Microsoft Defender for Endpoint Upgrade Readiness MacOS Big Sur

Hi IT Pros,

Today we discuss preparing Microsoft Defender for Endpoint on an organization's macOS systems so they are ready for Big Sur, the latest version of the Mac operating system, released by Apple on 12 November 2020. Big Sur builds on the MDM (Mobile Device Management) protocol as the key mechanism for automated device enrollment, content caching and managing apps. It also moves third-party code out of the kernel: security products that previously ran as kernel extensions (KEXTs) now run as system extensions, which execute in user space with only the entitlements they have been granted.

Microsoft Endpoint Manager now supports the following new device configurations on macOS Big Sur:

  • Non-OS software updates deferral
  • “Enable direct download” setting for associated domains
  • 4096-bit SCEP keys
  • Prevent users from disabling automatic
  • Excluded Domains for per-app connections

For Microsoft Defender for Endpoint (at the time still branded Microsoft Defender ATP), Microsoft released an update to the macOS agent that uses the new system extensions instead of kernel extensions, with the following details:

  • An update to the Microsoft Defender for Mac agent is required on all eligible macOS devices prior to moving these devices to macOS 11.
  • The update is applicable to devices running macOS version 10.15.4 or later.
  • To ensure that the Microsoft Defender for Mac update is delivered and applied seamlessly from an end-user perspective, a new remote configuration must be deployed to all eligible macOS devices before Microsoft publishes the new agent version.
  • If the configuration is not deployed prior to the Microsoft Defender ATP for Mac agent update, end users will be presented with a series of system dialogs asking them to grant the agent all permissions associated with the new system extensions (system extension approval, Full Disk Access, and the network content filter).

Even though the new system-extension-based implementation of Microsoft Defender ATP for Mac applies only to devices running macOS 10.15.4 or later, deploying the configuration proactively across the entire macOS fleet has two benefits:

  • it ensures that even down-level devices are ready for the macOS 11 Big Sur upgrade
  • it ensures that Microsoft Defender ATP for Mac continues protecting all macOS devices regardless of the OS version they were running prior to the Big Sur upgrade.

New configuration profiles for macOS Catalina and newer versions of macOS

You can deploy the configuration profiles with JAMF or Microsoft Endpoint Manager (Intune) as your deployment tool. Three pieces of configuration need to be deployed:

  • System Extension configuration profile
  • Privacy Preferences Policy Control, granting Full Disk Access to the Microsoft Defender ATP Endpoint Security Extension
  • Network Extension configuration profile

Option 1: JAMF Deployment

 

  • System Extension configuration profile

In Computers > Configuration Profiles, select Options > System Extensions.

Select Allowed System Extensions from the System Extension Types drop-down list.

Use UBF8T346G9 for Team Id.

Add the following bundle identifiers to the Allowed System Extensions list:

com.microsoft.wdav.epsext
com.microsoft.wdav.netext

m1.png

  • Privacy Preferences Policy Control

Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender ATP Endpoint Security Extension. This policy is a prerequisite for running the extension on your device.

  • Select Options > Privacy Preferences Policy Control.

Use com.microsoft.wdav.epsext as the Identifier and Bundle ID as the Bundle type.

Set Code Requirement to:

identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

The requirement does more than name the bundle: it binds the grant to code signed under a Developer ID certificate chain (the two field.1.2.840.113635.100.6.* clauses) and to Microsoft's Team ID (UBF8T346G9), so an arbitrary binary that merely claims the com.microsoft.wdav.epsext identifier does not inherit Full Disk Access.

Set App or Service to SystemPolicyAllFiles and Access to Allow.

m2.png

As part of its Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this function.

Note

JAMF doesn't have built-in support for content filtering policies, which are a prerequisite for enabling the network extension that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involves signing the configuration profile.

Save the following content to your device as com.microsoft.network-extension.mobileconfig using a text editor:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadUUID</key>
        <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadOrganization</key>
        <string>Microsoft Corporation</string>
        <key>PayloadIdentifier</key>
        <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
        <key>PayloadDisplayName</key>
        <string>Microsoft Defender ATP Network Extension</string>
        <key>PayloadDescription</key>
        <string/>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadUUID</key>
                <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
                <key>PayloadType</key>
                <string>com.apple.webcontent-filter</string>
                <key>PayloadOrganization</key>
                <string>Microsoft Corporation</string>
                <key>PayloadIdentifier</key>
                <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
                <key>PayloadDisplayName</key>
                <string>Approved Network Extension</string>
                <key>PayloadDescription</key>
                <string/>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadEnabled</key>
                <true/>
                <key>FilterType</key>
                <string>Plugin</string>
                <key>UserDefinedName</key>
                <string>Microsoft Defender ATP Network Extension</string>
                <key>PluginBundleID</key>
                <string>com.microsoft.wdav</string>
                <key>FilterSockets</key>
                <true/>
                <key>FilterDataProviderBundleIdentifier</key>
                <string>com.microsoft.wdav.netext</string>
                <key>FilterDataProviderDesignatedRequirement</key>
                <string>identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
            </dict>
        </array>
    </dict>
</plist>
```

Verify that the file was copied correctly by running `plutil -lint com.microsoft.network-extension.mobileconfig` in the Terminal; it should report OK.

m3.png

Sign the linted file with a certificate issued by JAMF's built-in certificate authority (installed in the keychain of the Mac you sign on), for example with the macOS security tool: `security cms -S -N "<certificate name>" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig`. Because the uploaded profile is signed, JAMF deploys it as-is instead of re-rendering its payloads. Then, from the JAMF portal, navigate to Configuration Profiles and click the Upload button. Select com.microsoft.network-extension.signed.mobileconfig when prompted for the file.

Option 2: Endpoint Manager Deployment

  • System Extensions Policy

To approve the system extensions:

  • In Intune, open Manage > Device configuration. Select Manage > Profiles > Create Profile.

Choose a name for the profile. Set Platform to macOS and Profile type to Extensions. Select Create.

m5.png

In the Basics tab, give a name to this new profile.

  • In the Configuration settings tab, add the following entries in the Allowed system extensions section:

    Bundle identifier            Team identifier
    com.microsoft.wdav.epsext    UBF8T346G9
    com.microsoft.wdav.netext    UBF8T346G9

TanTran_4-1608838133677.png

  

  • In the Assignments tab, assign this profile to All Users & All devices.
  • Review and create this configuration profile.

  • Create and deploy the Endpoint Manager custom configuration profile for the macOS Network Extension and Full Disk Access policies

The following configuration profile approves the network extension and grants Full Disk Access to the Endpoint Security system extension.

Save the following content to a file named sysext.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadUUID</key>
        <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadOrganization</key>
        <string>Microsoft Corporation</string>
        <key>PayloadIdentifier</key>
        <string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
        <key>PayloadDisplayName</key>
        <string>Microsoft Defender ATP System Extensions</string>
        <key>PayloadDescription</key>
        <string/>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadUUID</key>
                <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
                <key>PayloadType</key>
                <string>com.apple.webcontent-filter</string>
                <key>PayloadOrganization</key>
                <string>Microsoft Corporation</string>
                <key>PayloadIdentifier</key>
                <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
                <key>PayloadDisplayName</key>
                <string>Approved Network Extension</string>
                <key>PayloadDescription</key>
                <string/>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadEnabled</key>
                <true/>
                <key>FilterType</key>
                <string>Plugin</string>
                <key>UserDefinedName</key>
                <string>Microsoft Defender ATP Network Extension</string>
                <key>PluginBundleID</key>
                <string>com.microsoft.wdav</string>
                <key>FilterSockets</key>
                <true/>
                <key>FilterDataProviderBundleIdentifier</key>
                <string>com.microsoft.wdav.netext</string>
                <key>FilterDataProviderDesignatedRequirement</key>
                <string>identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
            </dict>
            <dict>
                <key>PayloadUUID</key>
                <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
                <key>PayloadType</key>
                <string>com.apple.TCC.configuration-profile-policy</string>
                <key>PayloadOrganization</key>
                <string>Microsoft Corporation</string>
                <key>PayloadIdentifier</key>
                <string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
                <key>PayloadDisplayName</key>
                <string>Privacy Preferences Policy Control</string>
                <key>PayloadDescription</key>
                <string/>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadEnabled</key>
                <true/>
                <key>Services</key>
                <dict>
                    <key>SystemPolicyAllFiles</key>
                    <array>
                        <dict>
                            <key>Identifier</key>
                            <string>com.microsoft.wdav.epsext</string>
                            <key>CodeRequirement</key>
                            <string>identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
                            <key>IdentifierType</key>
                            <string>bundleID</string>
                            <key>StaticCode</key>
                            <integer>0</integer>
                            <key>Allowed</key>
                            <integer>1</integer>
                        </dict>
                    </array>
                </dict>
            </dict>
        </array>
    </dict>
</plist>
```

Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs OK:

```bash
$ plutil -lint sysext.xml
sysext.xml: OK
```
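plutil -lint proves only that the file is a well-formed property list; it says nothing about whether the payloads still carry the right bundle identifiers, whether a designated requirement still pins Microsoft's Team ID, or whether a tool rewrote FilterSockets. The script below is an added example (not Microsoft's, JAMF's or Intune's code) that applies those semantic checks with only the Python standard library, and it serves both profiles on this page: the JAMF com.microsoft.network-extension.mobileconfig (run with --no-fda, since Full Disk Access comes from the separate PPPC payload there) and the Intune sysext.xml. The sample profile it builds for demonstration is constructed for this example from the page's UUIDs and requirement strings; the weakened requirement string is written here for contrast and is not something on the page. The script name check_profile.py and the --no-fda flag are assumptions of this example.

```python
"""Semantic checks for a Defender for Endpoint macOS extension profile (added example)."""
import plistlib
import sys

TEAM_ID = "UBF8T346G9"
EPS_EXT = "com.microsoft.wdav.epsext"
NET_EXT = "com.microsoft.wdav.netext"
FILTER_TYPE = "com.apple.webcontent-filter"
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

# Designated requirement as it appears on the page: bundle ID, Apple anchor,
# Developer ID certificate chain and Microsoft's Team ID. The /* exists */
# comments are part of the requirement language and must be kept.
GOOD_REQ = (
    'identifier "{bid}" and anchor apple generic and '
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = " + TEAM_ID
)
# Constructed for contrast, not from the page: satisfied by any binary signed
# under any Apple-issued developer certificate that declares the bundle ID.
WEAK_REQ = 'identifier "{bid}" and anchor apple generic'


def requirement_pins_team(req, bundle_id):
    """True if the requirement names the bundle and pins the signing Team ID."""
    return (
        f'identifier "{bundle_id}"' in req
        and "anchor apple generic" in req
        and f"certificate leaf[subject.OU] = {TEAM_ID}" in req
    )


def check_profile(data, expect_fda=True):
    """Parse a .mobileconfig (bytes) and return a list of findings.

    An empty list means the profile carries what the agent needs. Pass
    expect_fda=False for the JAMF network-extension profile, where Full Disk
    Access is granted by a separate PPPC payload.
    """
    profile = plistlib.loads(data)
    findings = []
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope is not System")
    payloads = profile.get("PayloadContent", [])
    filters = [p for p in payloads if p.get("PayloadType") == FILTER_TYPE]
    tcc = [p for p in payloads if p.get("PayloadType") == TCC_TYPE]

    if not filters:
        findings.append("no %s payload: network extension is not approved" % FILTER_TYPE)
    for f in filters:
        if f.get("FilterDataProviderBundleIdentifier") != NET_EXT:
            findings.append("content filter is not bound to " + NET_EXT)
        if f.get("FilterSockets") is not True:
            findings.append("FilterSockets is not true: socket traffic will not be inspected")
        if not requirement_pins_team(f.get("FilterDataProviderDesignatedRequirement", ""), NET_EXT):
            findings.append("network extension requirement does not pin Team ID " + TEAM_ID)

    if expect_fda:
        if not tcc:
            findings.append("no %s payload: Full Disk Access is not granted" % TCC_TYPE)
        for t in tcc:
            grants = t.get("Services", {}).get("SystemPolicyAllFiles", [])
            fda = [g for g in grants if g.get("Identifier") == EPS_EXT and g.get("Allowed") == 1]
            if not fda:
                findings.append("SystemPolicyAllFiles does not allow " + EPS_EXT)
            for g in fda:
                if g.get("IdentifierType") != "bundleID":
                    findings.append("Full Disk Access grant IdentifierType is not bundleID")
                if not requirement_pins_team(g.get("CodeRequirement", ""), EPS_EXT):
                    findings.append("Full Disk Access requirement does not pin Team ID " + TEAM_ID)
    return findings


def build_profile(net_req, fda_req):
    """Constructed sample with the same payload layout as the page's sysext.xml."""
    net_ext = {
        "PayloadType": FILTER_TYPE, "PayloadVersion": 1,
        "PayloadUUID": "2BA070D9-2233-4827-AFC1-1F44C8C8E527",
        "FilterType": "Plugin", "PluginBundleID": "com.microsoft.wdav",
        "FilterSockets": True,
        "FilterDataProviderBundleIdentifier": NET_EXT,
        "FilterDataProviderDesignatedRequirement": net_req,
    }
    fda = {
        "PayloadType": TCC_TYPE, "PayloadVersion": 1,
        "PayloadUUID": "56105E89-C7C8-4A95-AEE6-E11B8BEA0366",
        "Services": {"SystemPolicyAllFiles": [{
            "Identifier": EPS_EXT, "IdentifierType": "bundleID",
            "CodeRequirement": fda_req, "StaticCode": 0, "Allowed": 1,
        }]},
    }
    profile = {
        "PayloadType": "Configuration", "PayloadScope": "System",
        "PayloadVersion": 1, "PayloadUUID": "7E53AC50-B88D-4132-99B6-29F7974EAA3C",
        "PayloadContent": [net_ext, fda],
    }
    return plistlib.dumps(profile)  # XML plist bytes, as a .mobileconfig would be


def demo():
    """Check a profile with the page's requirements and one with weakened ones."""
    good = check_profile(build_profile(GOOD_REQ.format(bid=NET_EXT), GOOD_REQ.format(bid=EPS_EXT)))
    weak = check_profile(build_profile(WEAK_REQ.format(bid=NET_EXT), WEAK_REQ.format(bid=EPS_EXT)))
    return good, weak


if __name__ == "__main__":
    paths = [a for a in sys.argv[1:] if a != "--no-fda"]  # python check_profile.py sysext.xml
    if paths:
        with open(paths[0], "rb") as fh:
            problems = check_profile(fh.read(), expect_fda="--no-fda" not in sys.argv)
        print("\n".join(problems) or "OK")
    else:
        good, weak = demo()
        print("pinned requirements:", good or "OK")
        print("weak requirements:", weak)
```

Run it against sysext.xml before uploading to Intune, or against a profile downloaded back from JAMF to confirm nothing was altered in transit. The contrast case is the point of the script: a requirement of just identifier plus anchor apple generic still lints cleanly, but it would extend Full Disk Access or socket filtering to any developer-signed binary that declares the bundle ID, which is exactly what the Team ID clause prevents.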

  • To deploy this custom configuration profile:

In Intune, open Manage > Device configuration. Select Manage > Profiles > Create profile.

Choose a name for the profile. Set Platform to macOS and Profile type to Custom. Select Configure.

Open the configuration profile and upload sysext.xml, the file created in the preceding step.

Select OK.

m8.png

  • In the Assignments tab, assign this profile to All Users & All devices.
  • Review and create this configuration profile.

At this point your environment is ready for macOS devices to be upgraded to Big Sur. Microsoft Defender for Endpoint on macOS will continue functioning normally after a successful OS upgrade. To confirm on an upgraded device, run systemextensionsctl list in the Terminal: both com.microsoft.wdav.epsext and com.microsoft.wdav.netext should be listed as activated and enabled, and the user should not have been shown any permission prompts.

TanTran_7-1608838753932.png

This article was originally published by Microsoft's SQL Server Blog. You can find the original article here.