Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro

Step 1: Get the Microsoft Defender for Endpoint onboarding package

1. In Microsoft 365 Defender, navigate to Settings > Onboarding.
2. Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method.

   

3. Select Download onboarding package (WindowsDefenderATPOnboardingPackage.zip).
4. Extract WindowsDefenderATPOnboardingPackage.zip.
5. Copy the file to your preferred location. For example, C:\Users\JaneDoe_or_JohnDoe.contoso\Downloads\WindowsDefenderATPOnboardingPackage_macOS_MDM_contoso\jamf\WindowsDefenderATPOnboarding.plist.

Step 2: Create a configuration profile in Jamf Pro using the onboarding package

1. Locate the file WindowsDefenderATPOnboarding.plist from the previous section.

   

2. Sign in to Jamf Pro, navigate to Computers > Configuration Profiles, and select New.

   

3. Enter the following details:

   General:

   • Name: MDATP onboarding for macOS
   • Description: MDATP EDR onboarding for macOS
   • Category: None
   • Distribution Method: Install Automatically
   • Level: Computer Level
4. Navigate to the Application & Custom Settings page and select Upload > Add.

   

5. Select Upload File (PLIST file) then in Preference Domain enter: com.microsoft.wdav.atp.

   

   

6. Select Open and select the onboarding file.

   

7. Select Upload.

   

8. Select the Scope tab.

   

9. Select the target computers.

   

   

10. Select Save.

    

    

11. Select Done.

    

    

Step 3: Configure Microsoft Defender for Endpoint settings

You can either use JAMF Pro GUI to edit individual settings of the Microsoft Defender for Endpoint configuration, or use the legacy method by creating a configuration Plist in a text editor, and uploading it to JAMF Pro.

Note that you must use exact com.microsoft.wdav as the Preference Domain, Microsoft Defender for Endpoint uses only this name and com.microsoft.wdav.ext to load its managed settings!

(The com.microsoft.wdav.ext version may be used in rare cases when you prefer to use GUI method, but also need to configure a setting that has not been added to the schema yet.)

GUI method

1. Download schema.json file from Defender’s GitHub repository and save it to a local file:
   BashCopy

   curl -o ~/Documents/schema.json https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/schema/schema.json
   

2. Create a new Configuration Profile under Computers -> Configuration Profiles, enter the following details on the General tab:

   

   • Name: MDATP MDAV configuration settings
   • Description:<blank>
   • Category: None (default)
   • Level: Computer Level (default)
   • Distribution Method: Install Automatically (default)
3. Scroll down to the Application & Custom Settings tab, select External Applications, click Add and use Custom Schema as Source to use for the preference domain.

   

4. Enter com.microsoft.wdav as the Preference Domain, click on Add Schema and Upload the schema.json file downloaded on Step 1. Click Save.

   

5. You can see all supported Microsoft Defender for Endpoint configuration settings below, under Preference Domain Properties. Click Add/Remove properties to select the settings that you want to be managed, and click Ok to save your changes. (Settings left unselected will not be included into the managed configuration, an end user will be able to configure those settings on their machines.)

   

6. Change values of the settings to desired values. You can click More information to get documentation for a particular setting. (You may click Plist preview to inspect what the configuration plist will look like. Click Form editor to return to the visual editor.)

   

7. Select the Scope tab.

   

8. Select Contoso’s Machine Group.
9. Select Add, then select Save.

   

   

10. Select Done. You’ll see the new Configuration profile.

    

Microsoft Defender for Endpoint adds new settings over time. These new settings will be added to the schema, and a new version will be published to Github. All you need to do to have updates is to download an updated schema, edit existing configuration profile, and Edit schema at the Application & Custom Settings tab.

Legacy method

1. Use the following Microsoft Defender for Endpoint configuration settings:
   • enableRealTimeProtection
   • passiveMode

    Note

   Not turned on by default, if you are planning to run a third-party AV for macOS, set it to true.

   • exclusions
   • excludedPath
   • excludedFileExtension
   • excludedFileName
   • exclusionsMergePolicy
   • allowedThreats

    Note

   EICAR is on the sample, if you are going through a proof-of-concept, remove it especially if you are testing EICAR.

   • disallowedThreatActions
   • potentially_unwanted_application
   • archive_bomb
   • cloudService
   • automaticSampleSubmission
   • tags
   • hideStatusMenuIcon

   For information, see Property list for JAMF full configuration profile.

   XMLCopy

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1.0">
   <dict>
       <key>antivirusEngine</key>
       <dict>
           <key>enableRealTimeProtection</key>
           <true/>
           <key>passiveMode</key>
           <false/>
           <key>exclusions</key>
           <array>
               <dict>
                   <key>$type</key>
                   <string>excludedPath</string>
                   <key>isDirectory</key>
                   <false/>
                   <key>path</key>
                   <string>/var/log/system.log</string>
               </dict>
               <dict>
                   <key>$type</key>
                   <string>excludedPath</string>
                   <key>isDirectory</key>
                   <true/>
                   <key>path</key>
                   <string>/home</string>
               </dict>
               <dict>
                   <key>$type</key>
                   <string>excludedFileExtension</string>
                   <key>extension</key>
                   <string>pdf</string>
               </dict>
               <dict>
                   <key>$type</key>
                   <string>excludedFileName</string>
                   <key>name</key>
                   <string>cat</string>
               </dict>
           </array>
           <key>exclusionsMergePolicy</key>
           <string>merge</string>
           <key>allowedThreats</key>
           <array>
               <string>EICAR-Test-File (not a virus)</string>
           </array>
           <key>disallowedThreatActions</key>
           <array>
               <string>allow</string>
               <string>restore</string>
           </array>
           <key>threatTypeSettings</key>
           <array>
               <dict>
                   <key>key</key>
                   <string>potentially_unwanted_application</string>
                   <key>value</key>
                   <string>block</string>
               </dict>
               <dict>
                   <key>key</key>
                   <string>archive_bomb</string>
                   <key>value</key>
                   <string>audit</string>
               </dict>
           </array>
           <key>threatTypeSettingsMergePolicy</key>
           <string>merge</string>
       </dict>
       <key>cloudService</key>
       <dict>
           <key>enabled</key>
           <true/>
           <key>diagnosticLevel</key>
           <string>optional</string>
           <key>automaticSampleSubmission</key>
           <true/>
       </dict>
       <key>edr</key>
       <dict>
           <key>tags</key>
           <array>
               <dict>
                   <key>key</key>
                   <string>GROUP</string>
                   <key>value</key>
                   <string>ExampleTag</string>
               </dict>
           </array>
       </dict>
       <key>userInterface</key>
       <dict>
           <key>hideStatusMenuIcon</key>
           <false/>
       </dict>
   </dict>
   </plist>
   

2. Save the file as MDATP_MDAV_configuration_settings.plist.
3. In the Jamf Pro dashboard, open Computers, and there Configuration Profiles. Click *New( and switch to the General tab.

   

4. Enter the following details:

   General

   • Name: MDATP MDAV configuration settings
   • Description:<blank>
   • Category: None (default)
   • Distribution Method: Install Automatically(default)
   • Level: Computer Level(default)

   

5. In Application & Custom Settings select Configure.

   

6. Select Upload File (PLIST file).

   

7. In Preferences Domain, enter com.microsoft.wdav, then select Upload PLIST File.

   

8. Select Choose File.

   

9. Select the MDATP_MDAV_configuration_settings.plist, then select Open.

   

10. Select Upload.

    

    

     Note

    If you happen to upload the Intune file, you’ll get the following error:

    

11. Select Save.

    

12. The file is uploaded.

    

    

13. Select the Scope tab.

    

14. Select Contoso’s Machine Group.
15. Select Add, then select Save.

    

    

16. Select Done. You’ll see the new Configuration profile.

    

Step 4: Configure notifications settings

These steps are applicable of macOS 10.15 (Catalina) or newer.

1. In the Jamf Pro dashboard, select Computers, then Configuration Profiles.
2. Click New, and enter the following details for Options:
   • Tab General:
     • Name: MDATP MDAV Notification settings
     • Description: macOS 10.15 (Catalina) or newer
     • Category: None (default)
     • Distribution Method: Install Automatically (default)
     • Level: Computer Level (default)

     

   • Tab Notifications, click Add, and enter the following values:
     • Bundle ID: com.microsoft.wdav.tray
     • Critical Alerts: Click Disable
     • Notifications: Click Enable
     • Banner alert type: Select Include and Temporary (default)
     • Notifications on lock screen: Click Hide
     • Notifications in Notification Center: Click Display
     • Badge app icon: Click Display

     

   • Tab Notifications, click Add one more time, scroll down to New Notifications Settings
     • Bundle ID: com.microsoft.autoupdate2
     • Configure the rest of the settings to the same values as above

     

     Note that now you have two ‘tables’ with notification configurations, one for Bundle ID: com.microsoft.wdav.tray, and another for Bundle ID: com.microsoft.autoupdate2. While you can configure alert settings per your requirements, Bundle IDs must be exactly the same as described before, and Include switch must be On for Notifications.

3. Select the Scope tab, then select Add.

   

4. Select Contoso’s Machine Group.
5. Select Add, then select Save.

   

   

6. Select Done. You’ll see the new Configuration profile.

   

Step 5: Configure Microsoft AutoUpdate (MAU)

1. Use the following Microsoft Defender for Endpoint configuration settings:
   XMLCopy

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1.0">
   <dict>
   <key>ChannelName</key>
   <string>Current</string>
   <key>HowToCheck</key>
   <string>AutomaticDownload</string>
   <key>EnableCheckForUpdatesButton</key>
   <true/>
   <key>DisableInsiderCheckbox</key>
   <false/>
   <key>SendAllTelemetryEnabled</key>
   <true/>
   </dict>
   </plist>
   

2. Save it as MDATP_MDAV_MAU_settings.plist.
3. In the Jamf Pro dashboard, select General.

   

4. Enter the following details:

   General

   • Name: MDATP MDAV MAU settings
   • Description: Microsoft AutoUpdate settings for MDATP for macOS
   • Category: None (default)
   • Distribution Method: Install Automatically(default)
   • Level: Computer Level(default)
5. In Application & Custom Settings select Configure.

   

6. Select Upload File (PLIST file).

   

7. In Preference Domain enter: com.microsoft.autoupdate2, then select Upload PLIST File.

   

8. Select Choose File.

   

9. Select MDATP_MDAV_MAU_settings.plist.

   

10. Select Upload. 

    

11. Select Save.

    

12. Select the Scope tab.

    

13. Select Add.

    

    

    

14. Select Done.

    

Step 6: Grant full disk access to Microsoft Defender for Endpoint

1. In the Jamf Pro dashboard, select Configuration Profiles.

   

2. Select + New.
3. Enter the following details:

   General

   • Name: MDATP MDAV – grant Full Disk Access to EDR and AV
   • Description: On macOS Catalina or newer, the new Privacy Preferences Policy Control
   • Category: None
   • Distribution method: Install Automatically
   • Level: Computer level

   

4. In Configure Privacy Preferences Policy Control select Configure.

   

5. In Privacy Preferences Policy Control, enter the following details:
   • Identifier: com.microsoft.wdav
   • Identifier Type: Bundle ID
   • Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

   

6. Select + Add.

   

   • Under App or service: Set to SystemPolicyAllFiles
   • Under “access”: Set to Allow
7. Select Save (not the one at the bottom right).

   

8. Click the + sign next to App Access to add a new entry.

   

9. Enter the following details:
   • Identifier: com.microsoft.wdav.epsext
   • Identifier Type: Bundle ID
   • Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
10. Select + Add.

    

    • Under App or service: Set to SystemPolicyAllFiles
    • Under “access”: Set to Allow
11. Select Save (not the one at the bottom right).

    

12. Select the Scope tab.

    

13. Select + Add.

    

14. Select Computer Groups > under Group Name > select Contoso’s MachineGroup.

    

15. Select Add.
16. Select Save.
17. Select Done.

    

    

Alternatively, you can download fulldisk.mobileconfig and upload it to JAMF Configuration Profiles as described in Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro.

Step 7: Approve Kernel extension for Microsoft Defender for Endpoint

1. In the Configuration Profiles, select + New.

   

2. Enter the following details:

   General

   • Name: MDATP MDAV Kernel Extension
   • Description: MDATP kernel extension (kext)
   • Category: None
   • Distribution Method: Install Automatically
   • Level: Computer Level

   

3. In Configure Approved Kernel Extensions select Configure.

   

4. In Approved Kernel Extensions Enter the following details:
   • Display Name: Microsoft Corp.
   • Team ID: UBF8T346G9

   

5. Select the Scope tab.

   

6. Select + Add.
7. Select Computer Groups > under Group Name > select Contoso’s Machine Group.
8. Select + Add.

   

9. Select Save.

   

10. Select Done.

    

Alternatively, you can download kext.mobileconfig and upload it to JAMF Configuration Profiles as described in Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro.

Step 8: Approve System extensions for Microsoft Defender for Endpoint

1. In the Configuration Profiles, select + New.

   

2. Enter the following details:

   General

   • Name: MDATP MDAV System Extensions
   • Description: MDATP system extensions
   • Category: None
   • Distribution Method: Install Automatically
   • Level: Computer Level

   

3. In System Extensions select Configure.

   

4. In System Extensions enter the following details:
   • Display Name: Microsoft Corp. System Extensions
   • System Extension Types: Allowed System Extensions
   • Team Identifier: UBF8T346G9
   • Allowed System Extensions:
     • com.microsoft.wdav.epsext
     • com.microsoft.wdav.netext

   

5. Select the Scope tab.

   

6. Select + Add.
7. Select Computer Groups > under Group Name > select Contoso’s Machine Group.
8. Select + Add.

   

9. Select Save.

   

10. Select Done.

    

Step 9: Configure Network Extension

As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.

These steps are applicable of macOS 10.15 (Catalina) or newer.

1. In the Jamf Pro dashboard, select Computers, then Configuration Profiles.
2. Click New, and enter the following details for Options:
   • Tab General:
     • Name: Microsoft Defender ATP Network Extension
     • Description: macOS 10.15 (Catalina) or newer
     • Category: None (default)
     • Distribution Method: Install Automatically (default)
     • Level: Computer Level (default)
   • Tab Content Filter:
     • Filter Name: Microsoft Defender ATP Content Filter
     • Identifier: com.microsoft.wdav
     • Leave Service Address, Organization, User Name, Password, Certificate blank (Include is not selected)
     • Filter Order: Inspector
     • Socket Filter: com.microsoft.wdav.netext
     • Socket Filter Designated Requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
     • Leave Network Filter fields blank (Include is not selected)

     Note that Identifier, Socket Filter and Socket Filter Designated Requirement exact values as specified above.

     

3. Select the Scope tab.

   

4. Select + Add.
5. Select Computer Groups > under Group Name > select Contoso’s Machine Group.
6. Select + Add.

   

7. Select Save.

   

8. Select Done.

   

Alternatively, you can download netfilter.mobileconfig and upload it to JAMF Configuration Profiles as described in Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro.

Step 10: Schedule scans with Microsoft Defender for Endpoint on macOS

Follow the instructions on Schedule scans with Microsoft Defender for Endpoint on macOS.

Step 11: Deploy Microsoft Defender for Endpoint on macOS

1. Navigate to where you saved wdav.pkg.

   

2. Rename it to wdav_MDM_Contoso_200329.pkg.

   

3. Open the Jamf Pro dashboard.

   

4. Select your computer and click the gear icon at the top, then select Computer Management.

   

5. In Packages, select + New. 
6. In New Package Enter the following details:

   General tab

   • Display Name: Leave it blank for now. Because it will be reset when you choose your pkg.
   • Category: None (default)
   • Filename: Choose File

   

   Open the file and point it to wdav.pkg or wdav_MDM_Contoso_200329.pkg.

   

7. Select Open. Set the Display Name to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus.

   Manifest File is not required. Microsoft Defender for Endpoint works without Manifest File.

   Options tab: Keep default values.

   Limitations tab: Keep default values.

   

8. Select Save. The package is uploaded to Jamf Pro.

   

   It can take a few minutes for the package to be available for deployment.

   

9. Navigate to the Policies page.

   

10. Select + New to create a new policy.

    

11. In General Enter the following details:
    • Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later

    

12. Select Recurring Check-in.

    

13. Select Save.
14. Select Packages > Configure.

    

15. Select the Add button next to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus.

    

16. Select Save.

    

17. Select the Scope tab.

    

18. Select the target computers.

    

    Scope

    Select Add.

    

    

    Self-Service

    

19. Select Done.