Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
If you have deployed Microsoft Defender for Endpoint on macOS in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. Failure to do these steps will result in users getting approval prompts to run these new components.
JAMF
JAMF System Extensions Policy
To approve the system extensions, create the following payload:
- In Computers > Configuration Profiles select Options > System Extensions. 
- Select Allowed System Extensions from the System Extension Types drop-down list. 
- Use UBF8T346G9 for Team Id. 
- Add the following bundle identifiers to the Allowed System Extensions list: - com.microsoft.wdav.epsext
- com.microsoft.wdav.netext
 
Privacy Preferences Policy Control
Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender for Endpoint Endpoint Security Extension. This policy is a pre-requisite for running the extension on your device.
- Select Options > Privacy Preferences Policy Control. 
- Use - com.microsoft.wdav.epsextas the Identifier and- Bundle IDas Bundle type.
- Set Code Requirement to - identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
- Set App or service to SystemPolicyAllFiles and access to Allow. 
Network Extension Policy
As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender portal. The following policy allows the network extension to perform this functionality.
Note
JAMF doesn't have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender for Endpoint on macOS installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involve signing the configuration profile.
- Save the following content to your device as - com.microsoft.network-extension.mobileconfigusing a text editor:- <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1"> <dict> <key>PayloadUUID</key> <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadOrganization</key> <string>Microsoft Corporation</string> <key>PayloadIdentifier</key> <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string> <key>PayloadDisplayName</key> <string>Microsoft Defender Network Extension</string> <key>PayloadDescription</key> <string/> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadEnabled</key> <true/> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadScope</key> <string>System</string> <key>PayloadContent</key> <array> <dict> <key>PayloadUUID</key> <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string> <key>PayloadType</key> <string>com.apple.webcontent-filter</string> <key>PayloadOrganization</key> <string>Microsoft Corporation</string> <key>PayloadIdentifier</key> <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string> <key>PayloadDisplayName</key> <string>Approved Network Extension</string> <key>PayloadDescription</key> <string/> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadEnabled</key> <true/> <key>FilterType</key> <string>Plugin</string> <key>UserDefinedName</key> <string>Microsoft Defender Network Extension</string> <key>PluginBundleID</key> <string>com.microsoft.wdav</string> <key>FilterSockets</key> <true/> <key>FilterDataProviderBundleIdentifier</key> <string>com.microsoft.wdav.netext</string> <key>FilterDataProviderDesignatedRequirement</key> <string>identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string> </dict> </array> </dict> </plist>
- Verify that the above file was copied correctly by running the - plutilutility in the Terminal:- $ plutil -lint <PathToFile>/com.microsoft.network-extension.mobileconfig- For example, if the file was stored in Documents: - $ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig- Verify that the command outputs - OK.- <PathToFile>/com.microsoft.network-extension.mobileconfig: OK
- Follow the instructions on this page to create a signing certificate using JAMF's built-in certificate authority. 
- After the certificate is created and installed to your device, run the following command from the Terminal to sign the file: - $ security cms -S -N "<CertificateName>" -i <PathToFile>/com.microsoft.network-extension.mobileconfig -o <PathToSignedFile>/com.microsoft.network-extension.signed.mobileconfig- For example, if the certificate name is SigningCertificate and the signed file is going to be stored in Documents: - $ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig
- From the JAMF portal, navigate to Configuration Profiles and click the Upload button. Select - com.microsoft.network-extension.signed.mobileconfigwhen prompted for the file.
Intune
Intune System Extensions Policy
To approve the system extensions:
- In Intune, open Manage > Device configuration. Select Manage > Profiles > Create Profile. 
- Choose a name for the profile. Change Platform=macOS to Profile type=Extensions. Select Create. 
- In the - Basicstab, give a name to this new profile.
- In the - Configuration settingstab, add the following entries in the- Allowed system extensionssection:
 
| Bundle identifier | Team identifier | 
|---|---|
| com.microsoft.wdav.epsext | UBF8T346G9 | 
| com.microsoft.wdav.netext | UBF8T346G9 | 
- In the Assignmentstab, assign this profile to All Users & All devices.
- Review and create this configuration profile.
Create and deploy the Custom Configuration Profile
The following configuration profile enables the network extension and grants Full Disk Access to the Endpoint Security system extension.
Save the following content to a file named sysext.xml:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
    <dict>
        <key>PayloadUUID</key>
        <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadOrganization</key>
        <string>Microsoft Corporation</string>
        <key>PayloadIdentifier</key>
        <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
        <key>PayloadDisplayName</key>
        <string>Microsoft Defender System Extensions</string>
        <key>PayloadDescription</key>
        <string/>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadUUID</key>
                <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
                <key>PayloadType</key>
                <string>com.apple.webcontent-filter</string>
                <key>PayloadOrganization</key>
                <string>Microsoft Corporation</string>
                <key>PayloadIdentifier</key>
                <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
                <key>PayloadDisplayName</key>
                <string>Approved Network Extension</string>
                <key>PayloadDescription</key>
                <string/>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadEnabled</key>
                <true/>
                <key>FilterType</key>
                <string>Plugin</string>
                <key>UserDefinedName</key>
                <string>Microsoft Defender Network Extension</string>
                <key>PluginBundleID</key>
                <string>com.microsoft.wdav</string>
                <key>FilterSockets</key>
                <true/>
                <key>FilterDataProviderBundleIdentifier</key>
                <string>com.microsoft.wdav.netext</string>
                <key>FilterDataProviderDesignatedRequirement</key>
                <string>identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
            </dict>
            <dict>
                <key>PayloadUUID</key>
                <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
                <key>PayloadType</key>
                <string>com.apple.TCC.configuration-profile-policy</string>
                <key>PayloadOrganization</key>
                <string>Microsoft Corporation</string>
                <key>PayloadIdentifier</key>
                <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
                <key>PayloadDisplayName</key>
                <string>Privacy Preferences Policy Control</string>
                <key>PayloadDescription</key>
                <string/>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadEnabled</key>
                <true/>
                <key>Services</key>
                <dict>
                    <key>SystemPolicyAllFiles</key>
                    <array>
                        <dict>
                            <key>Identifier</key>
                            <string>com.microsoft.wdav.epsext</string>
                            <key>CodeRequirement</key>
                            <string>identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
                            <key>IdentifierType</key>
                            <string>bundleID</string>
                            <key>StaticCode</key>
                            <integer>0</integer>
                            <key>Allowed</key>
                            <integer>1</integer>
                        </dict>
                    </array>
                </dict>
            </dict>
        </array>
    </dict>
</plist>
Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs OK:
$ plutil -lint sysext.xml
sysext.xml: OK
To deploy this custom configuration profile:
- In Intune, open Manage > Device configuration. Select Manage > Profiles > Create profile. 
- Choose a name for the profile. Change Platform=macOS and Profile type=Custom. Select Configure. 
- Open the configuration profile and upload sysext.xml. This file was created in the preceding step. 
- Select OK. 
- In the - Assignmentstab, assign this profile to All Users & All devices.
- Review and create this configuration profile. 
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
 
 
 
