Introduction
Microsoft Defender for Endpoint (MDE) is a unified endpoint security platform that helps protect your organization from advanced threats. MDE provides threat detection, investigation, and response capabilities across Windows, Linux, Android, and macOS devices.
To deploy MDE on macOS devices, you need to install the MDE agent and onboard the devices to the MDE service. You can use Microsoft Intune, a cloud-based device management service, to automate both the installation and the onboarding. This blog post explains how to use Intune to achieve zero-touch onboarding of MDE on macOS devices.
Prerequisites
Before you start, make sure you have the following:
- Users assigned licenses for both MDE and Intune.
- A supported macOS version (the three most recent major releases are supported).
This blog post assumes the device is already enrolled in Intune. It does not cover the Intune enrollment methods; the enrollment type does not change the MDE onboarding steps.
Configuration Steps
The table below lists the mandatory steps for a successful MDE deployment on macOS. The Purpose column names each required configuration step; each entry links to the guided instructions in the Learn docs.

| Step | Purpose | Type | Reference |
| --- | --- | --- | --- |
| 1 | Intune Configuration Profile – Extensions. Note: if you already have a configuration profile that sets this bundle identifier, merge the two, since Apple supports only one. | | |
| 2 | Intune Configuration Profile – Custom | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
| 6 | | | |
| 7 | Onboarding Blob | | |
| 8 | Application – Native Intune | | |
Optional Steps
Additionally, you may want to further customize the MDE configuration. Below are a few suggestions; follow the guided instructions in the Learn docs for each.

| Configuration | Location |
| --- | --- |
| Configure Bluetooth policies for Device Control (starting with macOS 14). | Intune Custom Configuration Profile |
| Choose between the Beta, Preview and Production update channels. | Intune Custom Configuration Profile |
| Configuration settings for AV, exclusions and EDR. | Intune Portal or Defender Portal |
| Reduce the attack surface from Internet-based events such as phishing, exploits and malicious content. | Defender Portal |
| Removable device controls such as allow, block, read and write. | Intune Portal or Defender Portal |
| Purview DLP integration with MDE. | Intune Custom Configuration Profile |
Verification & Monitoring
The MDE agent is installed and onboarded silently on the macOS devices you targeted. The agent icon appears in the macOS menu bar at the top of the screen.
As shown in the screenshots below, click the MDE icon to launch the app and view its details.
Additionally, you can verify the installation and onboarding status by launching the Terminal app and running the command mdatp health.
The output reports the overall MDE health status, including configuration, definition status, and the device and organization IDs. Settings tagged [managed] are the ones enforced by your Intune configuration profiles; compare them against what you configured.
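The following script is an added example, not code from the original post or from Microsoft: it parses the key : value lines that mdatp health prints and checks the handful of fields that prove a zero-touch onboarding actually worked (healthy, licensed, a populated org_id from the onboarding blob, real-time protection, Full Disk Access, and current definitions). The two SAMPLE_* strings are constructed stand-ins for real agent output, with placeholder IDs, so the script runs on any machine; on a managed Mac run it with --live to feed it the real mdatp health output instead. The field names are the ones mdatp health uses today; if a newer build renames one, the check simply reports FAIL with an empty value.

```shell
#!/bin/sh
# Added example, not from the original post: parse `mdatp health` output and
# check the fields that prove a zero-touch onboarding worked. The SAMPLE_*
# strings are constructed stand-ins for real output (placeholder IDs), so the
# script runs anywhere; use --live on a managed Mac to check the real agent.

# Constructed sample: a healthy, onboarded device.
SAMPLE_HEALTHY='healthy                         : true
health_issues                   : []
licensed                        : true
org_id                          : "11111111-2222-3333-4444-555555555555"
machine_guid                    : "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
release_ring                    : "Production"
cloud_enabled                   : true
passive_mode_enabled            : false [managed]
real_time_protection_enabled    : true [managed]
real_time_protection_subsystem  : "endpoint_security_extension"
network_events_subsystem        : "network_filter_extension"
full_disk_access_enabled        : true
tamper_protection               : "block"
definitions_status              : "up_to_date"
cloud_automatic_sample_submission_consent : "safe" [managed]
edr_early_preview_enabled       : "disabled"'

# Constructed sample: agent installed, but the onboarding blob never applied.
SAMPLE_UNONBOARDED='healthy                         : false
health_issues                   : ["missing license"]
licensed                        : false
org_id                          : ""
real_time_protection_enabled    : true
full_disk_access_enabled        : false
definitions_status              : "up_to_date"'

# health_field KEY TEXT: print KEY's value with quotes and the [managed] tag stripped.
health_field() {
  printf '%s\n' "$2" | awk -F' *: ' -v key="$1" \
    '$1 == key { v = $2; sub(/ \[managed\]$/, "", v); gsub(/"/, "", v); print v; exit }'
}

# is_managed KEY TEXT: succeeds when KEY carries the [managed] tag, i.e. the
# value is enforced by an MDM (Intune) profile rather than set locally.
is_managed() {
  printf '%s\n' "$2" | grep -Eq "^$1 *: .*\[managed\]$"
}

# managed_keys TEXT: list every setting currently enforced by MDM policy.
managed_keys() {
  printf '%s\n' "$1" | awk -F' *: ' '/\[managed\]$/ { print $1 }'
}

# check_health TEXT: one PASS/FAIL line per onboarding check; returns 1 on any failure.
check_health() {
  text=$1
  rc=0
  for pair in healthy=true licensed=true real_time_protection_enabled=true \
              full_disk_access_enabled=true definitions_status=up_to_date; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(health_field "$key" "$text")
    if [ "$got" = "$want" ]; then
      printf 'PASS %-30s %s\n' "$key" "$got"
    else
      printf 'FAIL %-30s got "%s", want "%s"\n' "$key" "$got" "$want"
      rc=1
    fi
  done
  # A populated org_id is the direct evidence that the onboarding blob applied.
  org=$(health_field org_id "$text")
  if printf '%s' "$org" | grep -Eq '^[0-9a-fA-F-]{36}$'; then
    printf 'PASS %-30s %s\n' org_id "$org"
  else
    printf 'FAIL %-30s empty or not a GUID\n' org_id
    rc=1
  fi
  return $rc
}

# With --live, check the real agent; otherwise check the constructed sample.
if [ "${1:-}" = "--live" ]; then
  check_health "$(mdatp health)"
else
  check_health "$SAMPLE_HEALTHY"
fi
```

Run it as sh check_mdatp.sh --live on a freshly deployed Mac; a FAIL on org_id or licensed means the device reached step 8 (the app installed) without step 7 (the onboarding blob) taking effect, and a FAIL on full_disk_access_enabled points at the configuration-profile steps. managed_keys "$(mdatp health)" lists exactly which settings Intune is enforcing, which is the quickest way to confirm a custom profile actually landed.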
As an IT admin, you can launch Microsoft Defender portal to view the device's health, associated incidents, security recommendations, inventory and discovered vulnerabilities.
- Click on the device for more information.
Other Installation Methods
Intune is one of the deployment tools for MDE; however, you can choose other ways to deploy it. Below are a few callouts:
Command Line – Manual Deployment
Thanks,
Arnab Mitra