Defender on macOS - conflicting applications

Hello,

I successfully deployed and configured Microsoft Defender on macOS using Mosyle MDM.

However, I see here one conflicting app:


MosyleMonitor app is deployed to all machines by default.

I didn't notice any problems in the work of the Defender, nor on the MDM side.

What does this mean? Maybe there was some permission overlap?

 

Thanks

 

 

 

10 Replies

This is definitely an issue with Full Disk Access permissions. If I turn off full disk access for MosyleMonitor there is no conflict.

 

Mosyle support:

"The Mosyle Agent is critical to fully enforce profiles and configurations that are deployed. To ensure the agent is always functioning as expected, it contains a built-in service (known as MosyleMonitor) to prevent any other application or process from pausing or blocking the agent process."

 

I will contact Microsoft support to check if they have any solution for this.

 

 

I have also been wondering about this. Perhaps there is an exclusion path Microsoft recommends. Please let us know what Microsoft support says.

@Tempest62 wouldn't the exclusion path be set on Microsoft Defender and not on Mosyle? In that sense, you can have Defender not scan that file and just see it as innocuous.

@EnderGG yes, that is what I was hinting at, just not very well!

@Tempest62 @EnderGG I tried creating an exclusion for the whole Mosyle folder:
"/Library/Application Support/Mosyle/"
according to this article:
https://learn.microsoft.com/en-us/defender-endpoint/mac-exclusions#supported-exclusion-types

However, there is no change.

It looks like the app conflict is at the system level and this exclusion is for antivirus scan. Am I right?

 

Btw, I created 2 tickets for Microsoft support (10 days ago) and there is no response from their side.

Finally got an answer from Microsoft support. In general, they do not support other 3rd party MDM systems, only Intune and Jamf.
However, they also suggested creating an AV exclusion.

"The conflicting_applications field in the MDE health report contains a list of applications which are running as Endpoint Security clients (https://developer.apple.com/documentation/endpointsecurity).
These clients can intercept lots of events from the macOS kernel and have the ability to allow or deny them."

 

I already created an AV exclusion for the whole Mosyle folder but there is no change.


Same issue here, but I have two conflicting apps.
conflicting_applications : [474("MosyleAOD"), 477("MosyleMonitor")]
Exclusion did not work either...
I didn't notice anything wrong with the current functioning either in Mosyle or on the Defender side, it works for now :)
It does indeed, however my OCD kicks in when I see some inconsistencies :)
Anyhow - I created a ticket with MS - they suggested reaching out to Mosyle support, which I did, and I am waiting for a reply now.

@djolenole it works but Microsoft should really be providing a more complete answer on how to not have MosyleMonitor clash with its software. They've put out next to no information on what the conflicting_applications feature is or how it operates (https://learn.microsoft.com/en-us/defender-endpoint/mac-preferences) so as is often the case it becomes an exercise left to the reader who then turns to Microsoft support for help. Not really ideal in my opinion.
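
Since the thread establishes that conflicting_applications lists other Endpoint Security clients and that AV exclusions do not change it, one practical use of the field is to inventory those clients and flag any you did not deploy. The following is an added example, not part of the original thread and not Microsoft or Mosyle code; it assumes the value format quoted in the post above, and the allowlist, host names and the "UnknownESClient" entry are constructed.

```python
import re

# One entry as printed in the thread: 474("MosyleAOD")
ENTRY = re.compile(r'(\d+)\("([^"]*)"\)')

def parse_conflicting(line):
    """Return [(pid, name), ...] from a conflicting_applications line or bare value."""
    value = line.strip()
    if not value.startswith("["):
        # Full "key : value" line, as pasted in the thread
        key, sep, value = value.partition(":")
        if key.strip() != "conflicting_applications" or not sep:
            raise ValueError(f"not a conflicting_applications line: {line!r}")
        value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError(f"unexpected value format: {value!r}")
    return [(int(pid), name) for pid, name in ENTRY.findall(value)]

def triage(line, expected):
    """Split reported Endpoint Security clients into (expected, unexpected) by name."""
    clients = parse_conflicting(line)
    known = [c for c in clients if c[1] in expected]
    unknown = [c for c in clients if c[1] not in expected]
    return known, unknown

def fleet_report(health_by_host, expected):
    """Map host -> names of unexpected clients; hosts with none are omitted."""
    report = {}
    for host, line in health_by_host.items():
        _, unknown = triage(line, expected)
        if unknown:
            report[host] = sorted(name for _, name in unknown)
    return report

# Assumption: the MDM agents named in the thread are the clients we expect.
EXPECTED = {"MosyleMonitor", "MosyleAOD"}

# Constructed sample; mac-01 is the line quoted in the thread, the rest are invented.
SAMPLE = {
    "mac-01": 'conflicting_applications : [474("MosyleAOD"), 477("MosyleMonitor")]',
    "mac-02": 'conflicting_applications : []',
    "mac-03": '[477("MosyleMonitor"), 612("UnknownESClient")]',
}

if __name__ == "__main__":
    for host, names in fleet_report(SAMPLE, EXPECTED).items():
        print(f"{host}: unexpected Endpoint Security client(s): {', '.join(names)}")
```

Matching is by process name only, so an allowlisted name is a prompt to confirm the binary's code signature, not proof of identity.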