Manual deployment for Microsoft Defender for Endpoint on macOS

This topic describes how to deploy Microsoft Defender for Endpoint on macOS manually. A successful deployment requires the completion of all of the following steps:

Prerequisites and system requirements

Before you get started, see the main Microsoft Defender for Endpoint on macOS page for a description of the prerequisites and system requirements for the current software version.

Download installation and onboarding packages

Download the installation and onboarding packages from Microsoft 365 Defender portal:

  1. In the Microsoft 365 Defender portal, go to Settings > Endpoints > Device management > Onboarding.

  2. In Section 1 of the page, set Operating system to macOS and Deployment method to Local script.

  3. In Section 2 of the page, select Download installation package. Save it as wdav.pkg to a local directory.

  4. In Section 2 of the page, select Download onboarding package. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.

    The options to download the installation and onboarding packages

  5. From a command prompt, verify that you have the two files.

Application installation (macOS 10.15)

To complete this process, you must have admin privileges on the device.

  1. Navigate to the downloaded wdav.pkg in Finder and open it.

    The installation of the application

  2. Select Continue, agree with the License terms, and enter the password when prompted.

    The application installation

    Important

    You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold", or both). The driver must be allowed to be installed.

    The application's installation

  3. Select Open Security Preferences or Open System Preferences > Security & Privacy. Select Allow:

    The Security and privacy window

    The installation proceeds.

    Caution

    If you don't select Allow, the installation will proceed after five minutes. Microsoft Defender for Endpoint will be loaded, but some features, such as real-time protection, will be disabled. See Troubleshoot kernel extension issues for information on how to resolve this.

Note

macOS may request to reboot the device upon the first installation of Microsoft Defender for Endpoint. Real-time protection will not be available until the device is rebooted.

Application installation (macOS 11 and newer versions)

To complete this procedure, you must have admin privileges on the device.

  1. Navigate to the downloaded wdav.pkg in Finder and open it.

    The installation process for the application

  2. Select Continue, agree with the License terms, and enter the password when prompted.

  3. At the end of the installation process, you'll be prompted to approve the system extensions used by the product. Select Open Security Preferences.

    The system extension approval

  4. From the Security & Privacy window, select Allow.

    The system extension security preferences

  5. Repeat steps 3 and 4 for all system extensions distributed with Microsoft Defender for Endpoint on Mac.

  6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on Mac inspects socket traffic and reports this information to the Microsoft 365 Defender portal. When prompted to grant Microsoft Defender for Endpoint permission to filter network traffic, select Allow.

    The system extension security preferences (network filter)

  7. Open System Preferences > Security & Privacy and navigate to the Privacy tab. Grant Full Disk Access permission to Microsoft Defender and Microsoft Defender's Endpoint Security Extension.

    The full disk access

Client configuration

  1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender for Endpoint on macOS.

    Before onboarding, the client device isn't associated with an org_id. Note that the org_id attribute is blank:

        mdatp health --field org_id

  2. Run the Python script to install the configuration file:

        /usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py

  3. Verify that the device is now associated with your organization and reports a valid org ID:

        mdatp health --field org_id

    After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.

How to Allow Full Disk Access

Caution

macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device.

  1. To grant consent, open System Preferences > Security & Privacy > Privacy > Full Disk Access. Click the lock icon to make changes (bottom of the dialog box). Select Microsoft Defender for Endpoint.

  2. Run an AV detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:

    1. Ensure that real-time protection is enabled (denoted by a result of 1 from running the following command):

            mdatp health --field real_time_protection_enabled

    2. Open a Terminal window. Copy and execute the following command:

            curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

    3. The file should have been quarantined by Defender for Endpoint on Mac. Use the following command to list all the detected threats:

            mdatp threat list

  3. Run an EDR detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:

    1. In your browser, such as Microsoft Edge for Mac or Safari:

    2. Download MDATP MacOS DIY.zip from https://aka.ms/mdatpmacosdiy and extract it.

      You may be prompted:

      Do you want to allow downloads on "mdatpclientanalyzer.blob.core.windows.net"?
      You can change which websites can download files in Websites Preferences.

  4. Click Allow.

  5. Open Downloads.

  6. You should see MDATP MacOS DIY.

    Tip

    If you double-click, you will get the following message:

    "MDATP MacOS DIY" cannot be opened because the developer cannot be verified.
    macOS cannot verify that this app is free from malware.
    [Move to Trash] [Cancel]

  7. Click Cancel.

  8. Right-click MDATP MacOS DIY, and then click Open.

    The system should display the following message:

    macOS cannot verify the developer of "MDATP MacOS DIY". Are you sure you want to open it?
    By opening this app, you will be overriding system security which can expose your computer and personal data to malware that may harm your Mac or compromise your privacy.

  9. Click Open.

    The system should display the following message:

    Microsoft Defender for Endpoint - macOS EDR DIY test file
    Corresponding alert will be available in the MDATP portal.

  10. Click Open.

    In a few minutes an alert named "macOS EDR Test Alert" should be raised.

  11. Go to Microsoft 365 Defender portal (https://security.microsoft.com/).

  12. Go to the Alert Queue.

    A macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions

    Look at the alert details and the device timeline, and perform the regular investigation steps.
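The verification steps above boil down to reading a few values from `mdatp health`: org_id must be non-blank after the onboarding script has run, and real_time_protection_enabled must be on before the EICAR test can succeed. The script below is an added example, not code from Microsoft's documentation or from the Defender product, that wraps those checks so a deployment can be gated on their result. It assumes that `mdatp health --field <name>` prints a single value per call, with string values wrapped in double quotes (an un-onboarded device prints "" for org_id) and booleans printed as true or false; because this page says to expect a result of 1 for real_time_protection_enabled, 1 is accepted as well. The `healthy` field is a field of the mdatp CLI that this page does not mention, and the MDATP_CMD variable and the script name are conveniences chosen here so the logic can be exercised against a stub without the product installed.

```shell
#!/bin/sh
# Added example (not Microsoft's code): post-onboarding health check for
# Microsoft Defender for Endpoint on macOS, built from the `mdatp health`
# checks in the manual deployment procedure.
#
# Assumptions: `mdatp health --field X` prints one value; strings are
# double-quoted ("" when org_id is blank), booleans are true/false; the
# page also documents 1 as the "enabled" result, so 1 is accepted too.
# MDATP_CMD is a hypothetical override so tests can substitute a stub.

MDATP_CMD="${MDATP_CMD:-mdatp}"

# Query one health field and strip the surrounding double quotes.
health_field() {
    "$MDATP_CMD" health --field "$1" | sed 's/^"//; s/"$//'
}

# Return 0 when the value is a non-empty organisation id.
is_onboarded() {
    case "$1" in
        "") return 1 ;;
        *)  return 0 ;;
    esac
}

# Return 0 when a boolean-style health value means "on".
is_enabled() {
    case "$1" in
        1|true|True) return 0 ;;
        *)           return 1 ;;
    esac
}

# Run every check, print a verdict line per check, and return the number
# of failed checks (0 = device is onboarded and protected).
verify_onboarding() {
    failures=0

    org_id=$(health_field org_id)
    if is_onboarded "$org_id"; then
        echo "OK   org_id is set ($org_id): device is associated with a tenant"
    else
        echo "FAIL org_id is blank: run MicrosoftDefenderATPOnboardingMacOs.py"
        failures=$((failures + 1))
    fi

    rtp=$(health_field real_time_protection_enabled)
    if is_enabled "$rtp"; then
        echo "OK   real-time protection is enabled"
    else
        echo "FAIL real-time protection is off ($rtp): check system extension approval, Full Disk Access, or a pending reboot"
        failures=$((failures + 1))
    fi

    # 'healthy' is an mdatp CLI field not shown on this page.
    healthy=$(health_field healthy)
    if is_enabled "$healthy"; then
        echo "OK   product reports healthy"
    else
        echo "FAIL product reports unhealthy ($healthy)"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Only query the real product when explicitly asked, so the functions can
# be sourced or tested without mdatp present.
if [ "${1:-}" = "--live" ]; then
    verify_onboarding
fi
```

On an onboarded Mac, run it as `sh verify_mdatp.sh --live` (the file name is arbitrary); the exit status is the number of failed checks, so a provisioning pipeline can stop on anything other than 0. The org_id and real-time protection lines map directly to the two `mdatp health` commands in the procedure above; a FAIL on real-time protection after a fresh install usually means the system extension was not approved or the device still needs the reboot mentioned in the Note.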

Logging installation issues

See Logging installation issues for more information on how to find the automatically generated log that is created by the installer when an error occurs.

Uninstallation

See Uninstalling for details on how to remove Microsoft Defender for Endpoint on macOS from client devices.