Microsoft Defender ATP (MDATP) for macOS hit finally the public preview status. We can now protect our macOS endpoints with cloud based power. I created a little guide about the onboarding process with Microsoft Intune and the user experience.
From a macOS endpoint perspective:
- macOS version 10.12 (Sierra) or newer
- No third party endpoint protection installed
- At least 1GB of free disk space
- macOS client enrolled in your Intune tenant
If you want to enable macOS enrollment for your Intune tenant - I’ve written a post about the enrollment process.
From a Microsoft 365 perspective:
- Microsoft Defender ATP license (Windows 10 Enterprise E5)
- Intune tenant wit macOS enrollment enabled
- Access to the Microsoft Defender Security Center
- Appropriate user rights to create and assign an Intune device configuration, LOB App
This post assumes that you perform the tasks and file preparation on a macOS machine.
Preparing the onboarding package and files
Access the Microsoft Defender Security Center and gather the installation and onboarding package:
To deploy the installation package with Microsoft Intune we need the Intune app wrapping tool for macOS which is available here.
Now you should have these three files:
Open a terminal and perform the following actions:
Make the IntuneAppUtil executable:
chmod +x IntuneAppUtil
Generate the Intune deployment package:
./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav"
Unzip the onboarding package:
unzip WindowsDefenderATPOnboardingPackage.zipwe’ll need the files in the unzipped intune folder later
When you have successfully completed the above steps, the file structure looks like this:
Intune portal configuration
In the Intune portal create a custom device configuration to deploy the Microsoft Defender ATP kext.xml (kernel extension). Upload the kext file from the previously extracted zip file which is located in the Intune folder. These kernel extensions will be loaded into the macOS operating system on boot for the Microsoft Defender ATP service.
For the actual onboarding of the macOS machine to your MDATP tenant we need the onboarding configuration “WindowsDefenderATPOnboarding.xml” which contains encrypted tenant info. You find the file also in the unzipped package in the Intune folder. To deploy this file create another custom device configuration and upload the xml file:
To deploy the Microsoft Defender ATP package create a new LOB (Line-of-business-app) and upload the wrapped *.intunemac file:
Provide the required app information and make sure to set the minimum operation system version to Sierra as mentioned in the prerequisites:
Furthermore make sure that you assign both device configurations and the LOB app to your targeted Azure AD group.
Resultant macOS experience
After the device configurations were applied a new icon pops up on your macOS device:
And here’s a snippet of the main app:
To end this post here’s the machine view from the MDATP security dashboard: