macOS MDE Microsoft Defender for Endpoint intune

macOS Management with Intune - Part II

Part two of the macOS management series, and we will configure the policies & profiles for silent onboarding of mac OS devices in Microsoft Defender for Endpoint along with pushing the Company Portal app on the device. Before creating any macOS policy, let us first configure MDE. Log in to

6 min read
macOS Management with Intune - Part II

Part two of the macOS management series, and we will configure the policies & profiles for silent onboarding of mac OS devices in Microsoft Defender for Endpoint along with pushing the Company Portal app on the device.


Before creating any macOS policy, let us first configure MDE. Log in to Security Center and enable the connection for Defender. I will use MDE as an enterprise security platform for securing corporate devices.


Configure Microsoft Defender for Endpoint in Intune

The first step is to set up the communication between Intune and Microsoft Defender for Endpoint:

  1. In Microsoft 365 Defender; Select Settings > Endpoints > Advanced features.
  1. For Microsoft Intune connection, choose On:
  1. Return to Microsoft Defender for the Endpoint page in the Intune portal, and the connector status should be “Enabled.”

Deploy Microsoft Defender for Endpoint on macOS

Deployment of MDE on your macOS devices is a bit complicated process. You will first need to download the onboarding package, approve the extension and then configure a few more policies. The below five steps are required for onboarding your macOS in MDE:

  1. Download the onboarding package
  2. Client device setup
  3. Approve system extensions
  4. Create System Configuration profiles
  5. Publish application

Download the Onboarding Package

  1. In Microsoft 365 Defender portal, go to Settings > Endpoints > Device management > Onboarding.
  1. Set the operating system to macOS and the deployment method to Mobile Device Management / Microsoft Intune.
  1. Select Download onboarding package. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
  1. Extract the contents of the .zip file

The zip contains the onboarding files for MDM solutions. But as we are using Intune as an MDM solution, so will focus on the folder named “Intune”.


Create System Configuration profiles

As the next step, we will create configuration profiles for Microsoft Defender for Endpoint. The steps are as below:

  1. Log in to Intune portal, navigate to Devices > macOS Devices > Configuration profiles > Create Profile.
  1. Select Profile type as Templates and Template name as Custom. Click Create.
  1. Give the profile a name and click Next.
  1. Choose “Device” as the deployment channel and select WindowsDefenderATPOnboarding.xml in the “Intune” folder that we extracted from the onboarding package above as a configuration profile file.
  1. Click Next.
  1. Assign devices on the Assignment tab. Click Next.

Approve System Extensions

Now, we need to create a profile so that the extensions in the onboarding file are approved in the system context.

  1. Select Create Profile under Configuration Profiles.
  1. Select Platform as macOS, Profile type as Templates and the Template name as Extensions. Click create.
  1. In the Basics tab, give a name to this new profile.
  1. In the Configuration settings tab, expand System Extensions and add the following entries in the Allowed system extensions section:
Bundle identifierTeam identifier
com.microsoft.wdav.epsextUBF8T346G9
com.microsoft.wdav.netextUBF8T346G9

Full Disk Access

By default, the new versions of macOS do not allow applications to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicitly granting that app’s permission. Microsoft defender is also no exception; without this consent, it will not be able to protect the device fully.

This profile grants Full Disk Access to Microsoft Defender for Endpoint.

  1. Download the config file from mdatp-xplat/fulldisk.mobileconfig at master · microsoft/mdatp-xplat · GitHub and save it as fulldisk.mobileconfig
  1. Log in to Intune portal, navigate to Devices > macOS Devices > Configuration profiles > Create Profile.
  1. Select Profile type as Templates and Template name as Custom. Click Create.
  1. Give the profile a name and click Next.
  1. Choose “Device” as the deployment channel and select the fulldisk.mobileconfig that we downloaded in step 1.

Network Filter

This profile configures the Endpoint Detection and Response (EDR) capabilities for Microsoft Defender to inspect socket traffic and report this information to the security center. Configuring this policy allows the network extension to perform this functionality.

Download the config file Network Config file and repeat the same steps to create a custom profile.


Notifications

This profile will allow Microsoft Defender for Endpoint on macOS and Microsoft Auto Update to display notifications in UI on macOS.

Download the config file notif.mobileconfig file and repeat the same steps to create a custom profile.

Background Services

This configuration profile grants Background Service permissions to Microsoft Defender for Endpoint. macOS 13 (Ventura) contains new privacy enhancements. Beginning with this version, by default, applications cannot run in background without explicit consent. Microsoft Defender for Endpoint must run its daemon process in background.

Download the config file background_services.mobileconfig file and repeat the same steps to create a custom profile.


This is how your portal might look like once you have created all these profiles for MDE:


Deploy MDE to macOS Devices

Now we have completed all the pre-work for Microsoft Defender for Endpoint, its time to publish the app to devices:

  1. Login to Intune portal and navigate to Apps > macOS > and select the app type as Microsoft Defender for Endpoint (macOS).
  1. Keep default values, click Next and assign it to the Device group.

It is not completed yet…There are still two more configurations remaining:

  1. Install Quick Scan settings for MDE
  2. Enable quick scan settings for MDE

Navigate to Devices > macOS > Shell Scripts, upload the two scripts below, and assign them to the same device group to which the MDE policies were assigned.


Add macOS Company Portal App

There are multiple ways of pushing the Company Portal to macOS devices:

However, for now, I will walk you through the app deployment on supervised devices and would recommend deploying Company Portal using shell script. The company portal will be downloaded and installed using the macOS Shell Scripts feature. This option will always install the current version of Company Portal for macOS but lacks the option of reporting app installation.

  1. Download the Intune Company Portal Installation Script.
  1. Login to Intune portal and navigate to Devices > macOS > Shell Scripts.
  1. Set Run script as “signed-in user” to No. This enforces the script to run in the system context.
  1. Set the Maximum number of retries if the script fails to 3.
  1. Assign the script to the device group.

It has been a long post, and I will end it here. In the next part of the series, I will cover device enrollment using Modern Authentication, some mandatory restrictions that you should have on the MacBooks and finally, publishing M365 apps, certificates and VPN.

Stay In(tuned) and be #intuneinspired

Share This Post

Check out these related posts

Early Bird Gets the Worm: Testing iOS 18 & macOS 15 (Beta) Devices with Intune

Platform SSO for macOS: A Deep Dive into Configuration & Troubleshooting

Application Inventory: The Unsung Hero of macOS Security