Install and Manage Defender ATP on macOS

One of the best features of Defender ATP is its ability to work across all operating systems, including mobile. Over the next few weeks, we’re going to talk about installing and enabling it on several popular operating systems, starting today with macOS.

To complete this series, you will need an active Defender ATP subscription. You get that by having a Windows 10 Enterprise E5 or A5 license in your Azure AD. If you haven’t enabled Defender ATP in your tenant yet, it’s really easy. There is a guide avaiable here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/production-deployment.

For macOS deployment, we’re going to use Intune. You will need a computer running macOS to complete this setup. You will need to have the Intune App Wrapping Tool for macOS installed. For assistance with downloading and installing this, see: https://docs.microsoft.com/en-us/intune/apps/lob-apps-macos#before-your-start.

Prepare the Installation Package

The first step for Intune deployment is to add the installation package to Intune. You must perform these steps from macOS.

1. Log in to the Microsoft Defender Security Center (https://securitycenter.microsoft.com)
2. Go to Settings, then under Machine management, select Onboarding
3. Change the operating system to “Linux, macOS, iOS, and Android”
4. Under section 1, change the deployment method to “Mobile Device Management / Microsoft Intune.”

5. Download both the installation package and onboarding package.
6. You will need to make sure the Intune App Wrapping Tool is in the same directory as the pkg file you just downloaded. Open Terminal and cd to this directory. Run this command: ./IntuneAppUtil.dms -c wdav.pkg -o . -i “com.microsoft.wdav” -n “1.0.0”

A file with the extension .intunemac will be created in the same directory.

Create the Application in Intune

Now we need to add the package we just created to Intune.

1. From the Intune portal, select Client Apps, then Apps.
2. Click the “+ Add” button

3. Scroll down and click “Line-of-business app”, then click the Select button.
4. On screen 1, click “Select app package file”, then the browse button. Find the Intune package you created.
5. On the App Information screen, fill in the details for the app. The minimum operating system version should be set to High Sierra (10.13). You should also set “Ignore App Version” to Yes. After you have configured your desired settings, click Next.

6. Apply any scope tags that you want and click Next.
7. You should skip the Assignments screen for now. We still need to create the management profiles.
8. Finally, click Create. Your app will be created and the package file uploaded.

Create Management Profiles

Now that we have the package created, we need to create the management profiles to configure and manage Defender ATP. This section can be performed from a Windows or macOS computer, you just need the onboarding package downloaded from the Defender ATP portal.

1. From the Intune portal, select Device Configuration, then Profiles.
2. Create a new profile by clicking “+ Create Profile”.
3. Give the profile a name. We’re going to do the kext file first, which is the tenant enrollment, so I would name the profile something like “Defender ATP – Mac Tenant Enrollment”.
4. Select the platform as macOS.
5. Set the profile type to Custom.

Click settings, name the profile, and browse to the kext file.

7. Click Ok, then Create.
8. Repeat this process for the WindowsDefenderATPOnboarding.xml file. I would suggest a name of “Defender ATP- Mac Onboarding” for this profile.

These two profiles will configure Defender ATP to talk to your tenant, so at a minimum you must have these two assigned to your devices. Create the assignments for these two devices from the Intune portal.

There’s two more profiles you should have though. The first one (TCC.xml) is to ensure that Defender ATP has full disk access. This is required for full disk protection on macOS 10.15. The second profile enables Microsoft Auto-Update. This will keep the Defender ATP agent itself up-to-date.

To create the TCC profile, follow these steps:

1. Go to https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune#create-system-configuration-profiles and scroll to Step 8.
2. Copy the XML file that is part of Step 8 to a XML file on your computer.
3. Follow the steps from above for creating a new profile. I would name this profile “Defender ATP – Mac TCC”.

To create the auto-update profile, follow these steps:

1. Go to https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune#create-system-configuration-profiles and scroll to Step 9.
2. Copy the XML file that is part of Step 9 to a XML file on your computer.
3. Follow the steps from above for creating a new profile. I would name this profile “Defender ATP – Mac Auto-Update”.

After creating these two additional profiles, you should have four. Make sure they are all properly assigned to your devices.

Now that the profiles are built, you can do back and assign the application to devices. Once that is complete, Defender ATP will start rolling out.

Disclaimer
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.