diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index 5408508e47..d8b5e85940 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md @@ -29,104 +29,104 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a ## Enable the Insider program with Jamf -a. Create configuration profile com.microsoft.wdav.plist with the following content: +1. Create configuration profile com.microsoft.wdav.plist with the following content: -```XML - - - - - edr - - earlyPreview - - - - -``` + ```XML + + + + + edr + + earlyPreview + + + + + ``` -b. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**. +1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**. -c. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier. +1. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier. ->[!WARNING] ->You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product + > [!WARNING] + > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product ## Enable the Insider program with Intune -a. Create configuration profile com.microsoft.wdav.plist with the following content: +1. Create configuration profile com.microsoft.wdav.plist with the following content: - ```XML - - - - - PayloadUUID - C4E6A782-0C8D-44AB-A025-EB893987A295 - PayloadType - Configuration - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.wdav - PayloadDisplayName - Microsoft Defender ATP settings - PayloadDescription - Microsoft Defender ATP configuration settings - PayloadVersion - 1 - PayloadEnabled - - PayloadRemovalDisallowed - - PayloadScope - System - PayloadContent - - - PayloadUUID - 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 - PayloadType - com.microsoft.wdav - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.wdav - PayloadDisplayName - Microsoft Defender ATP configuration settings - PayloadDescription - - PayloadVersion - 1 - PayloadEnabled - - edr - - earlyPreview - - - - - - -``` + ```XML + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + edr + + earlyPreview + + + + + + + ``` -b. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**. +1. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**. -c. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**. +1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**. -d. Save the .plist created earlier as com.microsoft.wdav.xml. +1. Save the .plist created earlier as com.microsoft.wdav.xml. -e. Enter com.microsoft.wdav as the custom configuration profile name. +1. Enter com.microsoft.wdav as the custom configuration profile name. -f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1. +1. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1. -g. Select  **OK**. +1. Select  **OK**. -h. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**. +1. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**. ->[!WARNING] ->You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. + > [!WARNING] + > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. ## Enable the Insider program manually on a single device @@ -134,7 +134,7 @@ In terminal, run: ```bash mdatp --edr --early-preview true - ``` +``` For versions earlier than 100.78.0, run: @@ -161,4 +161,4 @@ After a successful deployment and onboarding of the correct version, check that * Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. -If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment). +If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment). diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png new file mode 100644 index 0000000000..a6ff679378 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-2.png new file mode 100644 index 0000000000..d3e8d67250 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-3.png new file mode 100644 index 0000000000..0d7aac7dce Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-4.png new file mode 100644 index 0000000000..ad17cf144e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-5.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-5.png new file mode 100644 index 0000000000..576472cd8c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-5.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-choose-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-choose-file.png new file mode 100644 index 0000000000..9fee8307d9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-choose-file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-create-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-create-profile.png new file mode 100644 index 0000000000..dfe09495a2 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-create-profile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-final.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-final.png new file mode 100644 index 0000000000..5529575cbe Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-final.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-profile-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-profile-page.png new file mode 100644 index 0000000000..80e4d3cc67 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-profile-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-scope.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-scope.png new file mode 100644 index 0000000000..ccd19095f5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-scope.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file.png new file mode 100644 index 0000000000..1257677bec Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file2.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file2.png new file mode 100644 index 0000000000..b2d8d02a63 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure.png new file mode 100644 index 0000000000..a8777a1764 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure2.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure2.png new file mode 100644 index 0000000000..43bc82f7c6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-final.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-final.png new file mode 100644 index 0000000000..c2aa50f3c4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-final.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-new-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-new-profile.png new file mode 100644 index 0000000000..9912030cb6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-new-profile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-scope.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-scope.png new file mode 100644 index 0000000000..5d9401ae38 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-scope.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tcc-add-entry.png b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-add-entry.png new file mode 100644 index 0000000000..3c2c23b1f4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-add-entry.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry.png b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry.png new file mode 100644 index 0000000000..4e69457dcb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry2.png b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry2.png new file mode 100644 index 0000000000..54330f800e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index daea53aa5e..db852ca545 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -28,7 +28,8 @@ ms.topic: conceptual This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps: - [Download installation and onboarding packages](#download-installation-and-onboarding-packages) -- [Application installation](#application-installation) +- [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions) +- [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions) - [Client configuration](#client-configuration) ## Prerequisites and system requirements @@ -48,7 +49,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi 5. From a command prompt, verify that you have the two files. -## Application installation +## Application installation (macOS 10.15 and older versions) To complete this process, you must have admin privileges on the device. @@ -65,7 +66,7 @@ To complete this process, you must have admin privileges on the device. ![App install screenshot](../microsoft-defender-antivirus/images/MDATP-30-SystemExtension.png) -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: ![Security and privacy window screenshot](../microsoft-defender-antivirus/images/MDATP-31-SecurityPrivacySettings.png) @@ -77,6 +78,34 @@ To complete this process, you must have admin privileges on the device. > [!NOTE] > macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted. +## Application installation (macOS 11 and newer versions) + +To complete this process, you must have admin privileges on the device. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/big-sur-install-1.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + +3. At the end of the installation process, you will be promoted to approve the system extensions used by the product. Select **Open Security Preferences**. + + ![System extension approval](images/big-sur-install-2.png) + +4. From the **Security & Privacy** window, select **Allow**. + + ![System extension security preferences](images/big-sur-install-3.png) + +5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender ATP for Mac. + +6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender ATP permissions to filter network traffic, select **Allow**. + + ![System extension security preferences](images/big-sur-install-4.png) + +7. Open **System Preferences** > **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**. + + ![Full disk access](images/big-sur-install-5.png) + ## Client configuration 1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 17f2c90546..d7a00dd754 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -34,6 +34,7 @@ This topic describes how to deploy Microsoft Defender ATP for Mac through Intune 1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages) 1. [Client device setup](#client-device-setup) +1. [Approve system extensions](#approve-system-extensions) 1. [Create System Configuration profiles](#create-system-configuration-profiles) 1. [Publish application](#publish-application) @@ -48,24 +49,30 @@ The following table summarizes the steps you would need to take to deploy and ma | Step | Sample file names | BundleIdentifier | |-|-|-| | [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp | +| [Approve System Extension for Microsoft Defender ATP](#approve-system-extensions) | MDATP_SysExt.xml | N/A | | [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A | | [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc | +| [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A | | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 | | [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

**Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | -| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray | +| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray | ## Download installation and onboarding packages Download the installation and onboarding packages from Microsoft Defender Security Center: 1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**. + 2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**. ![Onboarding settings screenshot](images/atp-mac-install.png) 3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory. + 4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. + 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). + 6. From a command prompt, verify that you have the three files. @@ -130,228 +137,116 @@ You do not need any special provisioning for a Mac device beyond a standard [Com 2. Select **Continue** and complete the enrollment. -You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. + You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. 3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: -![Add Devices screenshot](../microsoft-defender-antivirus/images/MDATP-5-allDevices.png) + > [!div class="mx-imgBorder"] + > ![Add Devices screenshot](../microsoft-defender-antivirus/images/MDATP-5-allDevices.png) + +## Approve System Extensions + +To approve the system extensions: + +1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**. + +2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**. + +3. In the `Basics` tab, give a name to this new profile. + +4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section: + + Bundle identifier | Team identifier + --------------------------|---------------- + com.microsoft.wdav.epsext | UBF8T346G9 + com.microsoft.wdav.netext | UBF8T346G9 + + > [!div class="mx-imgBorder"] + > ![System configuration profiles screenshot](images/mac-system-extension-intune2.png) + +5. In the `Assignments` tab, assign this profile to **All Users & All devices**. + +6. Review and create this configuration profile. ## Create System Configuration profiles 1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**. + 2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**. + 3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections. + 4. Select **OK**. ![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-6-SystemConfigurationProfiles.png) 5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. + 6. Repeat steps 1 through 5 for more profiles. + 7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it. + +8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it. > [!CAUTION] > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. > - > The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile. + > This configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile. - ```xml - - - - - PayloadDescription - Allows Microsoft Defender to access all files on Catalina+ - PayloadDisplayName - TCC - Microsoft Defender - PayloadIdentifier - com.microsoft.wdav.tcc - PayloadOrganization - Microsoft Corp. - PayloadRemovalDisallowed - - PayloadScope - system - PayloadType - Configuration - PayloadUUID - C234DF2E-DFF6-11E9-B279-001C4299FB44 - PayloadVersion - 1 - PayloadContent - - - PayloadDescription - Allows Microsoft Defender to access all files on Catalina+ - PayloadDisplayName - TCC - Microsoft Defender - PayloadIdentifier - com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44 - PayloadOrganization - Microsoft Corp. - PayloadType - com.apple.TCC.configuration-profile-policy - PayloadUUID - C233A5E6-DFF6-11E9-BDAD-001C4299FB44 - PayloadVersion - 1 - Services - - SystemPolicyAllFiles - - - Allowed - - CodeRequirement - identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 - Comment - Allow SystemPolicyAllFiles control for Microsoft Defender ATP - Identifier - com.microsoft.wdav - IdentifierType - bundleID - - - - - - - - ``` +9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. -9. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: +10. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. - ```xml - - - - - PayloadContent - - - NotificationSettings - - - AlertType - 2 - BadgesEnabled - - BundleIdentifier - com.microsoft.autoupdate2 - CriticalAlertEnabled - - GroupingType - 0 - NotificationsEnabled - - ShowInLockScreen - - ShowInNotificationCenter - - SoundsEnabled - - - - AlertType - 2 - BadgesEnabled - - BundleIdentifier - com.microsoft.wdav.tray - CriticalAlertEnabled - - GroupingType - 0 - NotificationsEnabled - - ShowInLockScreen - - ShowInNotificationCenter - - SoundsEnabled - - - - PayloadDescription - - PayloadDisplayName - notifications - PayloadEnabled - - PayloadIdentifier - BB977315-E4CB-4915-90C7-8334C75A7C64 - PayloadOrganization - Microsoft - PayloadType - com.apple.notificationsettings - PayloadUUID - BB977315-E4CB-4915-90C7-8334C75A7C64 - PayloadVersion - 1 - - - PayloadDescription - - PayloadDisplayName - mdatp - allow notifications - PayloadEnabled - - PayloadIdentifier - 85F6805B-0106-4D23-9101-7F1DFD5EA6D6 - PayloadOrganization - Microsoft - PayloadRemovalDisallowed - - PayloadScope - System - PayloadType - Configuration - PayloadUUID - 85F6805B-0106-4D23-9101-7F1DFD5EA6D6 - PayloadVersion - 1 - - - ``` - -10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +11. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: -![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png) +> [!div class="mx-imgBorder"] +> ![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png) ## Publish application 1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. + 2. Select **App type=Other/Line-of-business app**. + 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. + 4. Select **Configure** and add the required information. + 5. Use **macOS High Sierra 10.13** as the minimum OS. + 6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. > [!CAUTION] > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. > > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy. - - ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png) + + > [!div class="mx-imgBorder"] + > ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png) 7. Select **OK** and **Add**. - ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-9-IntunePkgInfo.png) + > [!div class="mx-imgBorder"] + > ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-9-IntunePkgInfo.png) 8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**. - ![Client apps screenshot](../microsoft-defender-antivirus/images/MDATP-10-ClientApps.png) + > [!div class="mx-imgBorder"] + > ![Client apps screenshot](../microsoft-defender-antivirus/images/MDATP-10-ClientApps.png) 9. Change **Assignment type** to **Required**. + 10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - ![Intune assignments info screenshot](../microsoft-defender-antivirus/images/MDATP-11-Assignments.png) + > [!div class="mx-imgBorder"] + > ![Intune assignments info screenshot](../microsoft-defender-antivirus/images/MDATP-11-Assignments.png) 11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**: - ![Intune device status screenshot](../microsoft-defender-antivirus/images/MDATP-12-DeviceInstall.png) + > [!div class="mx-imgBorder"] + > ![Intune device status screenshot](../microsoft-defender-antivirus/images/MDATP-12-DeviceInstall.png) ## Verify client device state @@ -365,7 +260,8 @@ Once the Intune changes are propagated to the enrolled devices, you can see them 3. You should also see the Microsoft Defender icon in the top-right corner: - ![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png) + > [!div class="mx-imgBorder"] + > ![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png) ## Troubleshooting diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md index 39ec2b13b7..1f4d373697 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md @@ -48,7 +48,7 @@ Most modern MDM solutions include these features, however, they may call them di You can deploy Defender without the last requirement from the preceding list, however: - You will not be able to collect status in a centralized way -- If you decide to uninstall Defender, you will need to logon to the client device locally as an administrator +- If you decide to uninstall Defender, you will need to log on to the client device locally as an administrator ## Deployment @@ -70,13 +70,44 @@ Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be ext Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. Alternatively, it may require you to convert the property list to a different format first. -Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value. +Typically, your custom profile has an ID, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value. MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information. ### Kernel extension policy Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to allow kernel extensions provided by Microsoft. +### System extension policy + +Set up a system extension policy. Use team identifier **UBF8T346G9** and approve the following bundle identifiers: + +- com.microsoft.wdav.epsext +- com.microsoft.wdav.netext + +### Full disk access policy + +Grant Full Disk Access to the following components: + +- Microsoft Defender ATP + - Identifier: `com.microsoft.wdav` + - Identifier Type: Bundle ID + - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9 + +- Microsoft Defender ATP Endpoint Security Extension + - Identifier: `com.microsoft.wdav.epsext` + - Identifier Type: Bundle ID + - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 + +### Network extension policy + +As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. + +- Filter type: Plugin +- Plugin bundle identifier: `com.microsoft.wdav` +- Filter data provider bundle identifier: `com.microsoft.wdav.netext` +- Filter data provider designated requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 +- Filter sockets: `true` + ## Check installation status Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index 19be21f34f..10411a985d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -44,9 +44,13 @@ You'll need to take the following steps: 7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp) -8. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp) +8. [Approve System extensions for Microsoft Defender ATP](#step-8-approve-system-extensions-for-microsoft-defender-atp) -9. [Deploy Microsoft Defender ATP for macOS](#step-9-deploy-microsoft-defender-atp-for-macos) +9. [Configure Network Extension](#step-9-configure-network-extension) + +10. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp) + +11. [Deploy Microsoft Defender ATP for macOS](#step-11-deploy-microsoft-defender-atp-for-macos) ## Step 1: Get the Microsoft Defender ATP onboarding package @@ -155,106 +159,106 @@ You'll need to take the following steps: For information, see [Property list for Jamf configuration profile](mac-preferences.md#property-list-for-jamf-configuration-profile). -```XML - - - - - antivirusEngine - - enableRealTimeProtection - - passiveMode - - exclusions - - - $type - excludedPath - isDirectory - - path - /var/log/system.log - - - $type - excludedPath - isDirectory - - path - /home - - - $type - excludedFileExtension - extension - pdf - - - $type - excludedFileName - name - cat - - - exclusionsMergePolicy - merge - allowedThreats - - EICAR-Test-File (not a virus) - - disallowedThreatActions - - allow - restore - - threatTypeSettings - - - key - potentially_unwanted_application - value - block - - - key - archive_bomb - value - audit - - - threatTypeSettingsMergePolicy - merge - - cloudService - - enabled - - diagnosticLevel - optional - automaticSampleSubmission - - - edr - - tags - - - key - GROUP - value - ExampleTag - - - - userInterface - - hideStatusMenuIcon - - - - -``` + ```XML + + + + + antivirusEngine + + enableRealTimeProtection + + passiveMode + + exclusions + + + $type + excludedPath + isDirectory + + path + /var/log/system.log + + + $type + excludedPath + isDirectory + + path + /home + + + $type + excludedFileExtension + extension + pdf + + + $type + excludedFileName + name + cat + + + exclusionsMergePolicy + merge + allowedThreats + + EICAR-Test-File (not a virus) + + disallowedThreatActions + + allow + restore + + threatTypeSettings + + + key + potentially_unwanted_application + value + block + + + key + archive_bomb + value + audit + + + threatTypeSettingsMergePolicy + merge + + cloudService + + enabled + + diagnosticLevel + optional + automaticSampleSubmission + + + edr + + tags + + + key + GROUP + value + ExampleTag + + + + userInterface + + hideStatusMenuIcon + + + + + ``` 2. Save the file as `MDATP_MDAV_configuration_settings.plist`. @@ -266,11 +270,12 @@ You'll need to take the following steps: 4. Enter the following details: **General** - - Name: MDATP MDAV configuration settings - - Description:\ - - Category: None (default) - - Distribution Method: Install Automatically(default) - - Level: Computer Level(default) + + - Name: MDATP MDAV configuration settings + - Description:\ + - Category: None (default) + - Distribution Method: Install Automatically(default) + - Level: Computer Level(default) ![Image of configuration settings](images/3160906404bc5a2edf84d1d015894e3b.png) @@ -336,100 +341,21 @@ You'll need to take the following steps: These steps are applicable of macOS 10.15 (Catalina) or newer. -1. Use the following Microsoft Defender ATP notification configuration settings: +1. Download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) -```xml - - - - PayloadContent - - - NotificationSettings - - - AlertType - 2 - BadgesEnabled - - BundleIdentifier - com.microsoft.autoupdate2 - CriticalAlertEnabled - GroupingType - 0 - NotificationsEnabled - - ShowInLockScreen - - ShowInNotificationCenter - - SoundsEnabled - - - - AlertType - 2BadgesEnabled - BundleIdentifier - com.microsoft.wdav.tray - CriticalAlertEnabled - GroupingType - 0 - NotificationsEnabled - ShowInLockScreen - ShowInNotificationCenter - SoundsEnabled - - - - PayloadDescription - PayloadDisplayName - notifications - PayloadEnabled - PayloadIdentifier - BB977315-E4CB-4915-90C7-8334C75A7C64 - PayloadOrganization - Microsoft - PayloadType - com.apple.notificationsettings - PayloadUUID - BB977315-E4CB-4915-90C7-8334C75A7C64 - PayloadVersion - 1 - - - PayloadDescription - PayloadDisplayName - mdatp - allow notifications - PayloadEnabled - PayloadIdentifier - 85F6805B-0106-4D23-9101-7F1DFD5EA6D6 - PayloadOrganization - Microsoft - PayloadRemovalDisallowed - PayloadScope - System - PayloadType - Configuration - PayloadUUID - 85F6805B-0106-4D23-9101-7F1DFD5EA6D6 - PayloadVersion - 1 - - - ``` - -2. Save it as `MDATP_MDAV_notification_settings.plist`. +2. Save it as `MDATP_MDAV_notification_settings.plist`. 3. In the Jamf Pro dashboard, select **General**. 4. Enter the following details: **General** - - Name: MDATP MDAV Notification settings - - Description: macOS 10.15 (Catalina) or newer - - Category: None (default) - - Distribution Method: Install Automatically(default) - - Level: Computer Level(default) + + - Name: MDATP MDAV Notification settings + - Description: macOS 10.15 (Catalina) or newer + - Category: None (default) + - Distribution Method: Install Automatically(default) + - Level: Computer Level(default) ![Image of configuration settings](images/c9820a5ff84aaf21635c04a23a97ca93.png) @@ -475,11 +401,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. 1. Use the following Microsoft Defender ATP configuration settings: -```XML - - - - + ```XML + + + + ChannelName Production HowToCheck @@ -490,9 +416,9 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. SendAllTelemetryEnabled - - -``` + + + ``` 2. Save it as `MDATP_MDAV_MAU_settings.plist`. @@ -503,11 +429,12 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. 4. Enter the following details: **General** - - Name: MDATP MDAV MAU settings - - Description: Microsoft AutoUpdate settings for MDATP for macOS - - Category: None (default) - - Distribution Method: Install Automatically(default) - - Level: Computer Level(default) + + - Name: MDATP MDAV MAU settings + - Description: Microsoft AutoUpdate settings for MDATP for macOS + - Category: None (default) + - Distribution Method: Install Automatically(default) + - Level: Computer Level(default) 5. In **Application & Custom Settings** select **Configure**. @@ -582,10 +509,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. - Identifier: `com.microsoft.wdav` - Identifier Type: Bundle ID - - Code Requirement: identifier `com.microsoft.wdav` and anchor apple generic and -certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate -leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate -leaf[subject.OU] = UBF8T346G9 + - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9 ![Image of configuration setting](images/22cb439de958101c0a12f3038f905b27.png) @@ -594,32 +518,53 @@ leaf[subject.OU] = UBF8T346G9 ![Image of configuration setting](images/bd93e78b74c2660a0541af4690dd9485.png) + - Under App or service: Set to **SystemPolicyAllFiles** - - Under App or service: Set to **SystemPolicyAllFiles** - - - Under "access": Set to **Allow** + - Under "access": Set to **Allow** 7. Select **Save** (not the one at the bottom right). ![Image of configuration setting](images/6de50b4a897408ddc6ded56a09c09fe2.png) -8. Select the **Scope** tab. +8. Click the `+` sign next to **App Access** to add a new entry. + + ![Image of configuration setting](images/tcc-add-entry.png) + +9. Enter the following details: + + - Identifier: `com.microsoft.wdav.epsext` + - Identifier Type: Bundle ID + - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 + +10. Select **+ Add**. + + ![Image of configuration setting](images/tcc-epsext-entry.png) + + - Under App or service: Set to **SystemPolicyAllFiles** + + - Under "access": Set to **Allow** + +11. Select **Save** (not the one at the bottom right). + + ![Image of configuration setting](images/tcc-epsext-entry2.png) + +12. Select the **Scope** tab. ![Image of configuration setting](images/2c49b16cd112729b3719724f581e6882.png) - 9. Select **+ Add**. +13. Select **+ Add**. ![Image of configuration setting](images/57cef926d1b9260fb74a5f460cee887a.png) -10. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**. +14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**. ![Image of configuration setting](images/368d35b3d6179af92ffdbfd93b226b69.png) -11. Select **Add**. +15. Select **Add**. -12. Select **Save**. +16. Select **Save**. -13. Select **Done**. +17. Select **Done**. ![Image of configuration setting](images/809cef630281b64b8f07f20913b0039b.png) @@ -635,11 +580,12 @@ leaf[subject.OU] = UBF8T346G9 2. Enter the following details: **General** - - Name: MDATP MDAV Kernel Extension - - Description: MDATP kernel extension (kext) - - Category: None - - Distribution Method: Install Automatically - - Level: Computer Level + + - Name: MDATP MDAV Kernel Extension + - Description: MDATP kernel extension (kext) + - Category: None + - Distribution Method: Install Automatically + - Level: Computer Level ![Image of configuration settings](images/24e290f5fc309932cf41f3a280d22c14.png) @@ -648,11 +594,10 @@ leaf[subject.OU] = UBF8T346G9 ![Image of configuration settings](images/30be88b63abc5e8dde11b73f1b1ade6a.png) - 4. In **Approved Kernel Extensions** Enter the following details: - - Display Name: Microsoft Corp. - - Team ID: UBF8T346G9 + - Display Name: Microsoft Corp. + - Team ID: UBF8T346G9 ![Image of configuration settings](images/39cf120d3ac3652292d8d1b6d057bd60.png) @@ -677,10 +622,119 @@ leaf[subject.OU] = UBF8T346G9 ![Image of configuration settings](images/1c9bd3f68db20b80193dac18f33c22d0.png) -## Step 8: Schedule scans with Microsoft Defender ATP for Mac +## Step 8: Approve System extensions for Microsoft Defender ATP + +1. In the **Configuration Profiles**, select **+ New**. + + ![A screenshot of a social media post Description automatically generated](images/6c8b406ee224335a8c65d06953dc756e.png) + +2. Enter the following details: + + **General** + + - Name: MDATP MDAV System Extensions + - Description: MDATP system extensions + - Category: None + - Distribution Method: Install Automatically + - Level: Computer Level + + ![Image of configuration settings](images/sysext-new-profile.png) + +3. In **System Extensions** select **Configure**. + + ![Image of configuration settings](images/sysext-configure.png) + +4. In **System Extensions** enter the following details: + + - Display Name: Microsoft Corp. System Extensions + - System Extension Types: Allowed System Extensions + - Team Identifier: UBF8T346G9 + - Allowed System Extensions: + - **com.microsoft.wdav.epsext** + - **com.microsoft.wdav.netext** + + ![Image of configuration settings](images/sysext-configure2.png) + +5. Select the **Scope** tab. + + ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png) + +6. Select **+ Add**. + +7. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**. + +8. Select **+ Add**. + + ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png) + +9. Select **Save**. + + ![Image of configuration settings](images/sysext-scope.png) + +10. Select **Done**. + + ![Image of configuration settings](images/sysext-final.png) + +## Step 9: Configure Network Extension + +As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. + +>[!NOTE] +>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. +>As such, the following steps provide a workaround that involve signing the configuration profile. + +1. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) to your device and save it as `com.microsoft.network-extension.mobileconfig` + +2. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority + +3. After the certificate is created and installed to your device, run the following command from the Terminal from a macOS device: + + ```bash + $ security cms -S -N "" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig + ``` + + ![Terminal window with command to create signed configuration](images/netext-create-profile.png) + +4. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. + + ![Image of upload window](images/netext-upload-file.png) + +5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`. + + ![Image of upload window](images/netext-choose-file.png) + +6. Select **Upload**. + + ![Image of upload window](images/netext-upload-file2.png) + +7. After uploading the file, you are redirected to a new page to finalize the creation of this profile. + + ![Image of new configuration profile](images/netext-profile-page.png) + +8. Select the **Scope** tab. + + ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png) + +9. Select **+ Add**. + +10. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**. + +11. Select **+ Add**. + + ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png) + +12. Select **Save**. + + ![Image of configuration settings](images/netext-scope.png) + +13. Select **Done**. + + ![Image of configuration settings](images/netext-final.png) + +## Step 10: Schedule scans with Microsoft Defender ATP for Mac Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp). -## Step 9: Deploy Microsoft Defender ATP for macOS +## Step 11: Deploy Microsoft Defender ATP for macOS 1. Navigate to where you saved `wdav.pkg`. @@ -729,10 +783,12 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac]( ![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png) 9. Select **Save**. The package is uploaded to Jamf Pro. - ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png) - It can take a few minutes for the package to be available for deployment. - ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png) + ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png) + + It can take a few minutes for the package to be available for deployment. + + ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png) 10. Navigate to the **Policies** page. @@ -765,25 +821,31 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac]( ![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png) 17. Select **Save**. + ![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png) -18. Select the **Scope** tab. +18. Select the **Scope** tab. + ![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png) 19. Select the target computers. ![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png) - **Scope**
+ **Scope** + Select **Add**. + ![Image of configuration settings](images/1c08d097829863778d562c10c5f92b67.png) ![Image of configuration settings](images/216253cbfb6ae738b9f13496b9c799fd.png) - **Self-Service**
+ **Self-Service** + ![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png) 20. Select **Done**. + ![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png) ![Image of configuration settings](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)