diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-approved-system-extensions.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-approved-system-extensions.png new file mode 100644 index 0000000000..ca34ebef45 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-approved-system-extensions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune.png new file mode 100644 index 0000000000..ee61f80008 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-privacy.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-privacy.png new file mode 100644 index 0000000000..9ed9edc068 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-privacy.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md new file mode 100644 index 0000000000..0dffc901a9 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md 
@@ -0,0 +1,284 @@ +--- +title: New configuration profiles for macOS Catalina and newer versions of macOS +description: This topic describes the changes that are need to be made in order to benefit from the system extensions, which are a replacement for kernel extensions on macOS Catalina and newer versions of macOS. +keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: security +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# New configuration profiles for macOS Catalina and newer versions of macOS + +In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15) and newer version of macOS. + +If you have deployed Microsoft Defender ATP for Mac in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. Failure to do this will result in users getting approval prompts to run these new components. + +## JAMF + +### System Extensions Policy + +To approve the system extensions, create the following payload: + +1. In **Computers > Configuration Profiles** select **Options > System Extensions**. +2. Select **Allowed System Extensions** from the **System Extension Types** drop-down list. +3. Use **UBF8T346G9** for Team Id. +4. 
Add the following bundle identifiers to the **Allowed System Extensions** list: + + - **com.microsoft.wdav.epsext** + - **com.microsoft.wdav.netext** + - **com.microsoft.wdav.tunnelext** + + ![Approved system extensions screenshot](images/mac-approved-system-extensions.png) + +### Privacy Preferences Policy Control + +Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender ATP Endpoint Security Extension. This is a pre-requisite for running the extension on your device. + +1. Select **Options** > **Privacy Preferences Policy Control**. +2. Use `com.microsoft.wdav.epsext` as the **Identifier** and `Bundle ID` as **Bundle type**. +3. Set Code Requirement to `identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9` +4. Set **App or service** to **SystemPolicyAllFiles** and access to **Allow**. + + ![Privacy Preferences Policy Control](images/mac-system-extension-privacy.png) + +### Web Content Filtering Policy + +A web content filtering policy is needed to run the network extension. Add the following web content filtering policy: + +>[!NOTE] +>Note: JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. +>As such, the following steps provide a workaround that involve signing the web content filtering configuration profile. + +1. 
Save the following content to your device as `com.apple.webcontent-filter.mobileconfig` + + ```xml + + + + PayloadUUID + DA2CC794-488B-4AFF-89F7-6686A7E7B8AB + PayloadType + Configuration + PayloadOrganization + Microsoft Corporation + PayloadIdentifier + DA2CC794-488B-4AFF-89F7-6686A7E7B8AB + PayloadDisplayName + Microsoft Defender ATP Content Filter + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 2BA070D9-2233-4827-AFC1-1F44C8C8E527 + PayloadType + com.apple.webcontent-filter + PayloadOrganization + Microsoft Corporation + PayloadIdentifier + CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A + PayloadDisplayName + Approved Content Filter + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + FilterType + Plugin + UserDefinedName + Microsoft Defender ATP Content Filter + PluginBundleID + com.microsoft.wdav.daemon + FilterSockets + + FilterDataProviderBundleIdentifier + com.microsoft.wdav.netext + FilterDataProviderDesignatedRequirement + identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 + + + + + ``` + +2. Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`: + + ```bash + $ plutil -lint com.apple.webcontent-filter.mobileconfig + com.apple.webcontent-filter.mobileconfig: OK + ``` + +3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority + +4. 
After the certificate is created and installed to your device, run the following from the Terminal: + + ```bash + $ security cms -S -N "" -i com.apple.webcontent-filter.mobileconfig -o com.apple.webcontent-filter.signed.mobileconfig + ``` + +5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.apple.webcontent-filter.signed.mobileconfig` when prompted for the file. + +## Intune + +### Create the Custom Configuration Profile + +Save the following content to a file named **sysext.xml**: + +```xml + + + + PayloadUUID + 7E53AC50-B88D-4132-99B6-29F7974EAA3C + PayloadType + Configuration + PayloadOrganization + Microsoft Corporation + PayloadIdentifier + 7E53AC50-B88D-4132-99B6-29F7974EAA3C + PayloadDisplayName + Microsoft Defender ATP System Extensions + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 2BA070D9-2233-4827-AFC1-1F44C8C8E527 + PayloadType + com.apple.webcontent-filter + PayloadOrganization + Microsoft Corporation + PayloadIdentifier + CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A + PayloadDisplayName + Approved Content Filter + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + FilterType + Plugin + UserDefinedName + Microsoft Defender ATP Content Filter + PluginBundleID + com.microsoft.wdav.daemon + FilterSockets + + FilterDataProviderBundleIdentifier + com.microsoft.wdav.netext + FilterDataProviderDesignatedRequirement + identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 + + + PayloadUUID + 56105E89-C7C8-4A95-AEE6-E11B8BEA0366 + PayloadType + com.apple.TCC.configuration-profile-policy + PayloadOrganization + Microsoft Corporation + PayloadIdentifier + 56105E89-C7C8-4A95-AEE6-E11B8BEA0366 + PayloadDisplayName + 
Privacy Preferences Policy Control + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + Services + + SystemPolicyAllFiles + + + Identifier + com.microsoft.wdav.epsext + CodeRequirement + identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 + IdentifierType + bundleID + StaticCode + 0 + Allowed + 1 + + + + + + PayloadUUID + E6F96207-631F-462C-994A-37A6AD7BDED8 + PayloadType + com.apple.system-extension-policy + PayloadOrganization + Microsoft Corporation + PayloadIdentifier + E6F96207-631F-462C-994A-37A6AD7BDED8 + PayloadDisplayName + System Extensions + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + AllowUserOverrides + + AllowedSystemExtensions + + UBF8T346G9 + + com.microsoft.wdav.epsext + com.microsoft.wdav.netext + com.microsoft.wdav.tunnelext + + + + + + +``` + +### Deploy the Custom Configuration Profile + +To configure the system extensions in Intune: + +1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create profile**. +2. Choose a name for the profile. Change **Platform=macOS** and **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload sysext.xml. This file was created in the preceding step. +4. Select **OK**. + + ![System extension in Intune screenshot](images/mac-system-extension-intune.png) +
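Review bot: in JAMF step 4 the signing command `security cms -S -N "" -i com.apple.webcontent-filter.mobileconfig -o com.apple.webcontent-filter.signed.mobileconfig` passes an empty certificate nickname to `-N`, so as written it cannot select the certificate created in step 3; make the placeholder explicit (for example `-N "<name of the signing certificate from step 3>"`) and state that the reader must substitute the certificate name before running it. The Intune section also has no counterpart to the JAMF `plutil -lint` verification step; since a malformed plist silently fails at upload, add the same check (`plutil -lint sysext.xml`, expecting `sysext.xml: OK`) before "upload sysext.xml". Minor wording: the front-matter description reads "the changes that are need to be made" (should be "that need to be made"), the intro says "newer version of macOS" (should be "versions"), the callout repeats "Note:" inside the `[!NOTE]` block and "a workaround that involve signing" should be "involves".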