Install and Manage Defender ATP on macOS

One of the best features of Defender ATP is its ability to work across all operating systems, including mobile. Over the next few weeks, we’re going to talk about installing and enabling it on several popular operating systems, starting today with macOS.

To complete this series, you will need an active Defender ATP subscription. You get that by having a Windows 10 Enterprise E5 or A5 license in your Azure AD. If you haven’t enabled Defender ATP in your tenant yet, it’s really easy. There is a guide avaiable here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/production-deployment.

For macOS deployment, we’re going to use Intune. You will need a computer running macOS to complete this setup. You will need to have the Intune App Wrapping Tool for macOS installed. For assistance with downloading and installing this, see: https://docs.microsoft.com/en-us/intune/apps/lob-apps-macos#before-your-start.

Prepare the Installation Package

The first step for Intune deployment is to add the installation package to Intune. You must perform these steps from macOS.

  1. Log in to the Microsoft Defender Security Center (https://securitycenter.microsoft.com)
  2. Go to Settings, then under Machine management, select Onboarding
  3. Change the operating system to “Linux, macOS, iOS, and Android”
  4. Under section 1, change the deployment method to “Mobile Device Management / Microsoft Intune.”
  1. Download both the installation package and onboarding package.
  2. You will need to make sure the Intune App Wrapping Tool is in the same directory as the pkg file you just downloaded. Open Terminal and cd to this directory. Run this command: ./IntuneAppUtil.dms -c wdav.pkg -o . -i “com.microsoft.wdav” -n “1.0.0”

A file with the extension .intunemac will be created in the same directory.

Create the Application in Intune

Now we need to add the package we just created to Intune.

  1. From the Intune portal, select Client Apps, then Apps.
  2. Click the “+ Add” button
  1. Scroll down and click “Line-of-business app”, then click the Select button.
  2. On screen 1, click “Select app package file”, then the browse button. Find the Intune package you created.
  3. On the App Information screen, fill in the details for the app. The minimum operating system version should be set to High Sierra (10.13). You should also set “Ignore App Version” to Yes. After you have configured your desired settings, click Next.
  1. Apply any scope tags that you want and click Next.
  2. You should skip the Assignments screen for now. We still need to create the management profiles.
  3. Finally, click Create. Your app will be created and the package file uploaded.

Create Management Profiles

Now that we have the package created, we need to create the management profiles to configure and manage Defender ATP. This section can be performed from a Windows or macOS computer, you just need the onboarding package downloaded from the Defender ATP portal.

  1. From the Intune portal, select Device Configuration, then Profiles.
  2. Create a new profile by clicking “+ Create Profile”.
  3. Give the profile a name. We’re going to do the kext file first, which is the tenant enrollment, so I would name the profile something like “Defender ATP – Mac Tenant Enrollment”.
  4. Select the platform as macOS.
  5. Set the profile type to Custom.

Click settings, name the profile, and browse to the kext file.

  1. Click Ok, then Create.
  2. Repeat this process for the WindowsDefenderATPOnboarding.xml file. I would suggest a name of “Defender ATP- Mac Onboarding” for this profile.

These two profiles will configure Defender ATP to talk to your tenant, so at a minimum you must have these two assigned to your devices. Create the assignments for these two devices from the Intune portal.

There’s two more profiles you should have though. The first one (TCC.xml) is to ensure that Defender ATP has full disk access. This is required for full disk protection on macOS 10.15. The second profile enables Microsoft Auto-Update. This will keep the Defender ATP agent itself up-to-date.

To create the TCC profile, follow these steps:

  1. Go to https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune#create-system-configuration-profiles and scroll to Step 8.
  2. Copy the XML file that is part of Step 8 to a XML file on your computer.
  3. Follow the steps from above for creating a new profile. I would name this profile “Defender ATP – Mac TCC”.

To create the auto-update profile, follow these steps:

  1. Go to https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune#create-system-configuration-profiles and scroll to Step 9.
  2. Copy the XML file that is part of Step 9 to a XML file on your computer.
  3. Follow the steps from above for creating a new profile. I would name this profile “Defender ATP – Mac Auto-Update”.

After creating these two additional profiles, you should have four. Make sure they are all properly assigned to your devices.

Now that the profiles are built, you can do back and assign the application to devices. Once that is complete, Defender ATP will start rolling out.

Disclaimer
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.

Share:

Facebook
Twitter
LinkedIn

Contact Us

=
On Key

More Posts

WME Security Briefing 27 May 2024

Kinsing Hacker Group Exploits Docker Vulnerabilities Overview Recent investigations have shown that the hacker group Kinsing is actively exploiting Docker vulnerabilities to gain unauthorized access to systems. The modified hacker group targets misconfigured Docker API ports deployed with cryptocurrency mining malware.

Read More »
WME Cybersecurity Briefings No. 010
Cyber Security

WME Security Briefing 20 May 2024

Advanced Persistent Threats: North Korean Hackers Launch Golang Malware Overview A new malware strain, called Titan Stealer, is currently actively circulating in the threat landscape, targeting a variety of personal data and linked to North Korean state-sponsored cyber espionage

Read More »
WME Cybersecurity Briefings No. 009
Cyber Security

WME Security Briefing 08 May 2024

Exploitable vulnerability in Microsoft Internet Explorer, used to deploy VBA Malware Overview Cybersecurity researchers discovered a severe exploitation targeting a bug that had already been patched in the Microsoft Internet Explorer browser. Their report added that

Read More »
WME Cybersecurity Briefings No. 008
Cyber Security

WME Security Briefing 03 May 2024

Security Bulletin: MITRE Corporation Targeted by Nation-State Cyber Attack Overview The MITRE Corporation, a prominent security and cybersecurity researcher in the USA, has fallen prey to compromise in its environment because of a sophisticated cyberattack from

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.

=