Mac: Microsoft Defender ATP Endpoint

The Microsoft Defender for Mac client is named "Microsoft Defender ATP". 

Defender Onboarding (manual)

  1. Navigate to the Microsoft Security Center Onboarding section.
  2. Set the Operating System as macOS and the download type as "Local Script".
  3. Download both the Installation Package (wdav.pkg) and the installation script (WindowsDefenderATPOnboardingPackage.zip).
  4. On a target computer, run the .pkg installer. Then open Terminal and work through the Client Configuration section.
  5. After completing the steps in the Microsoft documentation, run the following command from the Terminal to set your department's tag:
    • mdatp edr tag set --name GROUP --value DEPT

Defender Onboarding through Jamf

  1. Go to the Security Center and navigate to the MS Doc on Defender Onboarding. 
  2. Create all of the individual Configuration Profiles per the Microsoft Documentation.
  3. Prefix all of your Profiles with "DEPT" so we can tell them apart in the console.
  4. The default settings are fully functional.
  • Onboarding Package - Follow instructions from MS documentation. The file downloaded from the Microsoft Security console includes UB's unique Site ID. 
  • Endpoint Settings - Follow instructions from MS documentation. Before saving the XML provided by Microsoft, find the section for "key = GROUP value=ExampleTag", and change "ExampleTag" to your department's four-character Group ID for Defender.
  • Notification - Follow MS documentation. You may alter the Critical Alerts and Notifications settings to suit your user experience needs.
  • Auto update - Follow instructions from MS documentation. This configuration will apply to all applications that use Microsoft AutoUpdate for Mac, including Microsoft Office apps.
  • Disk Access - No action necessary. This configuration is already applied to all Macs in UB's Jamf instance.
  • Kernel Extension - No action necessary. This configuration is already applied to all Macs in UB's Jamf instance.
  • System Extension - No action necessary. This configuration is already applied to all Macs in UB's Jamf instance.
  • Network Extension - No action necessary. This configuration is already applied to all Macs in UB's Jamf instance.
  • Scheduled scans - TBD. Either modify the provided .plist and create your own launchd job, or write it as a Script and apply it with a Policy on some interval.
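
A pre-upload check for the Endpoint Settings profile described above, added here as an example (it is not part of the original page or of Microsoft's documentation). It assumes the saved profile is an XML plist in which the tag is a dictionary with `key` = GROUP and a `value` string; the function names and the sample XML are constructed for illustration.

```python
import plistlib
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError

PLACEHOLDER = "ExampleTag"  # value in Microsoft's sample XML, per this page
GROUP_ID_LEN = 4            # this page asks for a four-character Group ID

# Constructed sample; the edr/tags layout is an assumption about the profile.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>edr</key><dict><key>tags</key><array><dict>
  <key>key</key><string>GROUP</string>
  <key>value</key><string>ExampleTag</string>
</dict></array></dict></dict></plist>"""

def find_group_tags(node):
    """Collect the value of every {key: GROUP, value: ...} dict, at any depth."""
    found = []
    if isinstance(node, dict):
        if node.get("key") == "GROUP" and "value" in node:
            found.append(node["value"])
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found.extend(find_group_tags(child))
    return found

def check_profile(xml_bytes):
    """Return a list of problems; an empty list means the tag was customised."""
    try:
        profile = plistlib.loads(xml_bytes)
    except (ValueError, ExpatError) as exc:
        return [f"not a valid plist: {exc}"]
    tags = find_group_tags(profile)
    if not tags:
        return ["no GROUP tag found"]
    problems = []
    for value in tags:
        if value == PLACEHOLDER:
            problems.append("GROUP tag still set to ExampleTag")
        elif not isinstance(value, str) or len(value) != GROUP_ID_LEN:
            problems.append(f"GROUP tag {value!r} is not {GROUP_ID_LEN} characters")
    return problems

if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    issues = check_profile(data)
    print("\n".join(issues) or "GROUP tag OK")
    sys.exit(1 if issues else 0)
```

Run it with the path of the saved profile as the only argument; with no argument it checks the embedded sample and reports the unchanged placeholder.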

Deploy Microsoft Defender for Endpoint

  1. Create a new Policy.
  2. Add the Packages payload, and add the latest version of the Microsoft Defender client package. New versions will be uploaded to the Jamf server as they become available, so check your software deployment Policies regularly to ensure you are installing a current version.
  3. Once installed, Defender will update itself through the Auto Update settings.
  4. You can also use Jamf Patch Management to monitor and update your client versions. 
'UBIT Uninstall Symantec Endpoint pkg.