As part of our commitment to provide the best in market endpoint protection to our customers, we strive to ensure that Microsoft Defender ATP for Mac evolves in lock step with the macOS platform. We are also committed to minimizing security agent related friction as organizations migrate to the next major macOS version. Apple is shifting away from kernel extensions, starting with macOS 11 Big Sur. In alignment with Apple’s strategy, public preview is now open for Microsoft Defender ATP for Mac implementation that leverages the new system extensions instead of kernel extensions.
How will the system extensions-based update be delivered?
The system extensions-based version of Microsoft Defender ATP for Mac will be delivered to all macOS devices via the existing Microsoft AutoUpdate (MAU) channel.
Refer to our system extensions-based update documentation for additional update related details and how to determine if a device is running the new version based on system extensions.
After successfully deploying and activating the update, the on-device experience will remain unchanged.
What devices are eligible for the system extensions-based update?
To experience the new system extensions-based implementation during public preview, you’ll need to have preview features turned on in the Microsoft Defender Security Center. If you have not yet opted into previews, we encourage you to turn on preview features in the Microsoft Defender Security Center today.
Prior to the general availability of macOS 11 Big Sur, the new system extensions-based code path can be activated on devices running macOS Catalina version 10.15.4 or later and registered for the InsiderFast MAU update channel.
Once macOS 11 Big Sur is generally available, the new system extensions-based implementation will be activated on all devices running macOS 11.
How to prepare for activation of the system extensions-based update
To ensure that the Microsoft Defender ATP for Mac system extensions-based update is delivered and applied seamlessly from an end-user experience perspective, a new remote configuration must be deployed to all eligible macOS devices before the new code path is activated. If the configuration is not deployed prior to the activation of the new Microsoft Defender ATP for Mac agent implementation, end-users will be presented with a series of system dialogs asking to grant the agent all necessary permissions associated with the new system extensions. Refer to our system extensions-based update documentation to learn in detail what to expect without applying the new remote configuration.
Benefits of taking action ahead of broader update applicability
The new Microsoft Defender ATP for Mac system extension-based implementation is currently only applicable to devices running macOS version 10.15.4 or later and in InsiderFast MAU ring. However, deploying configuration proactively across the entire macOS fleet ensures that all Mac devices are prepared for macOS 11 Big Sur on its release day. It also ensures that Microsoft Defender ATP for Mac continues protecting all macOS devices immediately post-upgrade to Big Sur. The new remote configuration is supplemental to any prior Microsoft Defender ATP for Mac configuration and will have no adverse effect on devices that still run the kernel extension-based version.
We invite you to monitor the What's new in Microsoft Defender ATP for Mac page for upcoming announcements (including general availability of the system extensions-based update).
We welcome your feedback and look forward to hearing from you!
You can submit feedback by opening Microsoft Defender ATP for Mac on your device and navigating to Help > Send feedback. Another option is to submit feedback via the Microsoft Defender Security Center.
If you’re not yet taking advantage of Microsoft’s industry leading optics and detection capabilities, sign up for free trial of Microsoft Defender ATP today.
Helen Allas
Microsoft Defender ATP team