Microsoft Defender Advanced Threat Protection For Mac Download


Key features: integration with Windows Security Center. Microsoft and Bitdefender are collaborating to integrate Bitdefender's GravityZone Cloud with Windows Defender Advanced Threat Protection, so that Microsoft customers can detect, view, investigate, and respond to advanced cyber attacks and data breaches on macOS and Linux endpoints from within the WDATP management console. The Microsoft Defender Advanced Threat Protection (ATP) endpoint security platform now also provides a report designed to help administrators keep track of vulnerable Windows and macOS devices.

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Important

In preparation for macOS 11 Big Sur, we are getting ready to release an update to Microsoft Defender ATP for Mac that uses the new system extensions instead of kernel extensions. Apple will stop supporting kernel extensions starting with macOS 11 Big Sur. Therefore, the Microsoft Defender ATP for Mac agent must be updated on all eligible macOS devices before those devices are moved to macOS 11.

The update is applicable to devices running macOS version 10.15.4 or later.

To ensure that the Microsoft Defender ATP for Mac update is delivered and applied without end-user interaction, a new remote configuration must be deployed to all eligible macOS devices before Microsoft publishes the new agent version. If the configuration is not deployed before the agent update, end users will be presented with a series of system dialogs asking them to grant the agent all the permissions that the new system extensions require.

Timing:

  • Organizations that previously opted into Microsoft Defender ATP preview features in Microsoft Defender Security Center must be ready for the Microsoft Defender ATP for Mac agent update by August 10, 2020.
  • Organizations that do not participate in public previews of Microsoft Defender ATP features must be ready by September 7, 2020.

Action is needed by the IT administrator. Review the steps below and assess the impact on your organization:

  1. Deploy the specified remote configuration to eligible macOS devices before Microsoft publishes the new agent version.
    Even though the new system-extension-based implementation of Microsoft Defender ATP for Mac applies only to devices running macOS 10.15.4 or later, deploying the configuration proactively across the entire macOS fleet ensures that even down-level devices are prepared for the day Apple releases macOS 11 Big Sur, so that Microsoft Defender ATP for Mac continues to protect all macOS devices regardless of the OS version they ran before the Big Sur upgrade.

  2. Refer to this documentation for detailed configuration information and instructions: New configuration profiles for macOS Catalina and newer versions of macOS.

  3. Monitor this page for an announcement of the actual release of the MDATP for Mac agent update.

101.10.72

  • Bug fixes

101.09.61

  • Added a new managed preference for disabling the option to send feedback
  • Status menu icon now shows a healthy state when the product settings are managed. Previously, the status menu icon was displaying a warning or error state, even though the product settings were managed by the administrator
  • Performance improvements & bug fixes

101.09.50

  • This product version has been validated on macOS Big Sur 11 beta 9

    Important

    Extensive testing of MDE (Microsoft Defender for Endpoint) with the new macOS system extensions revealed an intermittent issue that affects macOS devices with specific graphics card models. In rare cases on affected devices, calls into the macOS system extensions were seen to result in a kernel panic. Microsoft is actively working with Apple engineering to clarify the profile of affected devices and to address this macOS issue.

  • The new syntax for the mdatp command-line tool is now the default one. For more information on the new syntax, see Resources for Microsoft Defender ATP for Mac

    Note

    The old command-line tool syntax will be removed from the product on January 1st, 2021.

  • Extended mdatp diagnostic create with a new parameter (--path [directory]) that allows the diagnostic logs to be saved to a different directory

  • Performance improvements & bug fixes

101.09.49

  • User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user
  • Improved CPU utilization during on-demand scans
  • Performance improvements & bug fixes

101.07.23

  • Added new fields to the output of mdatp --health for checking the status of passive mode and the EDR group ID

    Note

    mdatp --health will be replaced with mdatp health in a future product update.

  • Fixed a bug where automatic sample submission was not marked as managed in the user interface

  • Added new settings for controlling the retention of items in the antivirus scan history. You can now specify the number of days to retain items in the scan history and specify the maximum number of items in the scan history

  • Bug fixes

101.06.63

  • Addressed a performance regression introduced in version 101.05.17. The regression was introduced with the fix to eliminate the kernel panics some customers have observed when accessing SMB shares. We have reverted this code change and are investigating alternative ways to eliminate the kernel panics.

101.05.17

Important

We are working on a new and enhanced syntax for the mdatp command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to familiarize yourself with this new syntax.

We will continue supporting the old syntax in parallel with the new syntax and will provide more communication around the deprecation plan for the old syntax in the upcoming months.

  • Addressed a kernel panic that occurred sometimes when accessing SMB file shares
  • Performance improvements & bug fixes

101.05.16

  • Improvements to quick scan logic to significantly reduce the number of scanned files
  • Added autocompletion support for the command-line tool
  • Bug fixes

101.03.12

  • Performance improvements & bug fixes

101.01.54

  • Improvements around compatibility with Time Machine
  • Accessibility improvements
  • Performance improvements & bug fixes

101.00.31

  • Improved product onboarding experience for Intune users
  • Antivirus exclusions now support wildcards
  • Added the ability to trigger antivirus scans from the macOS contextual menu. You can now right-click a file or a folder in Finder and select Scan with Microsoft Defender ATP
  • In-place product downgrades are now explicitly disallowed by the installer. If you need to downgrade, first uninstall the existing version and reconfigure your device
  • Other performance improvements & bug fixes

100.90.27

  • You can now set an update channel for Microsoft Defender ATP for Mac that is different from the system-wide update channel
  • New product icon
  • Other user experience improvements
  • Bug fixes

100.86.92

  • Improvements around compatibility with Time Machine
  • Addressed an issue where the product was sometimes not cleaning all files under /Library/Application Support/Microsoft/Defender during uninstallation
  • Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft AutoUpdate
  • Other performance improvements & bug fixes

100.86.91

Caution

To ensure the most complete protection for your macOS devices and in alignment with Apple stopping delivery of macOS native security updates to OS versions older than [current – 2], MDATP for Mac deployment and updates will no longer be supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements will be delivered to devices running versions Catalina [10.15], Mojave [10.14], and High Sierra [10.13].

If you already have MDATP for Mac deployed to your Sierra [10.12] devices, please upgrade to the latest macOS version to eliminate risks of losing protection.

  • Performance improvements & bug fixes

100.83.73

  • Added more controls for IT administrators around management of exclusions, management of threat type settings, and disallowed threat actions
  • When Full Disk Access is not enabled on the device, a warning is now displayed in the status menu
  • Performance improvements & bug fixes

100.82.60

  • Addressed an issue where the product fails to start following a definition update.

100.80.42

  • Bug fixes

100.79.42

  • Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
  • Added a new switch to the command-line utility for testing the connectivity with the backend service
  • Added ability to view the full threat history in the user interface (can be accessed from the Protection history view)
  • Performance improvements & bug fixes

100.72.15

  • Bug fixes

100.70.99

  • Addressed an issue that affected the ability of some users to upgrade to macOS Catalina when real-time protection was enabled. This sporadic issue was caused by Microsoft Defender ATP locking files within the Catalina upgrade package while scanning them for threats, which led to failures in the upgrade sequence.

100.68.99

  • Added the ability to configure the antivirus functionality to run in passive mode
  • Performance improvements & bug fixes

100.65.28

  • Added support for macOS Catalina

    Caution

    macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.

    The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:

    • For manual deployments, see the updated instructions in the Manual deployment topic.
    • For managed deployments, see the updated instructions in the JAMF-based deployment and Microsoft Intune-based deployment topics.
  • Performance improvements & bug fixes


Applies to:

This page will guide you through the steps you need to take to set up macOS policies in Jamf Pro.

You'll need to take the following steps:

Step 1: Get the Microsoft Defender ATP onboarding package

  1. In Microsoft Defender Security Center, navigate to Settings > Onboarding.

  2. Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method.

  3. Select Download onboarding package (WindowsDefenderATPOnboardingPackage.zip).

  4. Extract WindowsDefenderATPOnboardingPackage.zip.

  5. Copy the file to your preferred location. For example, C:\Users\JaneDoe_or_JohnDoe.contoso\Downloads\WindowsDefenderATPOnboardingPackage_macOS_MDM_contoso\jamf\WindowsDefenderATPOnboarding.plist.

Step 2: Create a configuration profile in Jamf Pro using the onboarding package

  1. Locate the file WindowsDefenderATPOnboarding.plist from the previous section.

  2. In the Jamf Pro dashboard, select New.

  3. Enter the following details:

    General

    • Name: MDATP onboarding for macOS
    • Description: MDATP EDR onboarding for macOS
    • Category: None
    • Distribution Method: Install Automatically
    • Level: Computer Level
  4. In Application & Custom Settings select Configure.

  5. Select Upload File (PLIST file) then in Preference Domain enter: com.microsoft.wdav.atp.

  6. Select Open and select the onboarding file.

  7. Select Upload.

  8. Select the Scope tab.

  9. Select the target computers.

  10. Select Save.

  11. Select Done.

Step 3: Configure Microsoft Defender ATP settings

  1. Use the following Microsoft Defender ATP configuration settings:

    • enableRealTimeProtection
    • passiveMode

    Note

    passiveMode is not turned on by default. If you plan to run a third-party antivirus product on macOS, set it to true.

    • exclusions
    • excludedPath
    • excludedFileExtension
    • excludedFileName
    • exclusionsMergePolicy
    • allowedThreats

    Note

    The sample configuration lists the EICAR test file under allowedThreats. If you are running a proof of concept, remove it, especially if you plan to test detection with EICAR.

    • disallowedThreatActions
    • potentially_unwanted_application
    • archive_bomb
    • cloudService
    • automaticSampleSubmission
    • tags
    • hideStatusMenuIcon

    For information, see Property list for Jamf configuration profile.

  2. Save the file as MDATP_MDAV_configuration_settings.plist.

  3. In the Jamf Pro dashboard, select General.

  4. Enter the following details:

    General

    • Name: MDATP MDAV configuration settings
    • Description: (blank)
    • Category: None (default)
    • Distribution Method: Install Automatically (default)
    • Level: Computer Level (default)
  5. In Application & Custom Settings select Configure.

  6. Select Upload File (PLIST file).

  7. In Preferences Domain, enter com.microsoft.wdav, then select Upload PLIST File.

  8. Select Choose File.

  9. Select the MDATP_MDAV_configuration_settings.plist, then select Open.

  10. Select Upload.

    Note

    If you upload the Intune onboarding file instead of the Jamf .plist, the upload fails with an error.

  11. Select Save.

  12. The file is uploaded.

  13. Select the Scope tab.

  14. Select Contoso's Machine Group.

  15. Select Add, then select Save.

  16. Select Done. You'll see the new Configuration profile.
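As an added example (not part of the original page or of Microsoft's documentation), the following Python script builds the com.microsoft.wdav preference file from the settings listed in Step 3 and lints it for the two mistakes the notes above warn about: leaving the EICAR test file in allowedThreats and enabling passiveMode without a third-party AV in place. It uses only the standard library's plistlib. The nesting of the leaf keys under antivirusEngine, cloudService, edr and userInterface follows Microsoft's "Property list for Jamf configuration profile" document that this page refers to; compare the generated file against that document before uploading it, since the page itself lists only the leaf key names. The sample exclusion paths, tag value and the EICAR display name are constructed for illustration.

```python
"""Build and sanity-check MDATP_MDAV_configuration_settings.plist (preference domain com.microsoft.wdav)."""
import plistlib

# Display name Defender uses for the EICAR test string (constructed sample input; compare it
# with the name in your own sample configuration before relying on it).
EICAR_THREAT_NAME = "EICAR-Test-File (not a virus)"


def excluded_path(path, is_directory=False):
    """One 'exclusions' entry of type excludedPath."""
    return {"$type": "excludedPath", "isDirectory": is_directory, "path": path}


def excluded_extension(extension):
    """One 'exclusions' entry of type excludedFileExtension (no leading dot)."""
    return {"$type": "excludedFileExtension", "extension": extension}


def excluded_file_name(name):
    """One 'exclusions' entry of type excludedFileName (process or file name)."""
    return {"$type": "excludedFileName", "name": name}


def build_wdav_preferences(passive_mode=False, exclusions=(), allowed_threats=(),
                           group_tag=None, hide_status_menu_icon=False):
    """Return the dictionary that is serialised to MDATP_MDAV_configuration_settings.plist.

    Key nesting (antivirusEngine / cloudService / edr / userInterface) follows Microsoft's
    "Property list for Jamf configuration profile" document; the leaf keys are those in Step 3.
    """
    prefs = {
        "antivirusEngine": {
            "enableRealTimeProtection": True,
            "passiveMode": passive_mode,
            "exclusions": list(exclusions),
            "exclusionsMergePolicy": "merge",  # admin exclusions are merged with local ones
            "allowedThreats": list(allowed_threats),
            # Stop the local user from allowing or restoring a detected threat.
            "disallowedThreatActions": ["allow", "restore"],
            "threatTypeSettings": [
                {"key": "potentially_unwanted_application", "value": "block"},
                {"key": "archive_bomb", "value": "audit"},
            ],
        },
        "cloudService": {"enabled": True, "automaticSampleSubmission": True},
        "edr": {"tags": []},
        "userInterface": {"hideStatusMenuIcon": hide_status_menu_icon},
    }
    if group_tag:
        prefs["edr"]["tags"].append({"key": "GROUP", "value": group_tag})
    return prefs


def lint_preferences(prefs):
    """Return warnings for settings that weaken protection if they reach production."""
    warnings = []
    av = prefs["antivirusEngine"]
    if any("EICAR" in name.upper() for name in av.get("allowedThreats", [])):
        warnings.append("allowedThreats lists the EICAR test file; remove it before testing detections")
    if av.get("passiveMode"):
        warnings.append("passiveMode is on: Defender only reports, it does not remediate; "
                        "intended only alongside a third-party AV")
    if not av.get("enableRealTimeProtection", True):
        warnings.append("real-time protection is disabled")
    for action in ("allow", "restore"):
        if action not in av.get("disallowedThreatActions", []):
            warnings.append(f"local users may '{action}' a detected threat")
    for entry in av.get("exclusions", []):
        if (entry["$type"] == "excludedPath" and entry["isDirectory"]
                and entry["path"].rstrip("/") in ("", "/Users")):
            warnings.append(f"directory exclusion {entry['path']!r} excludes nearly the whole disk")
    return warnings


def to_plist(prefs):
    """XML plist bytes ready for 'Upload File (PLIST file)' in Jamf Pro."""
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML, sort_keys=False)


def from_plist(data):
    """Parse plist bytes back into a dictionary (round-trip check)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Proof-of-concept profile: EICAR is still allowed, so lint should complain.
    poc = build_wdav_preferences(
        exclusions=[excluded_path("/var/log/system.log"), excluded_extension("pdf"),
                    excluded_file_name("cat")],
        allowed_threats=[EICAR_THREAT_NAME],
        group_tag="ExampleTag",
    )
    for warning in lint_preferences(poc):
        print("WARNING:", warning)
    with open("MDATP_MDAV_configuration_settings.plist", "wb") as fh:
        fh.write(to_plist(poc))
```

Run the script, review the warnings, and upload the resulting .plist in Step 3 under the com.microsoft.wdav preference domain. Keeping the build in code rather than hand-editing XML makes it easy to produce a proof-of-concept variant (EICAR allowed) and a production variant (EICAR removed) from the same source, and the lint step is a cheap guard against the proof-of-concept version reaching the production machine group.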

Step 4: Configure notifications settings

These steps are applicable to macOS 10.15 (Catalina) or newer.

  1. Download notif.mobileconfig from our GitHub repository

  2. Save it as MDATP_MDAV_notification_settings.plist.

  3. In the Jamf Pro dashboard, select General.

  4. Enter the following details:

    General

    • Name: MDATP MDAV Notification settings
    • Description: macOS 10.15 (Catalina) or newer
    • Category: None (default)
    • Distribution Method: Install Automatically (default)
    • Level: Computer Level (default)
  5. Select Upload File (PLIST file).

  6. Select Choose File > MDATP_MDAV_notification_settings.plist.

  7. Select Open > Upload.

  8. Select the Scope tab, then select Add.

  9. Select Contoso's Machine Group.

  10. Select Add, then select Save.

  11. Select Done. You'll see the new Configuration profile.

Step 5: Configure Microsoft AutoUpdate (MAU)

  1. Use the following Microsoft Defender ATP configuration settings:

  2. Save it as MDATP_MDAV_MAU_settings.plist.

  3. In the Jamf Pro dashboard, select General.

  4. Enter the following details:

    General

    • Name: MDATP MDAV MAU settings
    • Description: Microsoft AutoUpdate settings for MDATP for macOS
    • Category: None (default)
    • Distribution Method: Install Automatically (default)
    • Level: Computer Level (default)
  5. In Application & Custom Settings select Configure.

  6. Select Upload File (PLIST file).

  7. In Preference Domain enter: com.microsoft.autoupdate2, then select Upload PLIST File.

  8. Select Choose File.

  9. Select MDATP_MDAV_MAU_settings.plist.

  10. Select Upload.

  11. Select Save.

  12. Select the Scope tab.

  13. Select Add.

  14. Select Done.

Step 6: Grant full disk access to Microsoft Defender ATP

  1. In the Jamf Pro dashboard, select Configuration Profiles.

  2. Select + New.

  3. Enter the following details:

    General

    • Name: MDATP MDAV - grant Full Disk Access to EDR and AV
    • Description: On macOS Catalina or newer, the new Privacy Preferences Policy Control
    • Category: None
    • Distribution method: Install Automatically
    • Level: Computer level
  4. In Configure Privacy Preferences Policy Control select Configure.

  5. In Privacy Preferences Policy Control, enter the following details:

    • Identifier: com.microsoft.wdav
    • Identifier Type: Bundle ID
    • Code Requirement: identifier 'com.microsoft.wdav' and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
  6. Select + Add.

    • Under App or service: Set to SystemPolicyAllFiles

    • Under 'access': Set to Allow

  7. Select Save (not the one at the bottom right).

  8. Click the + sign next to App Access to add a new entry.

  9. Enter the following details:

    • Identifier: com.microsoft.wdav.epsext
    • Identifier Type: Bundle ID
    • Code Requirement: identifier 'com.microsoft.wdav.epsext' and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
  10. Select + Add.

    • Under App or service: Set to SystemPolicyAllFiles

    • Under 'access': Set to Allow

  11. Select Save (not the one at the bottom right).

  12. Select the Scope tab.

  13. Select + Add.

  14. Select Computer Groups > under Group Name > select Contoso's Machine Group.

  15. Select Add.

  16. Select Save.

  17. Select Done.
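The two Jamf UI entries in Step 6 correspond to one PPPC payload of type com.apple.TCC.configuration-profile-policy. As an added example, not taken from the page or from Microsoft, the following Python script generates that payload as a .mobileconfig for both bundle IDs and, before doing so, checks the code requirement strings. The requirement language ignores everything inside /* */, so a copy-and-paste accident such as '/* exists / ... / exists */' (the form the epsext requirement took in some copies of this page) is not rejected by Jamf; it silently turns the Developer ID leaf check into comment text, and a requirement that is looser or tighter than intended either grants Full Disk Access to more than you meant or never matches the running binary, in which case Full Disk Access is never granted at all. The team ID UBF8T346G9, the bundle IDs and the requirement clauses are those listed on the page; the PayloadIdentifier prefix and the Comment strings are assumptions you should replace with your own.

```python
"""Generate the PPPC (TCC) profile that grants Full Disk Access to Microsoft Defender ATP
and its endpoint security extension, checking the code requirement strings first."""
import plistlib
import re
import uuid

TEAM_ID = "UBF8T346G9"  # Microsoft's Apple Developer Team ID, as given on the page
DEVELOPER_ID_CA = "certificate 1[field.1.2.840.113635.100.6.2.6]"        # Developer ID intermediate CA
DEVELOPER_ID_LEAF = "certificate leaf[field.1.2.840.113635.100.6.1.13]"  # Developer ID Application leaf


def code_requirement(identifier, team_id=TEAM_ID):
    """Requirement string in the form the page uses, for the given bundle ID."""
    return (f"identifier '{identifier}' and anchor apple generic and {DEVELOPER_ID_CA} /* exists */ "
            f"and {DEVELOPER_ID_LEAF} /* exists */ and certificate leaf[subject.OU] = {team_id}")


def check_requirement(req, identifier, team_id=TEAM_ID):
    """Return a list of problems with a requirement string; an empty list means it looks sane."""
    problems = []
    if req.count("/*") != req.count("*/"):
        problems.append("unbalanced /* */ comment markers")
    # The requirement parser ignores comment bodies, so only the text outside /* */ counts.
    effective = re.sub(r"/\*.*?\*/", " ", req)
    if not re.search(r"identifier\s+['\"]" + re.escape(identifier) + r"['\"]", effective):
        problems.append(f"identifier does not name {identifier}")
    for token, meaning in (("anchor apple generic", "Apple-rooted certificate chain"),
                           (DEVELOPER_ID_CA, "Developer ID intermediate CA"),
                           (DEVELOPER_ID_LEAF, "Developer ID Application leaf"),
                           (f"certificate leaf[subject.OU] = {team_id}", f"team ID {team_id}")):
        if token not in effective:
            problems.append(f"missing check for {meaning}: {token}")
    return problems


def fda_entry(identifier, comment):
    """One SystemPolicyAllFiles entry; Allowed=True is the Jamf UI's 'access: Allow'."""
    return {"Identifier": identifier, "IdentifierType": "bundleID",
            "CodeRequirement": code_requirement(identifier), "Allowed": True, "Comment": comment}


def build_fda_profile(org_prefix="com.contoso.mdatp"):
    """Full .mobileconfig dictionary; org_prefix is an assumed reverse-DNS name, use your own."""
    entries = [fda_entry("com.microsoft.wdav", "Microsoft Defender ATP application"),
               fda_entry("com.microsoft.wdav.epsext", "Microsoft Defender ATP endpoint security extension")]
    for entry in entries:
        problems = check_requirement(entry["CodeRequirement"], entry["Identifier"])
        if problems:
            raise ValueError(f"{entry['Identifier']}: {'; '.join(problems)}")
    payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"{org_prefix}.pppc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "MDATP MDAV - grant Full Disk Access to EDR and AV",
        "Services": {"SystemPolicyAllFiles": entries},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # PPPC grants only work as device (Computer Level) profiles
        "PayloadIdentifier": org_prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "MDATP MDAV - grant Full Disk Access to EDR and AV",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialise the profile to XML plist bytes (the .mobileconfig file)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=False)


def from_mobileconfig(data):
    """Parse .mobileconfig bytes back into a dictionary (round-trip check)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    with open("mdatp-full-disk-access.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(build_fda_profile()))
```

Upload the output through Configuration Profiles > Upload, or sign it first in the same way the page signs the network filter profile in Step 9, since Jamf Pro may rewrite uploaded profiles. On a Mac with the product installed, a requirement can be checked against the real binary before deployment with codesign --verify -R="=<requirement string>" "/Applications/Microsoft Defender ATP.app"; a non-zero exit means the string would never match and the Full Disk Access grant would not apply.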

Step 7: Approve Kernel extension for Microsoft Defender ATP

  1. In the Configuration Profiles, select + New.

  2. Enter the following details:

    General

    • Name: MDATP MDAV Kernel Extension
    • Description: MDATP kernel extension (kext)
    • Category: None
    • Distribution Method: Install Automatically
    • Level: Computer Level
  3. In Configure Approved Kernel Extensions select Configure.

  4. In Approved Kernel Extensions Enter the following details:

    • Display Name: Microsoft Corp.
    • Team ID: UBF8T346G9
  5. Select the Scope tab.

  6. Select + Add.

  7. Select Computer Groups > under Group Name > select Contoso's Machine Group.

  8. Select + Add.

  9. Select Save.

  10. Select Done.

Step 8: Approve System extensions for Microsoft Defender ATP

  1. In the Configuration Profiles, select + New.

  2. Enter the following details:

    General

    • Name: MDATP MDAV System Extensions
    • Description: MDATP system extensions
    • Category: None
    • Distribution Method: Install Automatically
    • Level: Computer Level
  3. In System Extensions select Configure.

  4. In System Extensions enter the following details:

    • Display Name: Microsoft Corp. System Extensions
    • System Extension Types: Allowed System Extensions
    • Team Identifier: UBF8T346G9
    • Allowed System Extensions:
      • com.microsoft.wdav.epsext
      • com.microsoft.wdav.netext
  5. Select the Scope tab.

  6. Select + Add.

  7. Select Computer Groups > under Group Name > select Contoso's Machine Group.

  8. Select + Add.

  9. Select Save.

  10. Select Done.


Step 9: Configure Network Extension

As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.

Note

JAMF doesn't have built-in support for content filtering policies, which are a prerequisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involves signing the configuration profile.

  1. Download netfilter.mobileconfig from our GitHub repository to your device and save it as com.microsoft.network-extension.mobileconfig

  2. Follow the instructions on this page to create a signing certificate using JAMF’s built-in certificate authority

  3. After the certificate is created and installed on your device, run the following command in Terminal on a macOS device:

  4. From the JAMF portal, navigate to Configuration Profiles and click the Upload button.

  5. Select Choose File and select microsoft.network-extension.signed.mobileconfig.

  6. Select Upload.

  7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.

  8. Select the Scope tab.

  9. Select + Add.

  10. Select Computer Groups > under Group Name > select Contoso's Machine Group.

  11. Select + Add.

  12. Select Save.

  13. Select Done.


Step 10: Schedule scans with Microsoft Defender ATP for Mac

Follow the instructions on Schedule scans with Microsoft Defender ATP for Mac.


Step 11: Deploy Microsoft Defender ATP for macOS


  1. Navigate to where you saved wdav.pkg.

  2. Rename it to wdav_MDM_Contoso_200329.pkg.

  3. Open the Jamf Pro dashboard.

  4. Navigate to Advanced Computer Searches.

  5. Select Computer Management.

  6. In Packages, select + New.

  7. In New Package Enter the following details:

    General tab

    • Display Name: Leave it blank for now; it will be reset when you choose your .pkg.
    • Category: None (default)
    • Filename: Choose File

    Open the file and point it to wdav.pkg or wdav_MDM_Contoso_200329.pkg.

  8. Select Open. Set the Display Name to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus.

    • Manifest File: Select Upload Manifest File.

    Options tab
    Keep default values.

    Limitations tab
    Keep default values.

  9. Select Save. The package is uploaded to Jamf Pro.

    It can take a few minutes for the package to be available for deployment.

  10. Navigate to the Policies page.

  11. Select + New to create a new policy.

  12. In General Enter the following details:

    • Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
  13. Select Recurring Check-in.

  14. Select Save.

  15. Select Packages > Configure.

  16. Select the Add button next to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus.

  17. Select Save.

  18. Select the Scope tab.

  19. Select the target computers, then select Add.

  20. Select Done.