SCCM Rookie

How to Deploy Defender for Endpoint on macOS Using Intune

Managing Apple devices in a Windows-centric enterprise environment has become a top priority. In this guide, we walk through how to configure and deploy Microsoft Defender for Endpoint (MDE) on macOS using Microsoft Intune, so that devices are fully protected and report into your Microsoft Defender security portal.

Prerequisites: Ensure your macOS devices are already enrolled in Intune and the "Microsoft Defender for Endpoint" connector is enabled under Endpoint Security.

1. System Extensions Configuration

macOS requires explicit approval for the extensions that Defender uses to monitor the system. Without this, the app won't have the necessary permissions to scan the device.

  • Create a new Configuration Profile (Settings Catalog).
  • Search for System Extensions and add the following identifiers (Team ID: UBF8T346G9):
    • com.microsoft.wdav.epsext
    • com.microsoft.wdav.netext
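
The Settings Catalog generates this payload for you, but if you build or reuse a .mobileconfig for this step it is worth checking before upload that both identifiers are actually allowed under Microsoft's Team ID. The following Python script is an added example (not from this post or from Microsoft): it uses Apple's `com.apple.system-extension-policy` payload keys, constructs a minimal profile with the Team ID and identifiers above (payload identifiers and UUIDs are made up), and flags a profile that only allows one of the two extensions.

```python
from __future__ import annotations
import plistlib

MS_TEAM_ID = "UBF8T346G9"
REQUIRED_EXTENSIONS = ["com.microsoft.wdav.epsext", "com.microsoft.wdav.netext"]
SYSEXT_PAYLOAD = "com.apple.system-extension-policy"

def build_sysext_profile() -> bytes:
    """Minimal System Extensions profile allowing only Defender's two extensions
    under Microsoft's Team ID. Payload identifiers and UUIDs are constructed."""
    payload = {
        "PayloadType": SYSEXT_PAYLOAD,
        "PayloadIdentifier": "com.example.sysext.defender",  # hypothetical
        "PayloadUUID": "11111111-2222-3333-4444-555555555555",  # constructed
        "PayloadVersion": 1,
        "PayloadDisplayName": "Defender system extensions",
        "AllowedTeamIdentifiers": [MS_TEAM_ID],
        "AllowedSystemExtensions": {MS_TEAM_ID: list(REQUIRED_EXTENSIONS)},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile.defender-sysext",  # hypothetical
        "PayloadUUID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # constructed
        "PayloadVersion": 1,
        "PayloadDisplayName": "Defender for Endpoint - System Extensions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def missing_defender_extensions(mobileconfig: bytes) -> list[str]:
    """Defender extension identifiers the profile does NOT allow under Microsoft's
    Team ID. An empty list means both extensions are allowed and the profile is usable."""
    profile = plistlib.loads(mobileconfig)
    allowed = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == SYSEXT_PAYLOAD:
            allowed.update(payload.get("AllowedSystemExtensions", {}).get(MS_TEAM_ID, []))
    return [ext for ext in REQUIRED_EXTENSIONS if ext not in allowed]

def without_extension(mobileconfig: bytes, ext: str) -> bytes:
    """Constructed negative case: drop one identifier, like a stale or hand-edited template."""
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        allowed = payload.get("AllowedSystemExtensions", {})
        if MS_TEAM_ID in allowed:
            allowed[MS_TEAM_ID] = [e for e in allowed[MS_TEAM_ID] if e != ext]
    return plistlib.dumps(profile)

if __name__ == "__main__":
    print(missing_defender_extensions(without_extension(build_sysext_profile(), "com.microsoft.wdav.netext")))  # -> ['com.microsoft.wdav.netext']
```

Run `missing_defender_extensions` over the bytes of any profile you plan to upload as a Custom profile; a non-empty result means Defender would be left prompting the user for approval.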

2. Configuration via .mobileconfig Files

Many Defender settings on Mac must be uploaded via custom configuration files. These templates handle critical security permissions that cannot be toggled manually by users:

  • Network Filter: Allows Defender to monitor and filter network traffic.
  • Full Disk Access: Mandatory for Defender to scan system files and detect threats.
  • Background Services: Ensures Defender processes run correctly at startup.

Tip: Always download the latest .mobileconfig templates from the official Microsoft GitHub repository and upload them as "Custom" profiles in Intune.

3. Microsoft AutoUpdate (MAU)

To keep Defender updated without user intervention, we need to configure the Microsoft AutoUpdate service.

By creating a custom profile and uploading the MAU XML configuration, you can define the update "channel." For most enterprise environments, setting this to Production is the standard, though you can use Preview for testing groups.

4. EDR Policy (Endpoint Detection and Response)

This is a step often missed by administrators. Even if the app is installed, the device needs an EDR policy to correctly check in with the Microsoft Defender portal.

  1. Go to Endpoint Security > Endpoint Detection and Response.
  2. Create a policy for macOS and assign it to your target device groups.

5. App Deployment and Onboarding

The final step is installing the software and "linking" it to your specific tenant:

  • App Deployment: In Intune, go to Apps > macOS and add the built-in "Microsoft Defender for Endpoint" app.
  • Onboarding Package: Download the onboarding