Merge branch 'master' into repo_sync_working_branch

windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md

@@ -29,7 +29,7 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
 
 ## Enable the Insider program with Jamf
 
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
 
    ```XML
        <?xml version="1.0" encoding="UTF-8"?>
@@ -45,16 +45,16 @@ a. Create configuration profile com.microsoft.wdav.plist with the following cont
        </plist>
    ```
 
-b. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**.
+1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**.
 
-c. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
+1. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
 
    > [!WARNING]
    > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
 
 ## Enable the Insider program with Intune
 
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
 
     ```XML
        <?xml version="1.0" encoding="utf-8"?>
@@ -111,19 +111,19 @@ a. Create configuration profile com.microsoft.wdav.plist with the following cont
        </plist>
    ```
 
-b. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**.
+1. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**.
 
-c. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**.
+1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**.
 
-d. Save the .plist created earlier as com.microsoft.wdav.xml.
+1. Save the .plist created earlier as com.microsoft.wdav.xml.
 
-e. Enter com.microsoft.wdav as the custom configuration profile name.
+1. Enter com.microsoft.wdav as the custom configuration profile name.
 
-f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
+1. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
 
-g. Select  **OK**.
+1. Select  **OK**.
 
-h. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**.
+1. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**.
 
    > [!WARNING]
    > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
@@ -161,4 +161,4 @@ After a successful deployment and onboarding of the correct version, check that
 
 * Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
 
-If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
+If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).

windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md

@@ -28,7 +28,8 @@ ms.topic: conceptual
 
 This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
 - [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Application installation](#application-installation)
+- [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions)
+- [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions)
 - [Client configuration](#client-configuration)
 
 ## Prerequisites and system requirements
@@ -48,7 +49,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
 
 5. From a command prompt, verify that you have the two files.
     
-## Application installation
+## Application installation (macOS 10.15 and older versions)
 
 To complete this process, you must have admin privileges on the device.
 
@@ -77,6 +78,34 @@ To complete this process, you must have admin privileges on the device.
 > [!NOTE]
 > macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted.
 
+## Application installation (macOS 11 and newer versions)
+
+To complete this process, you must have admin privileges on the device.
+
+1. Navigate to the downloaded wdav.pkg in Finder and open it.
+
+    ![App install screenshot](images/big-sur-install-1.png)
+
+2. Select **Continue**, agree with the License terms, and enter the password when prompted.
+
+3. At the end of the installation process, you will be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
+
+    ![System extension approval](images/big-sur-install-2.png)
+
+4. From the **Security & Privacy** window, select **Allow**.
+
+    ![System extension security preferences](images/big-sur-install-3.png)
+
+5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender ATP for Mac.
+
+6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender ATP permissions to filter network traffic, select **Allow**.
+
+    ![System extension security preferences](images/big-sur-install-4.png)
+
+7. Open **System Preferences** > **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**.
+
+    ![Full disk access](images/big-sur-install-5.png)
+
 ## Client configuration
 
 1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS.

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md

@@ -34,6 +34,7 @@ This topic describes how to deploy Microsoft Defender ATP for Mac through Intune
 
 1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
 1. [Client device setup](#client-device-setup)
+1. [Approve system extensions](#approve-system-extensions)
 1. [Create System Configuration profiles](#create-system-configuration-profiles)
 1. [Publish application](#publish-application)
 
@@ -48,24 +49,30 @@ The following table summarizes the steps you would need to take to deploy and ma
 | Step | Sample file names | BundleIdentifier |
 |-|-|-|
 | [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Approve System Extension for Microsoft Defender ATP](#approve-system-extensions) | MDATP_SysExt.xml | N/A |
 | [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
 | [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
+| [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A |
 | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
 | [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
-| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
 
 ## Download installation and onboarding packages
 
 Download the installation and onboarding packages from Microsoft Defender Security Center:
 
 1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
+
 2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
 
     ![Onboarding settings screenshot](images/atp-mac-install.png)
 
 3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
+
 4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
+
 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
+
 6. From a command prompt, verify that you have the three files.
   
 
@@ -134,199 +141,81 @@ You may now enroll more devices. You can also enroll them later, after you have
 
 3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
 
-![Add Devices screenshot](../microsoft-defender-antivirus/images/MDATP-5-allDevices.png)
+   > [!div class="mx-imgBorder"]
+   > ![Add Devices screenshot](../microsoft-defender-antivirus/images/MDATP-5-allDevices.png)
+
+## Approve System Extensions
+
+To approve the system extensions:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
+
+3. In the `Basics` tab, give a name to this new profile.
+
+4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+
+    Bundle identifier         | Team identifier
+    --------------------------|----------------
+    com.microsoft.wdav.epsext | UBF8T346G9
+    com.microsoft.wdav.netext | UBF8T346G9
+
+    > [!div class="mx-imgBorder"]
+    > ![System configuration profiles screenshot](images/mac-system-extension-intune2.png)
+
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+
+6. Review and create this configuration profile.
 
 ## Create System Configuration profiles
 
 1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
 2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
+
 3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
+
 4. Select **OK**.
 
     ![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-6-SystemConfigurationProfiles.png)
 
 5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+
 6. Repeat steps 1 through 5 for more profiles.
+
 7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
+
+8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
 
    > [!CAUTION]
    > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
    >
-   > The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
+   > This configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
 
-   ```xml
+9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
-   <?xml version="1.0" encoding="UTF-8"?>
-   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-   <plist version="1.0">
-   <dict>
-       <key>PayloadDescription</key>
-       <string>Allows Microsoft Defender to access all files on Catalina+</string>
-       <key>PayloadDisplayName</key>
-       <string>TCC - Microsoft Defender</string>
-       <key>PayloadIdentifier</key>
-       <string>com.microsoft.wdav.tcc</string>
-       <key>PayloadOrganization</key>
-       <string>Microsoft Corp.</string>
-       <key>PayloadRemovalDisallowed</key>
-       <false/>
-       <key>PayloadScope</key>
-       <string>system</string>
-       <key>PayloadType</key>
-       <string>Configuration</string>
-       <key>PayloadUUID</key>
-       <string>C234DF2E-DFF6-11E9-B279-001C4299FB44</string>
-       <key>PayloadVersion</key>
-       <integer>1</integer>
-       <key>PayloadContent</key>
-       <array>
-       <dict>
-           <key>PayloadDescription</key>
-           <string>Allows Microsoft Defender to access all files on Catalina+</string>
-           <key>PayloadDisplayName</key>
-           <string>TCC - Microsoft Defender</string>
-           <key>PayloadIdentifier</key>
-           <string>com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
-           <key>PayloadOrganization</key>
-           <string>Microsoft Corp.</string>
-           <key>PayloadType</key>
-           <string>com.apple.TCC.configuration-profile-policy</string>
-           <key>PayloadUUID</key>
-           <string>C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
-           <key>PayloadVersion</key>
-           <integer>1</integer>
-           <key>Services</key>
-           <dict>
-               <key>SystemPolicyAllFiles</key>
-               <array>
-               <dict>
-                   <key>Allowed</key>
-                   <true/>
-                   <key>CodeRequirement</key>
-                   <string>identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
-                   <key>Comment</key>
-                   <string>Allow SystemPolicyAllFiles control for Microsoft Defender ATP</string>
-                   <key>Identifier</key>
-                   <string>com.microsoft.wdav</string>
-                   <key>IdentifierType</key>
-                   <string>bundleID</string>
-               </dict>
-               </array>
-           </dict>
-       </dict>
-       </array>
-   </dict>
-   </plist>
-   ```
 
-9. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
+10. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. <a name = "create-system-configuration-profiles-step-10" id = "create-system-configuration-profiles-step-10"></a>
 
-   ```xml
+11. Select **Manage > Assignments**.  In the **Include** tab, select **Assign to All Users & All devices**.
-   <?xml version="1.0" encoding="UTF-8"?>
-   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-   <plist version="1.0">
-     <dict>
-       <key>PayloadContent</key>
-       <array>
-         <dict>
-           <key>NotificationSettings</key>
-           <array>
-             <dict>
-               <key>AlertType</key>
-               <integer>2</integer>
-               <key>BadgesEnabled</key>
-               <true/>
-               <key>BundleIdentifier</key>
-               <string>com.microsoft.autoupdate2</string>
-               <key>CriticalAlertEnabled</key>
-               <false/>
-               <key>GroupingType</key>
-               <integer>0</integer>
-               <key>NotificationsEnabled</key>
-               <true/>
-               <key>ShowInLockScreen</key>
-               <false/>
-               <key>ShowInNotificationCenter</key>
-               <true/>
-               <key>SoundsEnabled</key>
-               <true/>
-             </dict>
-             <dict>
-               <key>AlertType</key>
-               <integer>2</integer>
-               <key>BadgesEnabled</key>
-               <true/>
-               <key>BundleIdentifier</key>
-               <string>com.microsoft.wdav.tray</string>
-               <key>CriticalAlertEnabled</key>
-               <false/>
-               <key>GroupingType</key>
-               <integer>0</integer>
-               <key>NotificationsEnabled</key>
-               <true/>
-               <key>ShowInLockScreen</key>
-               <false/>
-               <key>ShowInNotificationCenter</key>
-               <true/>
-               <key>SoundsEnabled</key>
-               <true/>
-             </dict>
-           </array>
-           <key>PayloadDescription</key>
-           <string/>
-           <key>PayloadDisplayName</key>
-           <string>notifications</string>
-           <key>PayloadEnabled</key>
-           <true/>
-           <key>PayloadIdentifier</key>
-           <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-           <key>PayloadOrganization</key>
-           <string>Microsoft</string>
-           <key>PayloadType</key>
-           <string>com.apple.notificationsettings</string>
-           <key>PayloadUUID</key>
-           <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-           <key>PayloadVersion</key>
-           <integer>1</integer>
-         </dict>
-       </array>
-       <key>PayloadDescription</key>
-       <string/>
-       <key>PayloadDisplayName</key>
-       <string>mdatp - allow notifications</string>
-       <key>PayloadEnabled</key>
-       <true/>
-       <key>PayloadIdentifier</key>
-       <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-       <key>PayloadOrganization</key>
-       <string>Microsoft</string>
-       <key>PayloadRemovalDisallowed</key>
-       <false/>
-       <key>PayloadScope</key>
-       <string>System</string>
-       <key>PayloadType</key>
-       <string>Configuration</string>
-       <key>PayloadUUID</key>
-       <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-       <key>PayloadVersion</key>
-       <integer>1</integer>
-     </dict>
-   </plist>
-   ```
-
-10. Select **Manage > Assignments**.  In the **Include** tab, select **Assign to All Users & All devices**.
 
 Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
 
-![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png)
+> [!div class="mx-imgBorder"]
+> ![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png)
 
 ## Publish application
 
 1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
+
 2. Select **App type=Other/Line-of-business app**.
+
 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
+
 4. Select **Configure** and add the required information.
+
 5. Use **macOS High Sierra 10.13** as the minimum OS.
+
 6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
 
     > [!CAUTION]
@@ -334,24 +223,30 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
     >
     > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy.
     
-    ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png)
+    > [!div class="mx-imgBorder"]
+    > ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png)
 
 7. Select **OK** and **Add**.
 
-    ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-9-IntunePkgInfo.png)
+    > [!div class="mx-imgBorder"]
+    > ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-9-IntunePkgInfo.png)
 
 8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
 
-    ![Client apps screenshot](../microsoft-defender-antivirus/images/MDATP-10-ClientApps.png)
+    > [!div class="mx-imgBorder"]
+    > ![Client apps screenshot](../microsoft-defender-antivirus/images/MDATP-10-ClientApps.png)
 
 9. Change **Assignment type** to **Required**.
+
 10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
 
-    ![Intune assignments info screenshot](../microsoft-defender-antivirus/images/MDATP-11-Assignments.png)
+    > [!div class="mx-imgBorder"]
+    > ![Intune assignments info screenshot](../microsoft-defender-antivirus/images/MDATP-11-Assignments.png)
 
 11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
 
-    ![Intune device status screenshot](../microsoft-defender-antivirus/images/MDATP-12-DeviceInstall.png)
+    > [!div class="mx-imgBorder"]
+    > ![Intune device status screenshot](../microsoft-defender-antivirus/images/MDATP-12-DeviceInstall.png)
 
 ## Verify client device state
 
@@ -365,7 +260,8 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
 
 3. You should also see the Microsoft Defender icon in the top-right corner:
 
-    ![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png)
+    > [!div class="mx-imgBorder"]
+    > ![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png)
 
 ## Troubleshooting
 

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md

@@ -70,13 +70,44 @@ Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be ext
 Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
 Alternatively, it may require you to convert the property list to a different format first.
 
-Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
+Typically, your custom profile has an ID, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
 MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information.
 
 ### Kernel extension policy
 
 Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to allow kernel extensions provided by Microsoft.
 
+### System extension policy
+
+Set up a system extension policy. Use team identifier **UBF8T346G9** and approve the following bundle identifiers:
+
+- com.microsoft.wdav.epsext
+- com.microsoft.wdav.netext
+
+### Full disk access policy
+
+Grant Full Disk Access to the following components:
+
+- Microsoft Defender ATP
+    - Identifier: `com.microsoft.wdav`
+    - Identifier Type: Bundle ID
+    - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
+
+- Microsoft Defender ATP Endpoint Security Extension
+    - Identifier: `com.microsoft.wdav.epsext`
+    - Identifier Type: Bundle ID
+    - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+### Network extension policy
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+- Filter type: Plugin
+- Plugin bundle identifier: `com.microsoft.wdav`
+- Filter data provider bundle identifier: `com.microsoft.wdav.netext`
+- Filter data provider designated requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+- Filter sockets: `true`
+
 ## Check installation status
 
 Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status.

windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md

@@ -44,9 +44,13 @@ You'll need to take the following steps:
 
 7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp)
 
-8. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+8. [Approve System extensions for Microsoft Defender ATP](#step-8-approve-system-extensions-for-microsoft-defender-atp)
 
-9. [Deploy Microsoft Defender ATP for macOS](#step-9-deploy-microsoft-defender-atp-for-macos)
+9. [Configure Network Extension](#step-9-configure-network-extension)
+
+10. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+
+11. [Deploy Microsoft Defender ATP for macOS](#step-11-deploy-microsoft-defender-atp-for-macos)
 
 
 ## Step 1: Get the Microsoft Defender ATP onboarding package
@@ -266,6 +270,7 @@ You'll need to take the following steps:
 4. Enter the following details:
 
     **General**
+    
     - Name: MDATP MDAV configuration settings
     - Description:\<blank\>
     - Category: None (default)
@@ -336,87 +341,7 @@ You'll need to take the following steps:
 
 These steps are applicable of macOS 10.15 (Catalina) or newer.
 
-1. Use the following Microsoft Defender ATP notification configuration settings:
+1. Download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig)
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-    <dict>
-        <key>PayloadContent</key>
-            <array>
-                <dict>
-                    <key>NotificationSettings</key>
-                    <array>
-                        <dict>
-                            <key>AlertType</key>
-                            <integer>2</integer>
-                            <key>BadgesEnabled</key>
-                            <true/>
-                            <key>BundleIdentifier</key>
-                            <string>com.microsoft.autoupdate2</string>
-                            <key>CriticalAlertEnabled</key>
-                            <false/><key>GroupingType</key>
-                            <integer>0</integer>
-                            <key>NotificationsEnabled</key>
-                            <true/>
-                            <key>ShowInLockScreen</key>
-                            <false/>
-                            <key>ShowInNotificationCenter</key>
-                            <true/>
-                            <key>SoundsEnabled</key>
-                            <true/>
-                        </dict>
-                        <dict>
-                            <key>AlertType</key>
-                            <integer>2</integer><key>BadgesEnabled</key>
-                            <true/><key>BundleIdentifier</key>
-                            <string>com.microsoft.wdav.tray</string>
-                            <key>CriticalAlertEnabled</key>
-                            <false/><key>GroupingType</key>
-                            <integer>0</integer>
-                            <key>NotificationsEnabled</key>
-                            <true/><key>ShowInLockScreen</key>
-                            <false/><key>ShowInNotificationCenter</key>
-                            <true/><key>SoundsEnabled</key>
-                            <true/>
-                        </dict>
-                    </array>
-                    <key>PayloadDescription</key>
-                    <string/><key>PayloadDisplayName</key>
-                    <string>notifications</string>
-                    <key>PayloadEnabled</key>
-                    <true/><key>PayloadIdentifier</key>
-                    <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-                    <key>PayloadOrganization</key>
-                    <string>Microsoft</string>
-                    <key>PayloadType</key>
-                    <string>com.apple.notificationsettings</string>
-                    <key>PayloadUUID</key>
-                    <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-                    <key>PayloadVersion</key>
-                    <integer>1</integer>
-                </dict>
-            </array>
-            <key>PayloadDescription</key>
-            <string/><key>PayloadDisplayName</key>
-            <string>mdatp - allow notifications</string>
-            <key>PayloadEnabled</key><true/>
-            <key>PayloadIdentifier</key>
-            <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-            <key>PayloadOrganization</key>
-            <string>Microsoft</string>
-            <key>PayloadRemovalDisallowed</key>
-            <false/><key>PayloadScope</key>
-            <string>System</string>
-            <key>PayloadType</key>
-            <string>Configuration</string>
-            <key>PayloadUUID</key>
-            <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-            <key>PayloadVersion</key>
-            <integer>1</integer>
-    </dict>
- </plist>   
-   ```
 
 2. Save it as `MDATP_MDAV_notification_settings.plist`.
 
@@ -425,6 +350,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
 4. Enter the following details:
 
     **General** 
+    
     - Name: MDATP MDAV Notification settings
     - Description: macOS 10.15 (Catalina) or newer
     - Category: None (default)
@@ -503,6 +429,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
 4. Enter the following details:
 
     **General** 
+    
     - Name: MDATP MDAV MAU settings
     - Description: Microsoft AutoUpdate settings for MDATP for macOS
     - Category: None (default)
@@ -582,10 +509,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
 
     - Identifier: `com.microsoft.wdav`
     - Identifier Type: Bundle ID
-    - Code Requirement: identifier `com.microsoft.wdav` and anchor apple generic and
+    - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
-certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate
-leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate
-leaf[subject.OU] = UBF8T346G9
 
 
     ![Image of configuration setting](images/22cb439de958101c0a12f3038f905b27.png)
@@ -594,7 +518,6 @@ leaf[subject.OU] = UBF8T346G9
 
     ![Image of configuration setting](images/bd93e78b74c2660a0541af4690dd9485.png)
 
-
     - Under App or service: Set to **SystemPolicyAllFiles**
 
     - Under "access": Set to **Allow**
@@ -603,23 +526,45 @@ leaf[subject.OU] = UBF8T346G9
 
     ![Image of configuration setting](images/6de50b4a897408ddc6ded56a09c09fe2.png)
 
-8. Select the **Scope** tab.
+8. Click the `+` sign next to **App Access** to add a new entry.
+
+    ![Image of configuration setting](images/tcc-add-entry.png)
+
+9. Enter the following details:
+
+    - Identifier: `com.microsoft.wdav.epsext`
+    - Identifier Type: Bundle ID
+    - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+10. Select **+ Add**.
+
+    ![Image of configuration setting](images/tcc-epsext-entry.png)
+
+    - Under App or service: Set to **SystemPolicyAllFiles**
+
+    - Under "access": Set to **Allow**
+
+11. Select **Save** (not the one at the bottom right).
+
+    ![Image of configuration setting](images/tcc-epsext-entry2.png)
+
+12. Select the **Scope** tab.
 
     ![Image of configuration setting](images/2c49b16cd112729b3719724f581e6882.png)
 
- 9. Select **+ Add**.
+13. Select **+ Add**.
 
     ![Image of configuration setting](images/57cef926d1b9260fb74a5f460cee887a.png)
 
-10. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**. 
+14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**. 
 
     ![Image of configuration setting](images/368d35b3d6179af92ffdbfd93b226b69.png)
 
-11. Select **Add**. 
+15. Select **Add**. 
 
-12. Select **Save**. 
+16. Select **Save**. 
     
-13. Select **Done**.
+17. Select **Done**.
     
     ![Image of configuration setting](images/809cef630281b64b8f07f20913b0039b.png)
     
@@ -635,6 +580,7 @@ leaf[subject.OU] = UBF8T346G9
 2. Enter the following details:
 
     **General** 
+    
     - Name: MDATP MDAV Kernel Extension
     - Description: MDATP kernel extension (kext)
     - Category: None
@@ -648,7 +594,6 @@ leaf[subject.OU] = UBF8T346G9
     ![Image of configuration settings](images/30be88b63abc5e8dde11b73f1b1ade6a.png)
 
    
-
 4. In **Approved Kernel Extensions** Enter the following details:
 
     - Display Name: Microsoft Corp.
@@ -677,10 +622,119 @@ leaf[subject.OU] = UBF8T346G9
     ![Image of configuration settings](images/1c9bd3f68db20b80193dac18f33c22d0.png)
 
 
-## Step 8: Schedule scans with Microsoft Defender ATP for Mac
+## Step 8: Approve System extensions for Microsoft Defender ATP
+
+1. In the **Configuration Profiles**, select **+ New**.
+
+    ![A screenshot of a social media post Description automatically generated](images/6c8b406ee224335a8c65d06953dc756e.png)
+
+2. Enter the following details:
+
+    **General**
+    
+    - Name: MDATP MDAV System Extensions
+    - Description: MDATP system extensions
+    - Category: None
+    - Distribution Method: Install Automatically
+    - Level: Computer Level
+
+    ![Image of configuration settings](images/sysext-new-profile.png)
+
+3. In **System Extensions** select **Configure**.
+
+   ![Image of configuration settings](images/sysext-configure.png)
+
+4. In **System Extensions** enter the following details:
+
+   - Display Name: Microsoft Corp. System Extensions
+   - System Extension Types: Allowed System Extensions
+   - Team Identifier: UBF8T346G9
+   - Allowed System Extensions:
+     - **com.microsoft.wdav.epsext**
+     - **com.microsoft.wdav.netext**
+
+    ![Image of configuration settings](images/sysext-configure2.png)
+
+5. Select the **Scope** tab.
+
+    ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
+
+6. Select **+ Add**.
+
+7. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+8. Select **+ Add**.
+
+   ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
+
+9. Select **Save**.
+
+   ![Image of configuration settings](images/sysext-scope.png)
+
+10. Select **Done**.
+
+    ![Image of configuration settings](images/sysext-final.png)
+
+## Step 9: Configure Network Extension
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+>[!NOTE]
+>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
+>As such, the following steps provide a workaround that involve signing the configuration profile.
+
+1. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) to your device and save it as `com.microsoft.network-extension.mobileconfig`
+
+2. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority
+
+3. After the certificate is created and installed to your device, run the following command from the Terminal from a macOS device:
+
+   ```bash
+   $ security cms -S -N "<certificate name>" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig
+   ```
+
+   ![Terminal window with command to create signed configuration](images/netext-create-profile.png)
+
+4. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. 
+
+   ![Image of upload window](images/netext-upload-file.png)
+
+5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
+
+   ![Image of upload window](images/netext-choose-file.png)
+
+6. Select **Upload**.
+
+   ![Image of upload window](images/netext-upload-file2.png)
+
+7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
+
+   ![Image of new configuration profile](images/netext-profile-page.png)
+
+8. Select the **Scope** tab.
+
+   ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
+
+9. Select **+ Add**.
+
+10. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+11. Select **+ Add**.
+
+    ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
+
+12. Select **Save**.
+
+    ![Image of configuration settings](images/netext-scope.png)
+
+13. Select **Done**.
+
+    ![Image of configuration settings](images/netext-final.png)
+
+## Step 10: Schedule scans with Microsoft Defender ATP for Mac
 Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
 
-## Step 9: Deploy Microsoft Defender ATP for macOS
+## Step 11: Deploy Microsoft Defender ATP for macOS
 
 1. Navigate to where you saved `wdav.pkg`.
 
@@ -729,9 +783,11 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
      ![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png)
    
 9. Select **Save**. The package is uploaded to Jamf Pro. 
+
    ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
 
    It can take a few minutes for the package to be available for deployment.
+   
    ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
 
 10. Navigate to the **Policies** page.
@@ -765,25 +821,31 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
     ![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png)
 
 17. Select **Save**.
+
     ![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png)
 
 18. Select the **Scope** tab.  
+
     ![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png)
 
 19. Select the target computers.
 
     ![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png)
 
-    **Scope**<br>
+    **Scope**
+    
     Select **Add**.
+    
     ![Image of configuration settings](images/1c08d097829863778d562c10c5f92b67.png)
 
     ![Image of configuration settings](images/216253cbfb6ae738b9f13496b9c799fd.png)
 
-    **Self-Service** <br>
+    **Self-Service**
+    
     ![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png)
 
 20. Select **Done**. 
+
     ![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png)
 
     ![Image of configuration settings](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)