macmacadm
Copper Contributor
Oct 23, 2024

macOS network extension / content filter

Hey, got a mystery to solve.

We're using Intune and Defender as our MDM/antivirus setup in the company.

Defender is deployed via Intune with custom plist files like in the docs:
https://learn.microsoft.com/en-us/defender-endpoint/mac-install-with-intune
Used ones are now:
- Approve extensions
- Full Disk Access
- Background services
- Notifications
- Onboarding package

After recent problems with network extensions in macOS Sequoia 15.*, we decided to resign from Network filter (network extension) at all.
We were deploying the Network filter profile before (but we were not using it, because we don't use web content filtering at all and it's disabled both in Defender and network protection is disabled in the antivirus policy at Intune Endpoint security | Antivirus -> Policy).

For some reason, despite deleting the network extension as an approved extension and no existing netfilter profile in Intune, the network extension is being installed on the endpoints and the network filter is still showing up at endpoints, requiring to allow content filtering (if you choose Don't allow, it pops up a million times). How to stop it from being installed and force to be allowed?

Does Defender require the network extension (com.microsoft.wdav.netext) for something else to work properly apart from web content filtering? Why is it still being pushed to the stations?

Need some guidance, tips, tricks, I'm running out of ideas.

  • LasseNilsson1
    Copper Contributor

    macmacadm

    Hi. Just wanted to say that we got the exact same problem. Hopefully someone got an idea how to fix this

    //Lasse

    • macmacadm
      Copper Contributor

      The only thing I've found is to push it with filter, but turn it off later with a script.

      #!/bin/bash
      #set -x
      sudo mdatp system-extension network-filter disable


      You can check it's installed, but disabled, with:
      mdatp health --details system_extensions

      However the script works locally, I can't make it work when pushed via Intune; it succeeds, but is not making any changes to the network filter for some reason.

      • LasseNilsson1
        Copper Contributor
        I tried that too, and it works, but then the popup comes right away asking the user for Allow or not
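
One way to make the disable step report its real outcome, as an added example that is not part of the original posts: it runs the command from the thread, then parses `mdatp health --details system_extensions` and exits non-zero unless the extension is installed but disabled. The key names in the constructed sample output, the helper function names, and running as root (so no `sudo`) are assumptions.

```bash
#!/bin/bash
# Added example: disable the Defender network filter, then verify the result
# instead of trusting the command's exit code alone.

# Constructed sample of `mdatp health --details system_extensions` output.
# The key names are an assumption; compare with real output on an endpoint.
SAMPLE_HEALTH='network_extension_enabled                 : false
network_extension_installed               : true
endpoint_security_extension_ready         : true
endpoint_security_extension_installed     : true'

# Read health output on stdin, print the value of one key ("unknown" if absent).
health_value() {
  awk -F':' -v key="$1" '
    { k = $1; v = $2; gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v) }
    k == key { print v; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# Classify the network extension from health output on stdin.
netext_state() {
  local out installed enabled
  out=$(cat)
  installed=$(printf '%s\n' "$out" | health_value network_extension_installed)
  enabled=$(printf '%s\n' "$out" | health_value network_extension_enabled)
  case "$installed/$enabled" in
    true/false) echo "installed-disabled" ;;
    true/true)  echo "installed-enabled" ;;
    false/*)    echo "not-installed" ;;
    *)          echo "unknown" ;;
  esac
}

# Run the disable command from the thread (assumes root), then check the state.
disable_and_verify() {
  mdatp system-extension network-filter disable
  local state
  state=$(mdatp health --details system_extensions | netext_state)
  echo "network extension state after disable: $state"
  [ "$state" = "installed-disabled" ]   # non-zero exit if the filter is still on
}

if command -v mdatp >/dev/null 2>&1; then
  disable_and_verify
else
  # No mdatp on this machine: classify the constructed sample instead.
  printf '%s\n' "$SAMPLE_HEALTH" | netext_state
fi
```

The printed state line ends up in whatever log captures the script's output, which helps when comparing a local run with a managed one.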
