So, you've been deploying MDE to your Windows devices for some time now and you've finally got to a point where you need to deploy it to the Apple macOS devices in your fleet, but where to start? In this blog post I will run through the steps I take for deploying MDE to macOS devices, along with some supplied configurations to make your life easier, because everyone likes an easy life.
I'm going to start from the beginning as if this were a new tenant setup for MDE deployment, so it might be that you can skip some steps.
Update your devices
Ensuring your devices are fully up to date is always important but particularly when deploying MDE to macOS that is because the configurations are slightly different for macOS 13 (Ventura) - My advice is to get everything up to the latest version which as of writing is macOS 13. Microsoft only support MDE on the three most recent major releases of macOS.
Plan for legacy AV removal
As the caution suggests you could come unstuck if MDE is deployed and you already have a solution in place. You should assess whatever is currently in place and formulate a plan for removal before deployment of MDE. As part of this guide and on my GitHub, I will provide a script that I used to remove ESET from devices after onboarding to Intune.
Plan for Corporate/BYOD
This one is going to be dependent on your requirements, but if there is an intention to have personal and corporate devices you may only want to dpeloy MDE to some or all of them. I usually create either dynamic device groups or filters to help with this, my recommendation is to use filters where possible.
Setup Defender
Start by logging into https://security.microsoft.com/ and enabling your MDE instance, this can usually be done by selecting Devices from the Endpoints pane in the left-hand menu, you'll get a page advising you that the instance is being configured, then just wait for it to finish (it can take a while but usually no more than an hour).
Technically, this is all that's needed for macOS deployment but it's worth doing the next few checks while you are here.
Once that is complete, you'll have access to the Endpoints settings within the Defender portal. The list of service settings here are outside the scope of this blog but for the most part you'll want to have the majority enabled except potentially Live Response unsigned script execution, if you want to learn more about the service settings in this portal, see here: How to configure Microsoft Defender for Endpoint (jeffreyappel.nl) - The key one here is to make sure you have the Microsoft Intune connection toggle enabled.
Next, head over to the Intune portal and navigate to Tenant administration -> Connectors and tokens -> Microsoft Defender for Endpoint and just confirm the connection status is enabled. If you are going to be onboarding other operating systems, it's also worthwhile enabling the compliance policy evaluation toggles as well - Just remember to ignore the top toggle for Endpoint Security Profile Settings unless you know what you are doing with it - You can find more about that particular setting here: Managing Microsoft Defender for Endpoint with the new Security Management feature in MEM/Intune (jeffreyappel.nl)
You can review the Microsoft documentation and prerequisites here: Microsoft Defender for Endpoint on Mac | Microsoft Learn
Download the onboarding package
Now time to get into it! From the M365 Defender portal, go to Settings -> Endpoints -> Device Management -> Onboarding.
Set the OS dropdown to macOS and the deployment method to Intune then download the onboarding package.
Extract the downloaded zip file and make sure you have a file named WindowsDefenderATPOnboarding.xml in the intune folder, you'll need this next.
Now head over to Intune and create a custom configuration profile.
Give the profile a name such as MDE onboarding for macOS and a suitable description, then continue.
Provide a name for the configuration profile name, this will be the name visible under the Profiles setting on macOS so make sure you name it appropriately - I tend to go with the same name as the config profile.
Choose Device channel for your Deployment channel and then upload the onboarding xml file you previously downloaded.
Click through to assignments and then assign to your required group, in my case I am going to apply to All Devices, you could scope it further with filters or dynamic groups.
Here's where I make your life nice and easy, head to my GitHub page here: GitHub - NateHutch365/MDE
Download the zip.
Inside the two folders you will have everything you need to finish the setup and all files can be imported using the Intune Manager tool found here: GitHub - Micke-K/IntuneManagement: Copy, export, import, delete, document and compare policies and profiles in Intune and Azure with PowerShell script and WPF UI. Import ADMX files and registry settings with ADMX ingestion. View and edit PowerShell script.
Fire it up and sign into your M365 tenant.
Select Settings Catalog on the left and then import the files from that folder that you have downloaded.
Select Import to load 'em in!
Now do the same for the Device Configuration settings.
And voila!
Now, keep in mind that if you have specific requirements around configuration you may want to update these custom configurations by editing the plist files within them. The one's provided here are the Intune recommended configurations provided by Microsoft with the addition of enabling Network Protection as well (we'll test this in the blog also).
It's also worth noting that you can deploy the Antivirus settings using the Endpoint Security profiles in Intune, they are in PREVIEW currently and I will be updating my GitHub with profiles of this type in due course. If you decide to use this method, you will not need to deploy the profile labelled macOS - Preferences - Configuration Settings for MDE.
Remember to go into each profile and assign them to your required device groups.
The next job is to publish the app itself, which can easily be done via Intune. Head to Apps -> macOS -> Add.
Click through the setup keeping everything default and then assign to your device groups, again I have deployed to All Devices.
Legacy AV removal
We talked about this already and for good reason - Your end users are probably going to have a really bad time if you deploy MDE and it's not in Passive mode and they already have another AV in place. I hope my previous mention means you have already removed the old AV or better yet, have a handy script in place to remove it right before MDE gets deployed?
Well, in my case we needed to remove either ESET Antivirus or ESET Security product from the machines so I put together a handy script that you can find here if you are using this product also, and yes there is also a json you can import using Intune Manager, if you prefer 😁. The script is very simple and will look for either product, run the uninstaller and then remove any leftover files.
This method works really because it means you have a minimal gap between removal of the old AV and deployment of MDE, in our scenario we will be onboarding using Company Portal but, in most cases, scripts will run before deployment of profiles so in my case ESET comes off and MDE goes straight on.
Enroll devices
If you already have devices enrolled to Intune you've likely already deployed MDE following the steps but if not all that is left is to get them managed via either Apple Business Manager or manual enrollment via Company Portal. In this scenario we are going to use Company Portal to perform a personal enrollment.
If you don't have any Apple devices enrolled yet, you will need to configure an Apple MDM Push certificate.
Follow the steps here to download Company Portal and enroll to Intune: Enroll your Mac with Intune Company Portal | Microsoft Learn
Once your device has been enrolled and assuming you have targeted your profiles correctly you should start to see your profiles come in along with the deployment of MDE. In my test deployment for this blog MDE was on and up to date in less than 60 seconds (I have seen it take a bit longer, especially if you are deploying M365 apps using Intune as well).
If we open Defender we can see that the following settings are managed by the organisation.
In addition, if we check Profiles within System Settings we can see all the Intune profiles we are deploying.
It's worth mentioning with this configuration it is possible for users to add their own exclusions to Defender, if you want to block this you must configure the exclusionsMergePolicy key in the macOS - Preferences - Configuration Settings for MDE profile - Set preferences for Microsoft Defender for Endpoint on Mac | Microsoft Learn
EDR Testing
When deploying a solution like Defender for Endpoint it is imperative that you test your configuration to make sure it works as expected, thankfully Microsoft provide a few methods to test.
Run a detection test using the well-known eicar txt file by opening a Terminal window and typing in:
curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt This should block the download and generate an alert in the Defender portal.
Network Protection Testing
If you navigate to https://smartscreentestratings2.net/ on the macOS device you should see a message that states Failed to open page this is Web threat protection kicking in (think SmartScreen for Windows) similarly if you are using Defender for Cloud Apps, Web Content Filtering or Custom Indicators this should allow those configurations to pull through.
More info on configuring Network Protection for macOS can be found here: Use network protection to help prevent macOS connections to bad sites | Microsoft Learn
Hopefully, this guide will help get you up and running with MDE on macOS quickly, till next time! 😁✌️