windows-itpro-docs/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md

title: Enable Microsoft Defender ATP Insider Machine
description: Install and use Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual

Enable Microsoft Defender ATP Insider Machine

Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac machine to be an "Insider" machine as described in this article. For scale deployment, we recommend using Jamf or Intune.

Important

Make sure you have enabled Microsoft Defender ATP for Mac, and pay attention to the “earlyPreview” flag. See documentation for Jamf, Intune and manual deployment instructions.

Enable the Insider program with Jamf

a. Create configuration profile com.microsoft.wdav.plist with the following content:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>edr</key>
        <dict>
            <key>earlyPreview</key>
            <true/>
        </dict>
    </dict>
    </plist>

b. From the Jamf console, navigate to Computers > Configuration Profiles, navigate to the configuration profile you'd like to use, then select Custom Settings.

c. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.

Warning

You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product.

Enable the Insider program with Intune

a. Create configuration profile com.microsoft.wdav.plist with the following content:

   <?xml version="1.0" encoding="utf-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1">
       <dict>
           <key>PayloadUUID</key>
           <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
           <key>PayloadType</key>
           <string>Configuration</string>
           <key>PayloadOrganization</key>
           <string>Microsoft</string>
           <key>PayloadIdentifier</key>
           <string>com.microsoft.wdav</string>
           <key>PayloadDisplayName</key>
           <string>Microsoft Defender ATP settings</string>
           <key>PayloadDescription</key>
           <string>Microsoft Defender ATP configuration settings</string>
           <key>PayloadVersion</key>
           <integer>1</integer>
           <key>PayloadEnabled</key>
           <true/>
           <key>PayloadRemovalDisallowed</key>
           <true/>
           <key>PayloadScope</key>
           <string>System</string>
           <key>PayloadContent</key>
           <array>
               <dict>
                   <key>PayloadUUID</key>
                   <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
                   <key>PayloadType</key>
                   <string>com.microsoft.wdav</string>
                   <key>PayloadOrganization</key>
                   <string>Microsoft</string>
                   <key>PayloadIdentifier</key>
                   <string>com.microsoft.wdav</string>
                   <key>PayloadDisplayName</key>
                   <string>Microsoft Defender ATP configuration settings</string>
                   <key>PayloadDescription</key>
                   <string/>
                   <key>PayloadVersion</key>
                   <integer>1</integer>
                   <key>PayloadEnabled</key>
                   <true/>
                   <key>edr</key>
                   <dict>
                       <key>earlyPreview</key>
                       <true/>
                   </dict>
               </dict>
           </array>
       </dict>
   </plist>

b. Open Manage > Device configuration. Select Manage > Profiles > Create Profile.

c. Choose a name for the profile. Set Platform to macOS and Profile type to Custom. Select Configure.

d. Save the .plist created earlier as com.microsoft.wdav.xml.

e. Enter com.microsoft.wdav as the custom configuration profile name.

f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step d.

g. Select OK.

h. Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices.

Warning

You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
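
A pre-upload check for the two profile shapes above (the bare Jamf plist and the Intune profile with PayloadContent), as an added example that is not part of the original documentation. It flags a payload that does not use the com.microsoft.wdav domain and an earlyPreview value that is not a real boolean; lint_profile and the sample constants are hypothetical names, and the sample inputs are constructed.

```python
import plistlib

DOMAIN = "com.microsoft.wdav"  # preference domain the page requires


def lint_profile(data: bytes) -> list:
    """Return problems found; an empty list means edr/earlyPreview is enabled."""
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a parseable plist: {exc}"]
    if not isinstance(root, dict):
        return ["top-level object is not a dict"]

    if "PayloadContent" in root:
        # Intune shape: settings sit in a payload whose PayloadType is the domain.
        content = root["PayloadContent"]
        if not isinstance(content, list):
            return ["PayloadContent is not an array"]
        payloads = [p for p in content
                    if isinstance(p, dict) and p.get("PayloadType") == DOMAIN]
        if not payloads:
            return [f"no payload with PayloadType {DOMAIN}"]
    else:
        # Jamf shape: bare settings; the domain is entered in the Jamf console.
        payloads = [root]

    problems = []
    for payload in payloads:
        edr = payload.get("edr")
        if not isinstance(edr, dict) or "earlyPreview" not in edr:
            problems.append("edr/earlyPreview key is missing")
        elif edr["earlyPreview"] is not True:
            # <string>true</string> parses as a str, not a boolean
            problems.append(f"earlyPreview is {edr['earlyPreview']!r}, expected <true/>")
    return problems


# Constructed sample inputs (not taken from a real deployment).
JAMF_OK = plistlib.dumps({"edr": {"earlyPreview": True}})
INTUNE_OK = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{"PayloadType": DOMAIN, "edr": {"earlyPreview": True}}],
})
INTUNE_WRONG_DOMAIN = plistlib.dumps({
    "PayloadContent": [{"PayloadType": "com.microsoft.wdev",
                        "edr": {"earlyPreview": True}}],
})
JAMF_STRING_FLAG = plistlib.dumps({"edr": {"earlyPreview": "true"}})
```

Run lint_profile on the bytes of the file before uploading it; the check covers only the file contents, so the preference domain typed into the Jamf console still has to be verified there.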

Enable the Insider program manually on a single machine

In the command prompt, run:

    mdatp --edr --early-preview true

Troubleshooting

Verify you are running the correct version

To verify you are running the correct version, run mdatp --health on the machine.

  • The required version is 100.72.15 or later.
  • If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running defaults read com.microsoft.autoupdate2 from terminal.
  • To change update settings, see the documentation in Update Office for Mac automatically.
  • If you are not using Office for Mac, download and run the AutoUpdate tool.

A machine still does not appear on Microsoft Defender Security Center

After a successful deployment and onboarding of the correct version, check that the machine has connectivity to the cloud service by running mdatp --connectivity-test.

  • Check that you enabled the early preview flag. In terminal run “mdatp health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.

If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the manual deployment documentation and use the “Manual Deployment” section in the troubleshoot kernel extension documentation.