Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers

You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions.


Use this procedure if you have deployed Microsoft Defender for Endpoint (MDE) to your macOS devices

Applies to:


If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

  • Make sure your macOS devices are managed through JAMF pro and are associated with an identity (Microsoft Entra joined UPN) through JAMF Connect or Microsoft Intune.
  • OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge.


The three most recent major releases of macOS are supported.

Onboard devices into Microsoft Purview solutions using JAMF Pro

Onboarding a macOS device into Compliance solutions is a multi-phase process.

  1. Update the existing MDE Preference domain profile using the JAMF PRO console
  2. Enable full-disk access
  3. Enable accessibility access to Microsoft Purview data loss prevention
  4. Check the macOS device


Download the following files:

File Description
accessibility.mobileconfig Accessibility
fulldisk.mobileconfig Full disk access (FDA)
schema.json MDE preference

If any of these individual files are updated, you must download the updated bundled file and redeploy as described.


We recommend downloading the bundled (mdatp-nokext.mobileconfig) file, rather than the individual .mobileconfig files. The bundled file includes the following required files:

  • accessibility.mobileconfig
  • fulldisk.mobileconfig
  • netfilter.mobileconfig
  • sysext.mobileconfig

If any of these files are updated, you need to either download the updated bundle, or download each updated file individually.


To download the files:

  1. Right-click the link and select Save link as....
  2. Choose a folder and save the file.

Update the existing MDE Preference domain profile using the JAMF PRO console

  1. Update the schema.xml profile with the schema.json file you just downloaded.

  2. Under MDE Preference Domain Properties choose these settings:

    • Features
      • Use Data Loss Prevention: enabled
    • Data Loss Prevention
      • Features
        • Set DLP_browser_only_cloud_egress to enabled if you want to monitor only supported browsers for cloud egress operations.
        • Set DLP_ax_only_cloud_egress to enabled if you want to monitor only the URL in the browser address bar (instead of network connections) for cloud egress operations.
  3. Choose the Scope tab.

  4. Choose the groups to deploy this configuration profile to.

  5. Choose Save.

Enable full-disk access

To update the existing full disk access profile with the fulldisk.mobileconfig file, upload fulldisk.mobileconfig to JAMF. For more information, refer to Deploying Custom Configuration Profiles using JAMF Pro.

Enable accessibility access to Microsoft Purview data loss prevention

To grant accessibility access to DLP, upload the accessibility.mobileconfig file you downloaded previously to JAMF, as described in Deploying Custom Configuration Profiles using JAMF Pro.

OPTIONAL: Allow sensitive data to pass through forbidden domains

Microsoft Purview DLP checks for sensitive data through all stages of its travels. So, if sensitive data gets posted or sent to an allowed domain, but travels through a forbidden domain, it's blocked. Let's take a closer look.

Say that sending sensitive data via Outlook Live (outlook.live.com) is permissible, but that sensitive data must not be exposed to microsoft.com. However, when a user accesses Outlook Live, the data passes through microsoft.com in the background, as shown:

Screenshot showing the flow of data from source to destination URL.

By default, because the sensitive data passes through microsoft.com on its way to outlook.live.com, DLP automatically blocks the data from being shared.

In some cases, however, you may not be concerned with the domains that data passes through on the back end. Instead, you may only be concerned about where the data ultimately ends up, as indicated by the URL that shows up in the address bar. In this case, outlook.live.com. To prevent sensitive data from being blocked in our example case, you need to specifically change the default setting.

So, if you only want to monitor the browser and the final destination of the data (the URL in the browser address bar), you can enable DLP_browser_only_cloud_egress and DLP_ax_only_cloud_egress. Here's how.

To change the settings to allow sensitive data to pass through forbidden domains on its way to a permitted domain:

  1. Open the com.microsoft.wdav.mobileconfig file.

  2. Under the dlp key, Set DLP_browser_only_cloud_egress to enabled and set DLP_ax_only_cloud_egress to enabled as shown in the following example.


Check the macOS device

  1. Restart the macOS device.

  2. Open System Preferences > Profiles.

  3. The following profiles are now listed:

    • Accessibility
    • Full Disk Access
    • Kernel Extension Profile
    • MAU
    • MDATP Onboarding
    • MDE Preferences
    • Management profile
    • Network filter
    • Notifications
    • System extension profile

Offboard macOS devices using JAMF Pro


Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including references to any alerts it has had, will be retained for up to six months.

To offboard a macOS device, follow these steps

  1. Under MDE Preference Domain Properties remove the values for these settings

    • Features
      • Use System Extensions
      • Use Data Loss Prevention
  2. Choose Save.