Uredi

Deli z drugimi prek


Troubleshoot system extension issues in Microsoft Defender for Endpoint on macOS

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

You can submit feedback by opening Microsoft Defender for Endpoint on Mac on your device and by navigating to Help > Send feedback.

Another option is to submit feedback via the Microsoft Defender XDR by launching security.microsoft.com and selecting the Give feedback tab.

This article provides information on how to troubleshoot issues with the system extension that's installed as part of Microsoft Defender for Endpoint on macOS.

Starting with macOS BigSur (11), Apple's macOS requires all system extensions to be explicitly approved before they're allowed to run on the device.

Symptom

You'll notice that the Microsoft Defender for Endpoint has an x symbol in the shield, as shown in the following screenshot:

The Microsoft Defender for Endpoint screen that displays the x symbol on its menu.

If you click the shield with the x symbol, you'll get options as shown in the following screenshot:

The options you get on clicking the x symbol.

Click Action needed.

The screen as shown in the following screenshot appears:

The screen that is displayed on clicking the Action needed option.

You can also run mdatp health: It reports if real-time protection is enabled but not available. This report indicates that the system extension isn't approved to run on your device.

mdatp health

The output on running mdatp health is:

healthy                            : false
health_issues                    : ["no active event provider", "network event provider not running", "full disk access has not been granted"]
...
real_time_protection_enabled    : unavailable
real_time_protection_available: unavailable
...
full_disk_access_enabled        : false

The output report displayed on running mdatp health is shown in the following screenshot:

The screen that is displayed on clicking the Fix button.

Cause

macOS requires that a user manually and explicitly approves certain functions that an application uses, for example, system extensions, running in background, sending notifications, full disk access, and so on. Microsoft Defender for Endpoint relies on these applications and can't properly function until all these consents are received from a user.

If you didn't approve the system extension during the deployment/installation of Microsoft Defender for Endpoint on macOS, perform the following steps:

  1. Check the system extensions by running the following command in the terminal:

    systemextensionsctl list
    

    The screen that shows what should be done to check the system extension.

You'll notice that both Microsoft Defender for Endpoint on macOS extensions are in the [activated waiting for user] state.

  1. In the terminal, run the following command:

    mdatp health --details system_extensions
    

You'll get the following output:

network_extension_enabled                 : false
network_extension_installed                 : true
endpoint_security_extension_ready           : false
endpoint_security_extension_installed        : true

This output is shown in the following screenshot:

The output regarding details system extensions.

The following files might be missing if you're managing it via Intune, JamF, or another MDM solution:

MobileConfig (Plist) "mdatp health" console command output macOS setting needed for MDE on macOS to function properly
"/Library/Managed Preferences/com.apple.system-extension-policy.plist" real_time_protection_subsystem System extension
"/Library/Managed Preferences/com.apple.webcontent-filter.plist" network_events_subsystem Network Filter extension
"/Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist" full_disk_access_enabled Privacy Preference Policy Controls (PPPC, aka TCC (Transparency, Consent & Control), Full Disk Access (FDA))
"/Library/Managed Preferences/com.apple.notificationsettings.plist" n/a End-user notifications
"/Library/Managed Preferences/servicemanagement.plist" n/a Background services
"/Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist" full_disk_access_enabled (for DLP) Accessibility

To troubleshoot the issue of missing files to make Microsoft Defender for Endpoint on macOS work properly, see Microsoft Defender for Endpoint on Mac.

Solution

This section describes the solution of approving the functions such system extension, background services, notifications, full disk access, and so on using the management tools, namely Intune, JamF, Other MDM, and using the method of manual deployment. To perform these functions using these management tools, see:

Prerequisites

Prior to approving the system extension (using any of the specified management tools), ensure that the following prerequisites are fulfilled:

Step 1: Are the profiles coming down to your macOS?

If you're using Intune, see Manage macOS software update policies in Intune.

The screen on which you refresh the devices.

  1. Click the ellipses (three dots).

  2. Select Refresh devices. The screen as shown in the following screenshot appears:

    The screen that appears on clicking Refresh devices.

  3. In Launchpad, type System Preferences.

  4. Double-click Profiles.

    Note

    If you aren't MDM joined, you won't see Profiles as an option. Contact your MDM support team to see why the Profiles option isn't visible. You should be able to see the different profiles such as System Extensions, Accessibility, Background Services, Notifications, Microsoft AutoUpdate, and so on, as shown in the preceding screenshot.

If you're using JamF, use sudo jamf policy. For more information, see Policy Management.

Step 2: Ensure that the profiles needed for Microsoft Defender for Endpoint are enabled

The section Sections that provide guidance on enabling profiles needed for Microsoft Defender for Endpoint provides guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender for Endpoint on macOS.

Note

A proper naming convention for your configuration profiles is a real advantage. We recommend the following naming scheme: Name of the Setting(s) [(additional info)] -Platform - Set - Policy-Type For example, FullDiskAccess (piloting) - macOS - Default - MDE

Using the recommended naming convention enables you to confirm that the correct profiles are dropping down at the time of checking.

Tip

To ensure that the correct profiles are coming down, instead of typing .mobileconfig (plist), you can download this profile from Github, to avoid typos elongated hyphens.

In terminal, enter the following syntax:

curl -O https://URL

For example,

   curl -O https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/sysext.mobileconfig
Sections that provide guidance on enabling profiles needed for Microsoft Defender for Endpoint

Step 3: Test the installed profiles using macOS built-in 'profile' tool. It compares your profiles with what we have published in GitHub, reporting inconsistent profiles or profiles missing altogether

  1. Download the script from https://github.com/microsoft/mdatp-xplat/tree/master/macos/mdm.
  2. Click Raw. The new URL will be https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mdm/analyze_profiles.py.
  3. Save it as analyze_profiles.py to Downloads by running the following command in terminal:
   curl -O https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mdm/analyze_profiles.py
  1. Run the profile analyzer python3 script without any parameters by executing the following command in terminal:
   cd /Downloads  
   sudo python3 analyze_profiles.py

Note

Sudo permissions are required to execute this command.

OR

  1. Run the script directly from the Web by executing the following command:
   sudo curl https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mdm/analyze_profiles.py        
| python3 -

Note

Sudo permissions are required to execute this command.

The output will show all potential issues with profiles.