Understanding Device Control for macOS in Defender for Endpoint
Step-by-step implementation guide Requirements for Implementing Device Control: Defender for Endpoint or Defender for Business licenses (can be a trial subscription) Minimum OS version: macOS 11 or higher Minimum product version: 101.34.20 The implications of these requirements are that first, the macOS devices need to be onboarded in Defender for Endpoint for the Device Control policies to be enforced, secondly the OS needs to be at certain level or higher and third the minimum product version required, implies that the Defender app needs to be installed on the macOS device. Another aspect to take into consideration is that Defender can be running in active or passive mode for Device Control to work. Check the feature comparison table in this article to view how the Defender for Endpoint features behave when Defender is running active or passive mode. For this guide, I would like to focus on how we implement the policies for Device Control on macOS devices using Microsoft Intune. When deploying Device Control using Microsoft Intune, you have the advantage of using a native platform that integrates with Defender XDR portal and EntraID. Integrating device control into this broader security framework is crucial for maintaining a robust defense against potential threats. Considerations for Device Control to be effective and allow a smooth onboarding of devices: Your MacOS devices must be running at least macOS 11.x or higher. You will need a Microsoft365 subscription to be able to license your devices for Defender for Endpoint. To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or E5. The Defender app needs to be installed and licensed (the device went through the onboarding process) on the macOS device. The main difference between Windows OS devices and macOS devices is that in Windows OS, the Defender application is part of the core OS and in macOS it needs to be installed as a regular application you can install on the device, preferably through Microsoft Intune. After the devices are onboarded in Defender for Endpoint, the devices will appear in EntraID as a synthetic object, meaning that you will see the “join type” field as blank. This allows you to group these devices in EntraID dynamic groups to automate the app deployment process. To enable devices to get endpoint security management settings from either Microsoft Intune or Defender portal, you need to enable to configure your tenant to support Defender for Endpoint security settings management. Older versions of Mac devices’ hardware, as long as they can support macOS 11.x or higher, can run the feature. The performance of the feature will depend on how the hardware performs, due to the fact that it is an outdated device. In order to apply device control policies, the device needs to be onboarded in Defender for Endpoint. Just applying the .mobileconfig file directly to the device or the .json file if using JAMF will not cause any effect on the device. To learn more about the .mobileconfig file and .json file, please refer to these articles. .mobileconfig and .json files. One of the key differences with Device control implementation in other operating systems like macOS is that the configuration is done via Microsoft Intune device configuration profile. This experience is not yet available in Defender portal. This guide applies for macOS devices managed by Intune. To further understand the pre-requisites for Device Control for macOS on Defender for Endpoint, please refer to this article. Process of deploying Defender for Endpoint app on macOS to prepare for device control policies Now, after you get all the pre-requisites aligned and ready to go, it is time to start preparing the environment in Intune for Device Control. Configuration Steps Install Microsoft Defender for Endpoint on macOS: Ensure that Microsoft Defender for Endpoint is installed and running on your macOS devices. You can follow the installation guide available on the Microsoft Learn website. This process is described in Fig.1 2. Build the MobileConfig File: Create a mobileconfig file that includes the necessary groups, rules, and settings for device control. You can use the demo file available on GitHub as a reference:. This file serves as a useful starting point for developing how the policy should function on the device. Validate your policy with the JSON schema to ensure the format is correct: https://github.com/microsoft/mdatp-devicecontrol/device_control_policy_schema.json 3. Deploy the MobileConfig File Using Intune: Sign in to the Microsoft Intune admin center and navigate to Devices > macOS. Select 'Create profile', choose 'Templates', and then 'Custom'. Upload the mobileconfig file you created in the previous step Configure Device Control Policies: Open the Microsoft Intune admin Center and navigate to the Device configuration section. Create a new policy for macOS devices. Specify the types of devices you want to control (e.g., USB drives, external hard drives). Set the permissions for each device type. You can choose to allow, block, or restrict access based on various criteria such as device ID, vendor ID, or serial number. 5. Deploy the Policy: Once the policy is configured, deploy it to the targeted macOS devices. Ensure that the devices are connected to the internet and can receive policy updates from the Microsoft Defender portal or Microsoft Intune. 6. Monitor and Manage Devices: Use the Microsoft Defender portal to monitor the status of connected devices. You can view the Device control report in Defender portal to track device usage and identify any unauthorized access attempts. You can also perform advanced hunting in Defender portal to monitor when a policy was triggered. Below I list a couple of KQL queries that can help with this monitoring. Example 1: Discover if the removable storage policy was triggered: Note: Before running, check spaces and syntax of the query is ok after copying and pasting the query in Advanced Hunting, to prevent errors. //RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement for both Printer and Removable storage based on your policy DeviceEvents | where ActionType == "RemovableStoragePolicyTriggered" | extend parsed=parse_json(AdditionalFields) | extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess) | extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) | extend MediaBusType = tostring(parsed.BusType) | extend MediaClassGuid = tostring(parsed.ClassGuid) | extend MediaClassName = tostring(parsed.ClassName) | extend MediaDeviceId = tostring(parsed.DeviceId) | extend MediaInstanceId = tostring(parsed.DeviceInstanceId) | extend MediaName = tostring(parsed.MediaName) | extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy) | extend MediaProductId = tostring(parsed.ProductId) | extend MediaVendorId = tostring(parsed.VendorId) | extend MediaSerialNumber = tostring(parsed.SerialNumber) |project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize | order by Timestamp desc Example 2: This query interrogates the DeviceEvents table, searching for “PnP” (Plug n Play) types of action. The field Additional fields provides essential information about the device ClassGUID and what .inf files are part of the driver stack used to perform the action. DeviceEvents | where ActionType contains "PnP" | where Timestamp > ago(30d) | project ActionType, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessAccountDomain, IsProcessRemoteSession, AdditionalFields // the Additional Fields field shows the DeviceGUID, ClassGUID, driver information, etc. In conclusion: In today's fast-paced and mobile-driven world, device control stands out as an essential security feature for organizations and individuals alike. By enabling device control, businesses can ensure a seamless protection experience, safeguarding sensitive data against unauthorized access or potential threats posed by removable and portable devices. Its cross-platform functionality, spanning Windows, macOS, and beyond, highlights its adaptability and relevance in a diverse technological landscape. Furthermore, device control fosters a proactive approach to cybersecurity, by enabling device control, organizations can proactively safeguard sensitive data and mitigate risks before they escalate. Enabling this feature not only strengthens your security posture but also demonstrates a commitment to protecting the integrity and privacy of your systems in an increasingly unpredictable digital ecosystem. Explore additional resources: To further enhance your understanding of the critical role Device Control plays in safeguarding your organization, explore these indispensable resources on Defender for Endpoint. Empower yourself with the knowledge to proactively secure sensitive data, mitigate risks, and stay ahead in an ever-evolving digital landscape. How to deploy Defender app to macOS endpoints using Intune. Implementing device control on macOS guidelines. Defining settings on your mobileconfig file. Best practices to deploy device control for macOS on Defender for Endpoint. FAQ about device control on macOS. How to deploy device control from Defender for Endpoint using JAMF.
AWS Chime based apps (Slack or 3CX) calls drop-out - Only on Intune enrolled MacOS 15 + MS Defender
Hi Intune_Support_Team , I have recently come across with an Issue. Issue: Call Dropout, Network freeze on AV Calls for Apps / Platforms Description: I have noticed this issue on only MacOS Devices enrolled on Intune; that are later updated to MacOS15 Sequioa using Intune policy Mac Update policy + MS Defender for Endpoint Enrolled, with MS Defender Network Filter added to the list, hangs / freezes AV calls for 2-3 seconds like a network glitch on Slack Huddles. This also happens on 3CX Telephone app in bit different way as 3CX agent's audio is not heard by far-end Customer. Both of these only happens on Device upgraded to MacOS 15 + Defender + Network Filter with just Slack and 3CX. Google Meet, Zoom, Teams works well. NOTE : Compared to a Device which is not on Intune /Defender with MacOS 15 Slack Huddle and 3CX is a Charm. I also tried initially to look into Apple MacOS bugs, didnt find much, then raised a request to Slack Support, In Response I got this Hi there Swapnil, Thanks for contacting Slack support. What is happening here is that users are losing media connectivity to the huddles server, causing them to drop and then be reconnected. This can happen for a number of reasons, but if you've recently updated to macOS 15 Sequoia, there is a macOS networking bug which is highly likely to be the cause in this case (https://support.apple.com/en-au/102281). The issue is as follows: Overall the connection may be completely fine. Suddenly the media connection to the huddles server stops completely (even if the rest of the internet connection is fine). After the huddles server detects a period of no data being sent/received, it forces the client to reconnect to the huddle. This can help for some time but it may eventually repeat again through each huddle. Unfortunately in each case we cannot help explain the exact underlying cause is as it occurs on the end of each users network environment. In your case however, if users are experiencing the issue after upgrading to macOS 15, the aforementioned networking bug is the most likely cause. Normally the causes of these kinds of issues are as follows: Firewall or other network configuration closing websockets media connections. The macOS Sequoia bug causes this specific kind of problem. Overzealous modem/router throttling media connections. ISP throttling media connections. On the another response they also mentioned about something is probably not right with MS Defender Network Filter blocking out traffic for AWS Chime Server. Hi Swapnil, Thanks for your reply. Because there are so many variables we aren't going to be tracking this on our side. One thing I would say is that you should just be sure that there are no third party dependencies in your macOS environment which might be in need of an update. I'll give you a random example: Organisations using the Zscaler client connector would have encountered a variation of this issue (https://help.zscaler.com/client-connector/firewall-posture-check-failure-macos-sequoia). The macOS updates alone would not have addressed it, Zscaler needed to issue an update to their client connector software. Until users were running the Zscaler client with the relevant fix, no amount of system updates would have prevented them from running into the compatibility issue. So all I am saying is that you should be keeping an eye out for updates to both macOS and any relevant 3rd party dependencies - it's possible you will need to take manual action in some way first. The public facing macOS updates tend to be quite vague, so it is probably best to start with MS Defender and any other relevant 3rd party configurations before waiting on a macOS update to ultimately fix the issue. You may also prefer to pre-emptively seek confirmation from their respective support services so you know exactly what your next steps are. I hope this gives you a better idea on how to approach the issue and plan for updates Swapnil, and apologies I couldn't provide more guidance. After reading about this I tried to dig little more and understood, 3CX is also using AWS Chime A/V Servers. My users are stuck and losing their Slack Huddles which is day to day quick AV. Any insightful info on this one will be helpful. Thanks Swapnil email address removed for privacy reasons
MacOS Defender and Full Disk Access
Working on deploying Defender on MacOS via intune...most of it is solid, however I noticed "Microsoft Defender Endpoint Security Extension" doesnt have full disk access and needs it...the native "Microsoft Defender" has it ok...its deployed as the option for Defender under MacOS and not a LOB...anyone else run into this?Defender for Endpoint AMA: The next evolution of automatic attack disruption
Defenders need every edge they can get in the fight against ransomware. We're excited to share that Microsoft Defender for Endpoint customers will now be able automatically to disrupt human-operated attacks like ransomware early in the kill chain without needing to deploy any other capabilities. Join our AMA to ask questions on how you can use automatic attack disruption to stop a sophisticated attack early in the kill chain and how your organization can leverage unique protective capabilities offered exclusively by Microsoft 365 Defender. An AMA is a live text-based online event similar to an "Ask Me Anything," on Reddit. This AMA gives you the opportunity to connect with members of the Defender for Endpoint product group who will be on hand to answer your questions and listen to feedback. Feel free to post your questions about Defender for Endpoint anytime in the comments before the event starts, although the team will only be answering questions during the live hour.
Defender Antivirus and Microsoft Defender for Endpoint (ATP) for Servers
Hi All, Our company is looking into migrating our antivirus solution for our server estate from Sophos to Microsoft Defender Antivirus and Microsoft Defender for Endpoint (ATP). Was hoping to get some advice on the best way to approach this. I have listed some points below which I was hoping to get some clarity on. - Servers that are considered as “down-level devices” that do not have MS Defender preinstalled by default i.e. 2008R2, 2012 and 2012R2 what would the best Microsoft solution to provide security. Have been looking at Microsoft’s System Center Endpoint Protection (SCEP) as a solution. Is there any services that can be used from Azure to protect on-prem servers? - We have a Hybrid Azure AD setup. None of our on-premise servers are HAADJ. Do we need to have server as a Azure resource for us to manage Defender AV and ATP (Server 2016 +). We currently manage our W10 workstation using the MEM - Microsoft Defender for Endpoint Baseline. - Majority of our servers do not have any internet access. To tighten the firewall rule, is there a list of IPs and URLs that are associated with Defender ATP so the servers can only communicate to these IPs etc. - Is there any pre-req work needed for servers such as 2008R2, 2012 and 2012R2 before on-boarding to ATP. Install updates, telemetry services updates etc - Anyone that is using defender ATP for servers that are on-prem. What type of setup do you have and any recommendations. Thank you MoIntune Android Enterprise Fully Managed Defender for Endpoint activation
Hi All, Scenario: Intune > Android > Fully Managed profile > Defender for Endpoint deployment Is there any way to reach a zero-touch / silent method for activating Defender for Endpoint on Android devices ? Users currently need to run through a series of questions to activate it and until they do it does not show up in the Security portal Inventory. We are using a Compliance policy based on machine risk score to identify devices which haven't activated Defender - this marks them non-compliant until they do. I'd rather use a deployment/policy to activate Defender silently without any user intervention. As it is a security product on Android Enterprise Fully Managed devices it seems I must be missing a trick here to manage them without user involvement and blocking the user via a non-compliant conditional access policy seems an inefficient way to resolve the issue for everyone. Is it possible ? Many thanks Jas.
