Blog Post

Microsoft Defender for Endpoint Blog
5 MIN READ

Network Protection and Web Protection for macOS and Linux

NickWelton's avatar
NickWelton
Icon for Microsoft rankMicrosoft
Aug 17, 2022

Over the last two years, the world has dramatically changed both in our daily lives and how companies conduct business. In the pre-pandemic world, eroding network boundaries and the maturity of SaaS applications precipitated endpoint-first design. The pandemic and post-pandemic era demand it, the world is embracing hybrid workplaces and zero trust postures.

 

When we first launched Network Protection for Windows and built powerful Web Protection and Microsoft Defender for Cloud Apps (MDA) capabilities on top of it, we knew our vision to bring you our proxy-less endpoint first architecture would remain incomplete until we delivered for macOS and Linux. That day has arrived, and we could not be more excited to share that Network and Web Protection for macOS is now Generally Available and in Public Preview for Linux!

 

Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

 

It is the foundation on which our Web Protection for Microsoft Defender for Endpoint is built. These capabilities include Web threat protectionWeb content filtering, and IP/URL Custom indicators. Web protection enables you to secure your devices against web threats and helps to regulate unwanted content.

 

Network protection also integrates Microsoft Defender for Endpoint with Defender for Cloud Apps natively. Currently, the integration for macOS and Linux only supports endpoint enforcement capabilities.

How to evaluate Network Protection and the features it enables:

 

Explore Network Protection on macOS

 

For Network Protection for macOS to be active on your devices, Network Protection must be enabled by your organization. We suggest deploying the audit or block mode policy to a small set of devices and verify there are no issues or broken workstreams before gradually deploying to a larger set of devices.

 

Prerequisites & Requirements  

  • Licensing: Microsoft Defender for Endpoint tenant (can be trial) 
  • Onboarded Machines: 
    • Minimum macOS version: 11 (Big Sur)
    • MDE product version: 101.94.13

Once the prerequisites have been met, follow installation and configuration instructions in Use network protection to help prevent macOS connections to bad sites | Microsoft Docs

 

Here is how the experience looks on macOS: 

 

 

Explore Network Protection on Linux

 

Prerequisites & Requirements  

Once the prerequisites have been met, follow installation and configuration instructions in Use network protection to help prevent Linux connections to bad sites | Microsoft Docs

 

How do I verify my Mac/Linux device is configured properly?

  1. Navigate to https://smartscreentestratings2.net/ which will block the browser from loading the page. On macOS an accompanying toast message will also be shown.

 On Linux the connection will be disallowed as shown below. There will be no accompanying toast message in Linux:

 

Alternatively, you can also test this from the Terminal by running the following command and noticing that the connection is blocked by the Network Protection: 

curl https://smartscreentestratings2.net

 

How do I explore the features?

  1. Protect your organization against web threats | Microsoft Docs
    1. Web threat protection is part of Web protection in Microsoft Defender for Endpoint. It uses network protection to secure your devices against web threats.
  2. Run through the IP/URL Custom Indicators of Compromise flow to get blocks on the Custom Indicator type. 
  3. Explore Web content filtering | Microsoft Docs 
    1. Note: if you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
    2. Pro Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
  4. Integrate Microsoft Defender for Endpoint with Cloud App Security | Microsoft Docs and your Linux and macOS devices with Network Protection enabled will have endpoint policy enforcement capabilities.

Note: Discovery and other features are currently not supported on macOS and Linux platforms.

 

 

 

 

On device experience 

When an end user attempts to access monitored domains on macOS/Linux, their navigation effort will be audited/blocked (depending on Network Protection policy). On macOS, the user will also be informed by Microsoft Defender for Endpoint via toast.

 

 

macOS

The user will get a plain block experience accompanied by the following toast message which will be displayed by the operating system including the name of the blocked application or website (e.g Blogger.com)  

 

No block pages are shown in third-party browsers, and the user sees a "Secure Connection Failed' page along with a toast notification. Depending on the policy responsible for the block, a user will see a different message in the toast notification. For example, web content filtering will display the message 'This content is blocked'.

 

 

 We are looking forward to hearing your feedback and answering any questions you may have!

 

Reference Documents

Microsoft Defender for Endpoint on Mac documentation - Microsoft Defender for Endpoint on Mac | Microsoft Docs 

Microsoft Defender for Endpoint on Linux documentation - Microsoft Defender for Endpoint on Linux | Microsoft Docs

About Microsoft Defender for Endpoint Network Protection - Use network protection to help prevent connections to bad sites | Microsoft Docs 

About Microsoft Defender for Endpoint Network Protection on Linux - Use network protection to help prevent Linux connections to bad sites | Microsoft Docs

About Microsoft Defender for Endpoint Network Protection on macOS - Use network protection to help prevent macOS connections to bad sites | Microsoft Docs

Enable Network Protection - Turn on network protection | Microsoft Docs

Web Protection - Web protection | Microsoft Docs 

Custom Indicators - Create indicators | Microsoft Docs 

Web Content Filtering (WCF) - Web content filtering | Microsoft Docs 

Microsoft Defender for Cloud Apps - Integrate Microsoft Defender for Endpoint with Cloud App Security | Microsoft Docs 

Edge Browser Setup - https://www.microsoft.com/en-us/edge/features 

 

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

Microsoft Defender for Endpoint team

Updated Jun 29, 2023
Version 8.0