As we continue to invest in Microsoft Defender for Endpoint capabilities for macOS, we are thrilled to announce the public preview of Tamper Protection for macOS devices.
Tamper Protection brings an additional layer of protection in Microsoft Defender for Endpoint to elevate the endpoint security posture of organizations. Reliably securing endpoints is crucial for any organization. Enhanced tamper resilience across prevalent platforms is a great advantage for organizations seeking to continuously enhance their endpoint security.
What are the Tamper Protection scope and prerequisites?
The high-level scope of Tamper Protection for macOS is:
Prevention of unauthorized removal of Microsoft Defender for Endpoint on macOS
Prevention of tampering with Microsoft Defender for Endpoint files, processes, and configuration
Tamper Protection for macOS can be set to “disabled”, “audit”, or “block”
The Tamper Protection setting applies at the device level (across all users of a device).
When planning to roll out this feature, there are some key considerations and requirements to follow to ensure a successful implementation.
To experience the Tamper Protection for macOS capability in public preview, you’ll need to have preview features turned on in the Microsoft 365 Defender portal. If you have not yet opted into previews, we encourage you to turn on preview features in the Microsoft 365 Defender portal today.
IMPORTANT: While the Tamper Protection capability is still in preview, enable Tamper Protection only on a designated testing group (devices, profiles, smart groups).
Know before you start:
Supported macOS versions: Monterey (12), Big Sur (11), Catalina (10.15+)
Minimum required version for Defender for Endpoint: 101.49.25
Mobile device management (MDM) solution to configure Microsoft Defender for Endpoint on Mac
How to enable Tamper Protection for macOS?
There are several tools and methods you can use to enable the Tamper Protection feature. The common Mac MDM solutions can be used to deploy a remote configuration that controls Tamper Protection mode. The remote configuration takes precedence over any conflicting local on-device configuration.