I am trying to onboard macOS devices in my organization with Microsoft Defender via Intune, and facing multiple issues with it, the configuration profiles are applied successfully only on few devices, only the first (manually installed) macOS is properly onboarded in Defender, and all of the other ones are complaining about missing license. Could someone answer few questions and maybe give some tips on how can I troubleshoot and resolve this:

1. We have Microsoft 365 Business Premium license, and according to Defender documentation this is a sufficient license to use it on any endpoint device. However the error message on macOS devices states that there is a missing Microsoft Enterprise license.
   Is there a special license needed or is this just the payload configuration profile issue?
2. The kernel extension and onboarding profiles are generated in the Microsoft Defender Admin Center, however I did noticed that the OrgID in the onboarding profile file does not match my TenantID.
   Does that mean that those files are premade and I should adjust them to my organization details or it is simply a different ID assigned? 
3. The onboarding profile gets successfully applied on all devices however the kernel extension profile fails on almost every device, and the successful applications do not follow any pattern or macOS version. Can't really find any suggestions on the possible root cause of this issue.
   Did anyone had similar problems with the kext profile?
4. The Microsoft Defender Admin Center does provide a installation package PKG file. However according to the Defender documentation I should use Microsoft Defender for Endpoint (macOS) application that is ready to be applied directly from Intune Management Portal.
   Which is it? Or maybe both?

Thank you in advance for any tips and / or answers :)