Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers
You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions.
Important
Use this procedure if you have deployed Microsoft Defender for Endpoint (MDE) to your macOS devices
Applies to:
- Customers who have MDE deployed to their macOS devices.
- Endpoint data loss prevention (DLP)
- Insider risk management
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Before you begin
- Make sure your macOS devices are managed through JAMF pro and are associated with an identity (Microsoft Entra joined UPN) through JAMF Connect or Microsoft Intune.
- OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge.
Note
The three most recent major releases of macOS are supported.
Onboard devices into Microsoft Purview solutions using JAMF Pro
Onboarding a macOS device into Compliance solutions is a multi-phase process.
- Update the existing MDE Preference domain profile using the JAMF PRO console
- Enable full-disk access Enable accessibility access to Microsoft Purview data loss prevention
- Check the macOS device
Prerequisites
Download the following files:
File | Description |
---|---|
accessibility.mobileconfig | Accessibility |
fulldisk.mobileconfig | Full disk access (FDA) |
schema.json | MDE preference |
If any of these individual files are updated, you must download the updated bundled file and redeploy as described.
Tip
We recommend downloading the bundled mdatp.mobileconfig file, rather than the individual .mobileconfig files. The bundled file includes the following required files:
- accessibility.mobileconfig
- fulldisk.mobileconfig
- netfilter.mobileconfig
- sysext.mobileconfig
If any of these files are updated, you need to either download the updated bundle, or download each updated file individually.
Note
To download the files:
- Right-click the link and select Save link as....
- Choose a folder and save the file.
Update the existing MDE Preference domain profile using the JAMF PRO console
Replace the schema.json file in the MDE deployment with the updated version that you just downloaded.
Under MDE Preference Domain Properties choose this setting:
- Features
- Use Data Loss Prevention:
enabled
- Use Data Loss Prevention:
- Features
Choose the Scope tab.
Choose the groups to deploy this configuration profile to.
Choose Save.
Enable full-disk access
To update the existing full disk access profile with the fulldisk.mobileconfig
file, upload fulldisk.mobileconfig
to JAMF. For more information, refer to Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro.
Enable accessibility access to Microsoft Purview data loss prevention
To grant accessibility access to DLP, upload the accessibility.mobileconfig
file you downloaded previously to JAMF, as described in Deploy system configuration profiles.
Check the macOS device
Restart the macOS device.
Open System Preferences > Profiles.
The following profiles are now listed:
- Accessibility
- MAU
- MDATP Onboarding
- MDE Preferences
- Management profile
- Network filter
- Notifications
- System extension profile
Offboard macOS devices using JAMF Pro
Important
Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including references to any alerts it has had, will be retained for up to six months.
To offboard a macOS device, follow these steps
Under MDE Preference Domain Properties remove the values for these settings
- Features
- Use Data Loss Prevention
- Features
Choose Save.