Alternatively, Microsoft Defender can be uninstalled from the command line via this single command (administrative credentials required): sudo rm -rf '/Applications/Microsoft Defender ATP.app'.
- Shop for PC and Mac software including downloads, Small Business Software, Software for Students, Academic Courseware, Computer Security, Education & Reference, Illustration & Design, Operating Systems, and more.
- With the release of Windows Defender for Mac by the Microsoft virus protection team, Apple’s built-in software got themselves a match, or even a formidable rival. At the moment, it’s only available as a preview for enterprise users, but the Windows Defender download will be rolling out to individuals later this year, packaged into the.
Applies to:
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
This topic describes how to install, configure, update, and use Defender for Endpoint on Mac.
Caution
Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Mac EDR functionality after configuring the antivirus functionality to run in Passive mode.
What’s new in the latest release
Tip
If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint on Mac on your device and navigating to Help > Send feedback.
To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an 'Insider' device.
How to install Microsoft Defender for Endpoint on Mac
Prerequisites
- A Defender for Endpoint subscription and access to the Microsoft Defender Security Center portal
- Beginner-level experience in macOS and BASH scripting
- Administrative privileges on the device (in case of manual deployment)
Installation instructions
There are several methods and deployment tools that you can use to install and configure Defender for Endpoint on Mac.
- Third-party management tools:
- Command-line tool:
System requirements
The three most recent major releases of macOS are supported.
Important
On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on New configuration profiles for macOS Catalina and newer versions of macOS.
Important
Support for macOS 10.13 (High Sierra) has been discontinued as of February 15th, 2021.
- 11 (Big Sur), 10.15 (Catalina), 10.14 (Mojave)
- Disk space: 1GB
Beta versions of macOS are not supported.
macOS devices with M1 processors are not supported.
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
Licensing requirements
Microsoft Defender for Endpoint on Mac requires one of the following Microsoft Volume Licensing offers:
- Microsoft 365 E5 (M365 E5)
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
Note
Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices.Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
Network connections
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.
Spreadsheet of domains list | Description |
---|---|
Spreadsheet of specific DNS records for service locations, geographic locations, and OS. Download the spreadsheet here: mdatp-urls.xlsx. |
Microsoft Defender for Endpoint can discover a proxy server by using the following discovery methods:
- Proxy autoconfig (PAC)
- Web Proxy Autodiscovery Protocol (WPAD)
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
Warning
Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.
Sango - tales from the coral cave mac os. SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
To test that a connection is not blocked, open https://x.cp.wd.microsoft.com/api/report and https://cdn.x.cp.wd.microsoft.com/ping in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
The output from this command should be similar to the following:
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
Caution
We recommend that you keep System Integrity Protection (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal:
How to update Microsoft Defender for Endpoint on Mac
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint on Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see Deploy updates for Microsoft Defender for Endpoint on Mac.
How to configure Microsoft Defender for Endpoint on Mac
Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender for Endpoint on Mac.
macOS kernel and system extensions
In alignment with macOS evolution, we are preparing a Microsoft Defender for Endpoint on Mac update that leverages system extensions instead of kernel extensions. For relevant details, see What's new in Microsoft Defender for Endpoint on Mac.
Resources
- For more information about logging, uninstalling, or other topics, see Resources for Microsoft Defender for Endpoint on Mac.
- Escape from laville mac os. Privacy for Microsoft Defender for Endpoint on Mac.
Applies to:
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Requirements
Device control for macOS has the following prerequisites:
- Microsoft Defender for Endpoint entitlement (can be trial)
- Minimum OS version: macOS 10.15.4 or higher
- Minimum product version: 101.24.59
- Your device must be running with system extensions (this is the default on macOS 11 Big Sur).You can check if your device is running on system extensions by running the following command and verify that it is printing
endpoint_security_extension
to the console: - Your device must be in
Beta
(previously calledInsiderFast
) Microsoft AutoUpdate update channel. For more information, see Deploy updates for Microsoft Defender for Endpoint on Mac.You can check the update channel using the following command:If the above command does not print eitherBeta
orInsiderFast
, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see Deploy updates for Microsoft Defender for Endpoint on Mac.
Device control policy
House Defender Mac Os X
To configure device control for macOS, you must create a policy that describes the restrictions you want to put in place within your organization.
The device control policy is included in the configuration profile used to configure all other product settings. For more information, see Configuration profile structure.
Within the configuration profile, the device control policy is defined in the following section:
Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | deviceControl |
Data type | Dictionary (nested preference) |
Comments | See the following sections for a description of the dictionary contents. |
The device control policy can be used to:
Customize URL target for notifications raised by device control
When the device control policy that you have put in place is enforced on a device (for example, access to a removable media device is restricted), a notification is displayed to the user.
When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification.
Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | navigationTarget |
Data type | String |
Comments | If not defined, the product uses a default URL pointing to a generic page explaining the action taken by the product. |
Allow or block removable devices
The removable media section of the device control policy is used to restrict access to removable media.
Note
The following types of removable media are currently supported and can be included in the policy: USB storage devices.
Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | removableMediaPolicy |
Data type | Dictionary (nested preference) |
Comments | See the following sections for a description of the dictionary contents. |
This section of the policy is hierarchical, allowing for maximum flexibility and covering a wide range of use cases. At the top level are vendors, identified by a vendor ID. For each vendor, there are products, identified by a product ID. Finally, for each product there are serial numbers denoting specific devices.
For information on how to find the device identifiers, see Look up device identifiers.
The policy is evaluated from the most specific entry to the most general one. Meaning, when a device is plugged in, the product tries to find the most specific match in the policy for each removable media device and apply the permissions at that level. If there is no match, then the next best match is applied, all the way to the permission specified at the top level, which is the default when a device does not match any other entry in the policy.
Policy enforcement level
Under the removable media section, there is an option to set the enforcement level, which can take one of the following values:
audit
- Under this enforcement level, if access to a device is restricted, a notification is displayed to the user, however the device can still be used. This enforcement level can be useful to evaluate the effectiveness of a policy.block
- Under this enforcement level, the operations that the user can perform on the device are limited to what is defined in the policy. Furthermore, a notification is raised to the user.
Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | enforcementLevel |
Data type | String |
Possible values | audit (default) block |
Default permission level
At the top level of the removable media section, you can configure the default permission level for devices that do not match anything else in the policy.
This setting can be set to:
none
- No operations can be performed on the device- A combination of the following values:
read
- Read operations are permitted on the devicewrite
- Write operations are permitted on the deviceexecute
- Execute operations are permitted on the device
Note
If
none
is present in the permission level, any other permissions (read
, write
, or execute
) will be ignored.Note
The
execute
permission only refers to execution of Mach-O binaries. It does not include execution of scripts or other types of payloads.Remove Mac Defender
Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | permission |
Data type | Array of strings |
Possible values | none read write execute |
Restrict removable media by vendor, product, and serial number
As described in Allow or block removable devices, removable media such as USB devices can be identified by the vendor ID, product ID, and serial number.
At the top level of the removable media policy, you can optionally define more granular restrictions at the vendor level.
The
vendors
dictionary contains one or more entries, with each entry being identified by the vendor ID.Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | vendors |
Data type | Dictionary (nested preference) |
For each vendor, you can specify the desired permission level for devices from that vendor.
Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | permission |
Data type | Array of strings |
Possible values | Same as Default permission level |
Furthermore, you can optionally specify the set of products belonging to that vendor for which more granular permissions are defined. The
products
dictionary contains one or more entries, with each entry being identified by the product ID.Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | products |
Data type | Dictionary (nested preference) |
For each product, you can specify the desired permission level for that product.
Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | permission |
Data type | Array of strings |
Possible values | Same as Default permission level |
Furthermore, you can specify an optional set of serial numbers for which more granular permissions are defined.
The
serialNumbers
dictionary contains one or more entries, with each entry being identified by the serial number.Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | serialNumbers |
Data type | Dictionary (nested preference) |
For each serial number, you can specify the desired permission level.
Section | Value |
---|---|
Domain | com.microsoft.wdav |
Key | permission |
Data type | Array of strings |
Possible values | Same as Default permission level |
Example device control policy
The following example shows how all of the above concepts can be combined into a device control policy. In the following example, note the hierarchical nature of the removable media policy.
We have included more examples of device control policies in the following documents:
Look up device identifiers
To find the vendor ID, product ID, and serial number of a USB device:
- Log into a Mac device.
- Plug in the USB device for which you want to look up the identifiers.
- In the top-level menu of macOS, select About This Mac.
- Select System Report.
- From the left column, select USB.
- Under USB Device Tree, navigate to the USB device that you plugged in.
- The vendor ID, product ID, and serial number are displayed. When adding the vendor ID and product ID to the removable media policy, you must only add the part after
0x
. For example, in the below image, vendor ID is1000
and product ID is090c
.
Discover USB devices in your organization
You can view mount, unmount, and volume change events originating from USB devices in Microsoft Defender for Endpoint advanced hunting. These events can be helpful to identify suspicious usage activity or perform internal investigations.
Device control policy deployment
The device control policy must be included next to the other product settings, as described in Set preferences for Microsoft Defender for Endpoint on macOS.
Defender Mac Os
This profile can be deployed using the instructions listed in Configuration profile deployment.
Troubleshooting tips
After pushing the configuration profile through Intune or JAMF, you can check if it was successfully picked up by the product by running the following command from the Terminal:
This command will print to standard output the device control policy that the product is using. In case this prints
Policy is empty
, make sure that (a) the configuration profile has indeed been pushed to your device from the management console, and (b) it is a valid device control policy, as described in this document.On a device where the policy has been delivered successfully and where there are one or more devices plugged in, you can run the following command to list all devices and the effective permissions applied to them.
House Defender Mac Os Download
Example of output:
In the above example, there is only one removable media device plugged in and it has
read
and execute
permissions, according to the device control policy that was delivered to the device.