Deploying Microsoft Defender to macOS devices

Introduction

Deploying Microsoft Defender to macOS devices using EPM JAMF is straightforward; most of the work is automated by JAMF. There are just a few prerequisites that need to be completed:

  • Checking your JAMF site for the necessary smart groups, configuration profiles, and policies.
  • Performing the actual deployment using the EPM JAMF policies.
  • Monitoring your deployment progress.

Checking your JAMF site for the necessary smart groups, configuration profiles, and policies.

Log into your EPM JAMF site and verify that the following smart groups, configuration profiles, and policies are in place. If you find any of these items missing, you will need to contact a member of the EPM Core team to resolve the problem, as site admins generally do not have the permissions in EPM JAMF to resolve this themselves.

Smart Groups

Verify that your EPM JAMF site has all of the following smart groups:

  • SITE-Microsoft Defender-Cached
  • SITE-Microsoft Defender-Installed
  • SITE-macOS Mojave (10.14) and Older

The prefix of SITE in the list above will actually be the prefix for your CSU site in JAMF (e.g., LAITS).


Configuration Profiles

Verify that your EPM JAMF site has all of the following configuration profiles:

  • SITE-Microsoft Defender-MDATP MDAV-Scan Exclusions
  • SITE-Microsoft Defender-MDATP MDAV-Tagging

The prefix of SITE in the list above will actually be the prefix for your CSU site in JAMF (e.g., LAITS).

Policies

Verify that your EPM JAMF site has all of the following policy:

  • SITE-Microsoft Defender-Deploy Installer

The prefix of SITE in the list above will actually be the prefix for your CSU site in JAMF (e.g., LAITS).

Once you have verified that all of these smart groups, configuration profiles, and policies are in place, you can move on to the actual deployment.

Performing the actual deployment using the EPM JAMF policies

Deploying Microsoft Defender to your macOS devices is a simple process; you only need to start it by scoping one policy.

NOTE: Microsoft Defender can only be deployed to machines running macOS Catalina (10.15) or later.

In your EPM JAMF site locate the following policy:

  • SITE-Microsoft Defender-Deploy Installer

The prefix of SITE in the name above will actually be the prefix for your CSU site in JAMF (e.g., LAITS).

Select the policy and, in the lower right corner, select the Edit button. Select the Scope tab, then select the + ADD button. Add all of the machines you wish to target for this deployment. When done, select the DONE button, then select the SAVE button at the bottom.

Monitoring your deployment progress

As machines check in with JAMF they move through three steps:

  • Step 1 caches the Microsoft Defender package on the machine.
  • Step 2 (a global policy) ensures the machine receives the necessary configuration profiles and performs a quality-assurance check by waiting until all of them are present on the machine before moving on.
  • Step 3 (a global policy) performs the installation and completes the process.

If you want to monitor the Microsoft Defender deployment process, you can add the deployment policy to your JAMF dashboard and it will show you a graph of its progress.

In your EPM JAMF site locate the following policy:

  • SITE-Microsoft Defender-Deploy Installer

Select the policy and in the upper right hand corner put a checkmark in the box next to Show in JAMF Pro Dashboard. Once done, go to your JAMF Dashboard by clicking on the JAMF PRO logo in the upper left corner.


In your EPM JAMF site locate the following smart group:

  • SITE-Microsoft Defender-Installed

Select the smart group and in the upper right hand corner put a checkmark in the box next to Show in JAMF Pro Dashboard. Once done, go to your JAMF Dashboard by clicking on the JAMF PRO logo in the upper left corner.

As step 3 completes and Microsoft Defender is installed properly, the count in this smart group increments. When Microsoft Defender is fully deployed, the number of machines shown as Completed for the deployment policy should match the number of machines in the SITE-Microsoft Defender-Installed smart group.

Edit Scan Exclusions

You can add and remove exclusions for the scanner by adding or removing path entries. To exclude an entire directory, take the code below, set the path you want to exclude, insert it at the bottom of the list (directly above </array>) in the SITE-Microsoft Defender-MDATP MDAV-Scan Exclusions configuration profile, and redeploy the profile to all devices. Wildcards are permitted.

        <dict>
          <key>$type</key>
          <string>excludedPath</string>
          <key>isDirectory</key>
          <true/>
          <key>path</key>
          <string>/Directory Path</string>
        </dict>

You can also exclude extensions and specific files by using the strings below.

        <dict>
          <key>$type</key>
          <string>excludedFileExtension</string>
          <key>extension</key>
          <string>pdf</string>
        </dict>

        <dict>
          <key>$type</key>
          <string>excludedFileName</string>
          <key>name</key>
          <string>/path/File Name</string>
        </dict>
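As an added example (not part of the EPM documentation), the Python script below validates an entry against the three exclusion shapes shown above and appends it to the bottom of the exclusions array in a profile payload, so a malformed entry (wrong $type, missing key, or a string where <true/> belongs) is caught before the profile is redeployed. The antivirusEngine/exclusions wrapper around the array and the sample paths are assumptions, not taken from this page.

```python
import plistlib
# Required keys (and value types) for each exclusion $type shown on this page.
EXCLUSION_SCHEMA = {
    "excludedPath": {"path": str, "isDirectory": bool},
    "excludedFileExtension": {"extension": str},
    "excludedFileName": {"name": str},
}

# Constructed sample; the antivirusEngine/exclusions wrapper is an assumption.
SAMPLE_PLIST = b"""<plist version="1.0">
<dict>
  <key>antivirusEngine</key>
  <dict>
    <key>exclusions</key>
    <array>
      <dict>
        <key>$type</key>
        <string>excludedPath</string>
        <key>isDirectory</key>
        <true/>
        <key>path</key>
        <string>/Users/Shared/Build</string>
      </dict>
    </array>
  </dict>
</dict>
</plist>
"""

def validate_exclusion(entry):
    # Reject unknown $type values, missing keys and wrong value types (such as
    # the string "true" instead of <true/>) before the entry enters the profile.
    kind = entry.get("$type")
    if kind not in EXCLUSION_SCHEMA:
        raise ValueError(f"unknown $type: {kind!r}")
    for key, typ in EXCLUSION_SCHEMA[kind].items():
        if not isinstance(entry.get(key), typ):
            raise ValueError(f"{kind} needs {key!r} of type {typ.__name__}")
    return entry

def add_exclusions(plist_bytes, new_entries):
    # Append validated entries at the bottom of the array (above </array>).
    payload = plistlib.loads(plist_bytes)
    exclusions = payload["antivirusEngine"]["exclusions"]
    for entry in new_entries:
        exclusions.append(validate_exclusion(entry))
    return plistlib.dumps(payload)

def list_exclusions(plist_bytes):
    return plistlib.loads(plist_bytes)["antivirusEngine"]["exclusions"]
```

Run add_exclusions on the exported profile payload and upload the returned bytes; the original bytes are left untouched.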
