deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #3260 from MicrosoftDocs/user/tudobril/mac-sysext-cont

Browse Source 
Updates to system extensions policies
This commit is contained in:
Tina Burden 2020-07-09 09:48:21 -07:00 committed by GitHub
commit 4e100613f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 32 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

65
windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
View File

@ -15,6 +15,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ROBOTS: noindex,nofollow
--- ---
# New configuration profiles for macOS Catalina and newer versions of macOS # New configuration profiles for macOS Catalina and newer versions of macOS
@ -55,7 +56,7 @@ Add the following JAMF payload to grant Full Disk Access to the Microsoft Defend
A web content filtering policy is needed to run the network extension. Add the following web content filtering policy: A web content filtering policy is needed to run the network extension. Add the following web content filtering policy:
>[!NOTE] >[!NOTE]
>Note: JAMF doesnt have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. >JAMF doesnt have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
>As such, the following steps provide a workaround that involve signing the web content filtering configuration profile. >As such, the following steps provide a workaround that involve signing the web content filtering configuration profile.
1. Save the following content to your device as `com.apple.webcontent-filter.mobileconfig` 1. Save the following content to your device as `com.apple.webcontent-filter.mobileconfig`
@ -140,7 +141,28 @@ A web content filtering policy is needed to run the network extension. Add the f
## Intune ## Intune
### Create the Custom Configuration Profile ### System Extensions Policy
To approve the system extensions:
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
3. In the `Basics` tab, give a name to this new profile.
4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
Bundle identifier | Team identifier
--------------------------|----------------
com.microsoft.wdav.epsext | UBF8T346G9
com.microsoft.wdav.netext | UBF8T346G9
![System configuration profiles screenshot](images/mac-system-extension-intune2.png)
5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
6. Review and create this configuration profile.
### Create and deploy the Custom Configuration Profile
The following configuration profile enables the web content filter and grants Full Disk Access to the Endpoint Security system extension.
Save the following content to a file named **sysext.xml**: Save the following content to a file named **sysext.xml**:
@ -236,46 +258,23 @@ Save the following content to a file named **sysext.xml**:
</array> </array>
</dict> </dict>
</dict> </dict>
<dict>
<key>PayloadUUID</key>
<string>E6F96207-631F-462C-994A-37A6AD7BDED8</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>E6F96207-631F-462C-994A-37A6AD7BDED8</string>
<key>PayloadDisplayName</key>
<string>System Extensions</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>UBF8T346G9</key>
<array>
<string>com.microsoft.wdav.epsext</string>
<string>com.microsoft.wdav.netext</string>
</array>
</dict>
</dict>
</array> </array>
</dict> </dict>
</plist> </plist>
``` ```
### Deploy the Custom Configuration Profile Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`:
To configure the system extensions in Intune: ```bash
$ plutil -lint sysext.xml
sysext.xml: OK
```
To deploy this custom configuration profile:
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create profile**. 1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create profile**.
2. Choose a name for the profile. Change **Platform=macOS** and **Profile type=Custom**. Select **Configure**. 2. Choose a name for the profile. Change **Platform=macOS** and **Profile type=Custom**. Select **Configure**.
3. Open the configuration profile and upload sysext.xml. This file was created in the preceding step. 3. Open the configuration profile and upload **sysext.xml**. This file was created in the preceding step.
4. Select **OK**. 4. Select **OK**.
![System extension in Intune screenshot](images/mac-system-extension-intune.png) ![System extension in Intune screenshot](images/mac-system-extension-intune.png)