Microsoft Defender ATP (MDATP)  for macOS hit finally the public preview status. We can now protect our macOS endpoints with cloud based power. I created a little guide about the onboarding process with Microsoft Intune and the user experience.


From a macOS endpoint perspective:

  • macOS version 10.12 (Sierra) or newer
  • No third party endpoint protection installed
  • At least 1GB of free disk space
  • macOS client enrolled in your Intune tenant

If you want to enable macOS enrollment for your Intune tenant - I’ve written a post about the enrollment process.

From a Microsoft 365 perspective:

  • Microsoft Defender ATP license (Windows 10 Enterprise E5)
  • Intune tenant wit macOS enrollment enabled
  • Access to the Microsoft Defender Security Center
  • Appropriate user rights to create and assign an Intune device configuration, LOB App

This post assumes that you perform the tasks and file preparation on a macOS machine.

Preparing the onboarding package and files

Access the Microsoft Defender Security Center and gather the installation and onboarding package:

To deploy the installation package with Microsoft Intune we need the Intune app wrapping tool for macOS which is available here.

Now you should have these three files:

Microsoft Defender ATP source files

Open a terminal and perform the following actions:

  • Make the IntuneAppUtil executable: chmod +x IntuneAppUtil

  • Generate the Intune deployment package: ./IntuneAppUtil -c wdav.pkg -o . -i ""

  • Unzip the onboarding package: unzip we’ll need the files in the unzipped intune folder later

When you have successfully completed the above steps, the file structure looks like this:

Wrapped and unzipped Microsoft Defender ATP files 

Intune portal configuration

In the Intune portal create a custom device configuration to deploy the Microsoft Defender ATP kext.xml (kernel extension). Upload the kext file from the previously extracted zip file which is located in the Intune folder. These kernel extensions will be loaded into the macOS operating system on boot for the Microsoft Defender ATP service.

For the actual onboarding of the macOS machine to your MDATP tenant we need the onboarding configuration “WindowsDefenderATPOnboarding.xml”  which contains encrypted tenant info.  You find the file also in the unzipped  package in the Intune folder. To deploy this file create another custom device configuration and upload the xml file:

To deploy the  Microsoft Defender ATP package create a new LOB (Line-of-business-app) and upload the wrapped *.intunemac file:

Provide the required app information and make sure to set the minimum operation system version to  Sierra as mentioned in the prerequisites:

Furthermore make sure that you assign both device configurations and the LOB app to your targeted Azure AD group.

Resultant macOS experience

After the device configurations were applied a new icon pops up on your macOS device:

MDATP icon on macOS

And here’s a snippet of the main app:

Virus & threat protection status 

To end this post here’s the machine view from the MDATP security dashboard:

macOS machine in the MDATP security dashboard