Onboard and offboard macOS devices into Microsoft Purview solutions using JAMF Pro

You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions such as Endpoint data loss prevention (DLP).

Important

Use this procedure if you do not have Microsoft Defender for Endpoint (MDE) deployed to your macOS devices.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

  • Make sure your macOS devices are managed through JAMF Pro and are associated with an identity (Microsoft Entra joined UPN) through JAMF Connect or Microsoft Intune.
  • OPTIONAL: Install the v95+ Microsoft Edge browser on your macOS devices for native Endpoint DLP support on Microsoft Edge.

Note

The three most recent major releases of macOS are supported.

Onboard devices into Microsoft Purview solutions using JAMF Pro

Onboarding a macOS device into Microsoft Purview solutions is a multi-phase process:

  1. Deploy onboarding packages
  2. Configure application preferences
  3. Upload the installation package
  4. Deploy System Configuration Profiles

Prerequisites

Download the following files.

File                        Description
mdatp-nokext.mobileconfig   The bundled configuration profile.
schema.json                 The MDE preference schema file.

Tip

We recommend downloading the bundled (mdatp-nokext.mobileconfig) file, rather than the individual .mobileconfig files. The bundled file includes the following required files:

  • accessibility.mobileconfig
  • fulldisk.mobileconfig
  • netfilter.mobileconfig
  • sysext.mobileconfig

If any of these files are updated, you need to either download the updated bundle, or download each updated file individually.

Note

To download the files:

  1. Right-click the link and select Save link as....
  2. Choose a folder and save the file.

Get the device onboarding and installation packages

Screenshot of the Microsoft Intune Configuration settings tab with all fields populated.

  1. In the compliance portal, open Settings > Device Onboarding and then choose Onboarding.

  2. For the Select operating system to start onboarding process value, choose macOS.

  3. For Deployment method, choose Mobile Device Management/Microsoft Intune.

  4. Choose Download onboarding package and then extract the contents of the device onboarding package. The DeviceComplianceOnboarding.plist file is downloaded to the JAMF folder.

  5. Choose Download installation package.

Deploy onboarding packages

  1. Create a new configuration profile in JAMF Pro. Refer to the JAMF Pro documentation. Use the following values:

    • Name: MDATP onboarding for macOS
    • Description: MDATP EDR onboarding for macOS
    • Category: none
    • Distribution method: install automatically
    • Level: computer level
  2. In the navigation pane, select Application and Custom Settings and then choose Upload.

  3. Choose Add. For Preference Domain, enter com.microsoft.wdav.atp

  4. Choose Upload, and select DeviceComplianceOnboarding.plist.

  5. Choose Save.

Configure application preferences

Important

You must use com.microsoft.wdav as the Preference Domain value. Microsoft Defender for Endpoint uses this name and com.microsoft.wdav.ext to load the managed settings.

  1. Sign in to JAMF Pro and create a new configuration profile. Refer to the JAMF Pro documentation for more information. Use these values:

    • Name: MDATP MDAV configuration settings
    • Description: Leave this blank
    • Category: none
    • Distribution method: install automatically
    • Level: computer level
  2. In the navigation pane, select Application and Custom Settings and then choose External Applications.

  3. Choose Add and then choose Custom Schema. For Preference domain, enter com.microsoft.wdav.

    Screenshot of the External Applications page.

  4. Choose Add Schema and then select the schema.json file you downloaded from GitHub.

  5. Choose Save.

  6. Under Preference Domain Properties, manually update the settings as follows:

    • Features

      • For Data Loss Prevention, select enabled and then choose Save.
    • Data Loss Prevention

      • Features
        • Set DLP_browser_only_cloud_egress to enabled if you want to monitor only supported browsers for cloud egress operations.
        • Set DLP_ax_only_cloud_egress to enabled if you want to monitor only the URL in the browser address bar (instead of network connections) for cloud egress operations.
    • Antivirus engine
      If you are only deploying data loss prevention, and not MDE, take the following steps:

      • Choose Real-time Protection.
      • Choose Passive mode.
      • Choose Apply.
  7. Enter a name for the configuration profile and then choose Save.

  8. On the next page, choose the Scope tab, select the appropriate targets for this configuration profile, and then choose Save.

OPTIONAL: Allow sensitive data to pass through forbidden domains

Microsoft Purview DLP checks for sensitive data at every stage of its journey. So, if sensitive data gets posted or sent to an allowed domain but travels through a forbidden domain on the way, it's blocked. Let's take a closer look.

Say that sending sensitive data via Outlook Live (outlook.live.com) is permissible, but that sensitive data must not be exposed to microsoft.com. However, when a user accesses Outlook Live, the data passes through microsoft.com in the background, as shown:

Screenshot showing the flow of data from source to destination URL.

By default, because the sensitive data passes through microsoft.com on its way to outlook.live.com, DLP automatically blocks the data from being shared.

In some cases, however, you may not be concerned with the domains that data passes through on the back end, only with where the data ultimately ends up, as indicated by the URL that shows up in the address bar (in this example, outlook.live.com). To prevent the sensitive data in our example from being blocked, you need to explicitly change the default setting.

So, if you only want to monitor the browser and the final destination of the data (the URL in the browser address bar), you can enable DLP_browser_only_cloud_egress and DLP_ax_only_cloud_egress. Here's how.

To change the settings to allow sensitive data to pass through forbidden domains on its way to a permitted domain:

  1. Open the com.microsoft.wdav.mobileconfig file.

  2. Under the dlp key, set DLP_browser_only_cloud_egress to enabled and set DLP_ax_only_cloud_egress to enabled, as shown in the following example.

    <key>dlp</key>
    <dict>
        <key>features</key>
        <array>
            <dict>
                <key>name</key>
                <string>DLP_browser_only_cloud_egress</string>
                <key>state</key>
                <string>enabled</string>
            </dict>
            <dict>
                <key>name</key>
                <string>DLP_ax_only_cloud_egress</string>
                <key>state</key>
                <string>enabled</string>
            </dict>
        </array>
    </dict>
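
To check a preference file before it goes into a JAMF profile, here is an added Python example (not Microsoft's or JAMF's code) that builds the dlp branch shown above with the standard plistlib module and reads a preference plist back to report which cloud-egress flags are enabled. The report key names (browser_only, address_bar_only, final_url_only, other_features) are the example's own; only the two feature names and the name/state layout come from the page.

```python
import plistlib
from typing import Dict, List

# The two feature names exactly as they appear in the page's
# com.microsoft.wdav example (name/state dictionaries under dlp > features).
EGRESS_FEATURES = ("DLP_browser_only_cloud_egress", "DLP_ax_only_cloud_egress")


def build_dlp_prefs(enabled: List[str]) -> bytes:
    """Serialise a 'dlp' branch in the page's name/state array layout.
    Only the two documented flags are accepted; a flag that is not listed
    is simply omitted, which leaves the default (transit domains are checked)."""
    unknown = set(enabled) - set(EGRESS_FEATURES)
    if unknown:
        raise ValueError(f"unknown DLP feature(s): {sorted(unknown)}")
    features = [{"name": n, "state": "enabled"} for n in EGRESS_FEATURES if n in enabled]
    return plistlib.dumps({"dlp": {"features": features}})


def egress_mode(prefs: bytes) -> Dict[str, object]:
    """Parse a preference plist and report how cloud-egress monitoring is set.
    A missing dlp key, feature array or entry counts as not enabled."""
    data = plistlib.loads(prefs)
    states: Dict[str, bool] = {}
    for entry in data.get("dlp", {}).get("features", []):
        name = entry.get("name") if isinstance(entry, dict) else None
        if name:
            states[name] = entry.get("state") == "enabled"
    browser_only = states.get(EGRESS_FEATURES[0], False)
    ax_only = states.get(EGRESS_FEATURES[1], False)
    return {
        "browser_only": browser_only,
        "address_bar_only": ax_only,
        # Both on: only the URL in the address bar is evaluated, the setting the
        # page's outlook.live.com example needs so transit via microsoft.com is ignored.
        "final_url_only": browser_only and ax_only,
        # Any other feature names found under dlp > features, listed for review.
        "other_features": sorted(set(states) - set(EGRESS_FEATURES)),
    }


if __name__ == "__main__":
    # Constructed sample: both flags enabled, as in the page's fragment.
    prefs = build_dlp_prefs(list(EGRESS_FEATURES))
    print(prefs.decode())
    print(egress_mode(prefs))
```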

Deploy system configuration profiles

  1. On the Configuration Profiles page of the JAMF Pro console, select Upload and then choose File.

  2. Select the mdatp-nokext.mobileconfig file, choose Open, and then choose Upload.

Upload the installation package

  1. In the JAMF Pro console, navigate to Management Settings > Packages and then choose New.

  2. Enter a display name for the package, and (optionally) select a category.

  3. Under Filename select Choose File.

  4. Select the wdav.pkg installation package file and then choose Save.

  5. Navigate to Computers > Policies and choose New.

  6. In the left navigation pane, choose Packages.

  7. From the Packages list, select the installation package from Step 4.

  8. For the Action choose Install.

  9. Choose the Scope tab and then target computers before choosing Save.

  10. On the General page, enter a name for the new policy.

Offboard macOS devices using JAMF Pro

Important

Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including references to any alerts it has had, will be retained for up to six months.

  1. If you are not using MDE, uninstall the application. See the Package Deployment section in the JAMF Pro documentation.

  2. Restart the macOS device. (Some applications may lose printing functionality until they're restarted.)