile you created is listed there.

Approve System Extensions

This profile is needed for macOS 11 (Big Sur) or later. It will be ignored on older macOS.

  1. Select Create Profile under Configuration Profiles.

  2. Select Platform=macOS, Profile type=Templates. Template name=Extensions. Click Create.

  3. In the Basics tab, give a name to this new profile.

  4. In the Configuration settings tab, expand System Extensions and add the following entries in the Allowed system extensions section:

    Bundle identifier          Team identifier
    com.microsoft.wdav.epsext  UBF8T346G9
    com.microsoft.wdav.netext  UBF8T346G9
  5. In the Assignments tab, assign this profile to All Users & All devices.

  6. Review and create this configuration profile.
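Before uploading the onboarding blob, or any system extension profile you build or download yourself, it is worth confirming that the file actually carries the payload Intune is about to deliver. The following Python script is an added example, not Microsoft's code and not part of the procedure above: it parses a .mobileconfig/.xml with plistlib and checks that the onboarding blob contains a com.microsoft.wdav.atp payload with a non-empty OnboardingInfo value (the key under which the downloaded blob carries the tenant data; an assumption to verify against your own file), and that a system extension policy profile (Apple's com.apple.system-extension-policy payload) allows both bundle identifiers from the table above under team UBF8T346G9. The profiles embedded in the script are constructed sample data so it runs offline.

```python
"""Pre-upload check for the Defender for Endpoint macOS profiles (added example).

Parses .mobileconfig/.xml files with plistlib and verifies that the payloads
match what the Intune procedure expects. The embedded profiles are constructed
sample data, not files from Microsoft.
"""
import plistlib
import sys
from xml.parsers.expat import ExpatError

# Identifiers used in the procedure above.
ONBOARDING_PAYLOAD_TYPE = "com.microsoft.wdav.atp"
SYSEXT_PAYLOAD_TYPE = "com.apple.system-extension-policy"  # Apple's SystemExtensions payload
TEAM_ID = "UBF8T346G9"
REQUIRED_SYSEXTS = {"com.microsoft.wdav.epsext", "com.microsoft.wdav.netext"}


def payloads(profile: bytes) -> list:
    """Return the PayloadContent dicts of a profile; [] if it is not a plist."""
    try:
        data = plistlib.loads(profile)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return []
    if not isinstance(data, dict):
        return []
    return [p for p in data.get("PayloadContent", []) if isinstance(p, dict)]


def check_onboarding(profile: bytes) -> list:
    """Problems that would leave mdatp reporting 'No license found' after deployment."""
    atp = [p for p in payloads(profile) if p.get("PayloadType") == ONBOARDING_PAYLOAD_TYPE]
    if not atp:
        return [f"no {ONBOARDING_PAYLOAD_TYPE} payload; this is not the Intune onboarding blob"]
    # OnboardingInfo is the key the downloaded blob uses for the tenant data (assumption: check your file).
    if not atp[0].get("OnboardingInfo"):
        return ["OnboardingInfo is empty; re-download the onboarding package"]
    return []


def check_sysext(profile: bytes) -> list:
    """Problems with a system extension allowlist: each Defender extension must be allowed for Microsoft's team ID."""
    policy = [p for p in payloads(profile) if p.get("PayloadType") == SYSEXT_PAYLOAD_TYPE]
    if not policy:
        return [f"no {SYSEXT_PAYLOAD_TYPE} payload"]
    allowed = set(policy[0].get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
    return [f"{ext} is not allowed for team {TEAM_ID}; users would be prompted to approve it"
            for ext in sorted(REQUIRED_SYSEXTS - allowed)]


def check_profile(profile: bytes) -> list:
    """Dispatch on payload type; unrecognised or malformed profiles are reported, not passed."""
    types = {p.get("PayloadType") for p in payloads(profile)}
    if ONBOARDING_PAYLOAD_TYPE in types:
        return check_onboarding(profile)
    if SYSEXT_PAYLOAD_TYPE in types:
        return check_sysext(profile)
    return ["no Defender onboarding or system extension payload found (malformed or unrelated profile)"]


def _profile(*payload_dicts) -> bytes:
    """Wrap payloads in a minimal .mobileconfig envelope (constructed sample data)."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadScope": "System", "PayloadContent": list(payload_dicts)})


SAMPLE_ONBOARDING = _profile({
    "PayloadType": ONBOARDING_PAYLOAD_TYPE, "PayloadIdentifier": "com.microsoft.wdav.atp.sample",
    "OnboardingInfo": '{"body": "constructed placeholder, not a real tenant blob"}'})
SAMPLE_SYSEXT_OK = _profile({
    "PayloadType": SYSEXT_PAYLOAD_TYPE, "PayloadIdentifier": "com.microsoft.wdav.sysext.sample",
    "AllowedSystemExtensions": {TEAM_ID: sorted(REQUIRED_SYSEXTS)}})
SAMPLE_SYSEXT_MISSING_NETEXT = _profile({
    "PayloadType": SYSEXT_PAYLOAD_TYPE, "PayloadIdentifier": "com.microsoft.wdav.sysext.broken",
    "AllowedSystemExtensions": {TEAM_ID: ["com.microsoft.wdav.epsext"]}})  # netext forgotten


if __name__ == "__main__":
    # With file arguments, check real downloads; without, exercise the constructed samples.
    targets = {path: open(path, "rb").read() for path in sys.argv[1:]} or {
        "sample onboarding": SAMPLE_ONBOARDING, "sample sysext (ok)": SAMPLE_SYSEXT_OK,
        "sample sysext (missing netext)": SAMPLE_SYSEXT_MISSING_NETEXT}
    for name, blob in targets.items():
        problems = check_profile(blob)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as `python3 check_profiles.py intune/WindowsDefenderATPOnboarding.xml` (add any system extension .mobileconfig you intend to upload); with no arguments it runs against the embedded samples, one of which deliberately omits com.microsoft.wdav.netext to show what a half-configured allowlist looks like.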

Full Disk Access

Note

Granting the TCC (Transparency, Consent & Control) permission through a Mobile Device Management solution such as Intune removes the risk of Defender for Endpoint losing the Full Disk Access authorization it needs to function properly.

This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile.

Download fulldisk.mobileconfig from our GitHub repository.

Follow the instructions for Onboarding blob from above, using "Defender for Endpoint Full Disk Access" as the profile name and the downloaded fulldisk.mobileconfig as the configuration profile file.

Network Filter

As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Defender portal. The following policy allows the network extension to perform this functionality.

Download netfilter.mobileconfig from our GitHub repository.

Follow the instructions for Onboarding blob from above, using "Defender for Endpoint Network Filter" as the profile name and the downloaded netfilter.mobileconfig as the configuration profile file.

Notifications

This profile is used to allow Microsoft Defender for Endpoint on macOS and Microsoft Auto Update to display notifications in UI.

Download notif.mobileconfig from our GitHub repository.

Follow the instructions for Onboarding blob from above, using "Defender for Endpoint Notifications" as the profile name and the downloaded notif.mobileconfig as the configuration profile file.

Background Services

Caution

macOS 13 (Ventura) contains new privacy enhancements. Beginning with this version, by default, applications cannot run in the background without explicit consent. Microsoft Defender for Endpoint must run its daemon process in the background.

This configuration profile grants Background Service permissions to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Microsoft Intune, we recommend you update the deployment with this configuration profile.

Download background_services.mobileconfig from our GitHub repository.

Follow the instructions for Onboarding blob from above, using "Defender for Endpoint Background Services" as the profile name and the downloaded background_services.mobileconfig as the configuration profile file.

View Status

Once the Intune changes have propagated to the enrolled devices, they are listed under Monitor > Device status.

Publish application

This step enables deploying Microsoft Defender for Endpoint to enrolled machines.

  1. In the Microsoft Intune admin center, open Apps.

  2. Select By platform > macOS > Add.

  3. Choose App type=macOS, click Select.

  4. Keep default values, click Next.

  5. Add assignments, click Next.

  6. Review and Create.

  7. You can visit Apps > By platform > macOS to see it on the list of all applications.

For more information, see Add Microsoft Defender for Endpoint to macOS devices using Microsoft Intune.

Caution

You have to create all required configuration profiles and push them to all machines, as explained above.

Client device setup

You don't need any special provisioning for a Mac device beyond a standard Company Portal installation.

  1. Confirm device management.

    Select Open System Preferences, locate Management Profile in the list, and select Approve.... Your Management Profile is then displayed as Verified.

  2. Select Continue and complete the enrollment.

    You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.

  3. In Intune, open Manage > Devices > All devices. Your device appears among those listed.

Verify client device state

  1. After the configuration profiles are deployed to your devices, open System Preferences > Profiles on your Mac device.

  2. Verify that the expected configuration profiles are present and installed. The Management Profile is the Intune system profile; the Defender for Endpoint profiles you created in Intune (onboarding, system extensions, Full Disk Access, network filter, notifications and background services) appear as system configuration profiles.

  3. You should also see the Microsoft Defender for Endpoint icon in the menu bar in the top-right corner of the screen.



Troubleshooting

Issue: No license found.

Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml.
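To confirm on the Mac itself that the profiles above took effect, and to turn the "No license found" symptom into a specific action, the following Python script is an added example rather than Microsoft's code or anything shipped with Defender for Endpoint. It reads the output of `systemextensionsctl list` and `mdatp health`, the two commands that expose the extension approval state and the `licensed`, `healthy` and `full_disk_access_enabled` flags, and reports what is still missing. The sample outputs embedded in it are constructed (the column layout follows the real commands, the version numbers are invented) so the logic can be exercised on any machine; the live path runs only where the Defender app and its `mdatp` CLI are installed.

```python
"""Post-deployment check run on an enrolled Mac (added example, not Microsoft's code).

Parses the output of `systemextensionsctl list` and `mdatp health`, the two
commands that show whether the profiles above took effect, and lists what is
still missing. The sample outputs are constructed so the logic can be
exercised offline; run with no arguments on a Mac to query the live system.
"""
import re
import subprocess

TEAM_ID = "UBF8T346G9"
REQUIRED_SYSEXTS = {"com.microsoft.wdav.epsext", "com.microsoft.wdav.netext"}
# teamID, bundleID (version), name, [state] columns of a `systemextensionsctl list` row
_SYSEXT_ROW = re.compile(r"([A-Z0-9]{10})\s+(\S+)\s+\(.*?\).*?\[(.*?)\]\s*$")


def parse_sysext_list(text: str) -> dict:
    """Map bundle ID -> (team ID, state) for every extension row; header lines do not match."""
    rows = {}
    for line in text.splitlines():
        m = _SYSEXT_ROW.search(line)
        if m:
            rows[m.group(2)] = (m.group(1), m.group(3))
    return rows


def parse_mdatp_health(text: str) -> dict:
    """Turn `mdatp health` `key : value` lines into a dict of bare strings."""
    health = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            health[key.strip()] = value.strip().strip('"')
    return health


def evaluate(sysexts: dict, health: dict) -> list:
    """Return human-readable problems; an empty list means the deployment looks complete."""
    problems = []
    for ext in sorted(REQUIRED_SYSEXTS):
        if ext not in sysexts:
            problems.append(f"{ext} is not loaded: app not installed or not yet started")
        elif sysexts[ext][0] != TEAM_ID:
            problems.append(f"{ext} is signed by team {sysexts[ext][0]}, expected {TEAM_ID}")
        elif "activated enabled" not in sysexts[ext][1]:
            # e.g. "activated waiting for user": the Extensions profile has not reached the device
            problems.append(f"{ext} is '{sysexts[ext][1]}': system extension allowlist not applied")
    if health.get("licensed") != "true":
        problems.append("No license found: assign the onboarding blob profile (WindowsDefenderATPOnboarding.xml)")
    if health.get("full_disk_access_enabled") != "true":
        problems.append("Full Disk Access not granted: assign the fulldisk.mobileconfig profile")
    if health.get("healthy") != "true":
        problems.append(f"mdatp reports unhealthy: {health.get('health_issues', 'unknown')}")
    return problems


# Constructed sample outputs (shape follows the real commands; version numbers are made up).
SAMPLE_SYSEXT_OK = """\
2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled   active   teamID   bundleID (version)   name   [state]
*   *   UBF8T346G9   com.microsoft.wdav.epsext (101.0.0/1.0)   Microsoft Defender Endpoint Security Extension   [activated enabled]
--- com.apple.system_extension.network_extension
enabled   active   teamID   bundleID (version)   name   [state]
*   *   UBF8T346G9   com.microsoft.wdav.netext (101.0.0/1.0)   Microsoft Defender Network Extension   [activated enabled]
"""
# Same machine before the system extension profile arrived: netext is stuck waiting for approval.
SAMPLE_SYSEXT_PENDING = SAMPLE_SYSEXT_OK.replace(
    "Network Extension   [activated enabled]", "Network Extension   [activated waiting for user]")
SAMPLE_HEALTH_OK = """\
healthy                                     : true
health_issues                               : []
licensed                                    : true
app_version                                 : "101.0.0"
passive_mode_enabled                        : false
full_disk_access_enabled                    : true
"""
SAMPLE_HEALTH_UNLICENSED = """\
healthy                                     : false
health_issues                               : ["no license found"]
licensed                                    : false
full_disk_access_enabled                    : false
"""


def live_check() -> list:
    """Query the local Mac; requires the Defender app and its `mdatp` CLI to be installed."""
    sysext_out = subprocess.run(["systemextensionsctl", "list"], capture_output=True, text=True).stdout
    health_out = subprocess.run(["mdatp", "health"], capture_output=True, text=True).stdout
    return evaluate(parse_sysext_list(sysext_out), parse_mdatp_health(health_out))


if __name__ == "__main__":
    try:
        problems = live_check()
    except FileNotFoundError:  # not a Mac with Defender installed: fall back to the constructed samples
        problems = evaluate(parse_sysext_list(SAMPLE_SYSEXT_PENDING), parse_mdatp_health(SAMPLE_HEALTH_UNLICENSED))
    print("\n".join(problems) or "Defender for Endpoint deployment looks complete")
```

The check on the extension state is the one most often overlooked: an extension that shows `[activated waiting for user]` means the app is installed but the Extensions profile from the "Approve System Extensions" step has not been applied, so the user is being prompted instead of the approval arriving silently from Intune.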

Logging installation issues

For more information on how to find the automatically generated log that is created by the installer when an error occurs, see Logging installation issues.

Uninstallation

See Uninstalling for details on how to remove Microsoft Defender for Endpoint on macOS from client devices.