May 30 2024 02:26 AM - edited Jun 20 2024 05:48 AM
Hello,
I successfully deployed and configured Microsoft Defender on macOS using Mosyle MDM.
However, I see here one conflicting app:
MosyleMonitor app is deployed to all machines by default.
I didn't notice any problems in the work of the Defender, nor on the MDM side.
What does this mean? Maybe there was some permission overlap?
Thanks
Jun 06 2024 11:32 PM
This is definitely an issue with Full Disk Access permissions. If I turn off full disk access for MosyleMonitor there is no conflict.
Mosyle support:
"The Mosyle Agent is critical to fully enforce profiles and configurations that are deployed. To ensure the agent is always functioning as expected, it contains a built-in service (known as MosyleMonitor) to prevent any other application or process from pausing or blocking the agent process."
I will contact Microsoft support to check if they have any solution for this.
Jun 07 2024 07:55 AM - edited Jun 11 2024 01:49 PM
I have also been wondering about this. Perhaps there is an exclusion path Microsoft recommends. Please let us know what Microsoft support says.
Jun 11 2024 01:39 PM
@Tempest62 wouldn't the exclusion path be set on Microsoft Defender and not on Mosyle? In that sense, you can have Defender not scan that file and just see it as innocuous.
Jun 11 2024 01:50 PM
Jun 11 2024 11:39 PM - edited Jun 11 2024 11:50 PM
@Tempest62 @EnderGG I tried creating an exclusion for the whole Mosyle folder:
"/Library/Application Support/Mosyle/"
according to this article:
https://learn.microsoft.com/en-us/defender-endpoint/mac-exclusions#supported-exclusion-types
However, there is no change.
It looks like the app conflict is at the system level and this exclusion is for antivirus scan. Am I right?
Btw, created 2 tickets for Microsoft support (10 days ago) and there is no response from their side.
Jun 19 2024 07:45 AM
Finally got an answer from Microsoft support. In general, they do not support other 3rd party MDM systems, only Intune and Jamf.
However, they also suggested creating an AV exclusion.
"The conflicting_applications field in MDE health report contains a list of applications which are running as Endpoint Security client (https://developer.apple.com/documentation/endpointsecurity).
These clients can intercept lots of events from macOS kernel and have the ability to allow or deny them."
I already created an AV exclusion for the whole Mosyle folder but there is no change.
Jun 20 2024 05:31 AM
Jun 20 2024 05:44 AM
Jun 20 2024 06:06 AM
Jun 20 2024 06:21 AM
@djolenole it works but Microsoft should really be providing a more complete answer on how to not have MosyleMonitor clash with its software. They've put out next to no information on what the conflicting_applications feature is or how it operates (https://learn.microsoft.com/en-us/defender-endpoint/mac-preferences) so as is often the case it becomes an exercise left to the reader who then turns to Microsoft support for help. Not really ideal in my opinion.