---
title: New configuration profiles for macOS Big Sur and newer versions of macOS
description: This topic describes the changes that must be made in order to benefit from the system extensions, which are a replacement for kernel extensions on macOS Big Sur and newer versions of macOS.
search.appverid: met150
ms.service: defender-endpoint
author: paulinbar
ms.author: painbar
ms.reviewer: joshbregman
manager: bagol
ms.localizationpriority: medium
audience: ITPro
ms.collection:
- m365-security
- tier3
- mde-macos
ms.topic: install-set-up-deploy
ROBOTS: noindex,nofollow
ms.subservice: macos
ms.date: 05/08/2025
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
---
If you have deployed Microsoft Defender for Endpoint on macOS in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. If you skip these steps, users get approval prompts to run these new components.
To approve the system extensions, create the following payload:

1. In Computers > Configuration Profiles, select Options > System Extensions.
1. Select Allowed System Extensions from the System Extension Types drop-down list.
1. Use UBF8T346G9 for Team Id.
1. Add the following bundle identifiers to the Allowed System Extensions list:

   - com.microsoft.wdav.epsext
   - com.microsoft.wdav.netext

   :::image type="content" source="media/mac-approved-system-extensions.png" alt-text="The Approved system extensions page" lightbox="media/mac-approved-system-extensions.png":::
Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender for Endpoint Endpoint Security Extension. This policy is a prerequisite for running the extension on your device.

1. Select Options > Privacy Preferences Policy Control.
1. Use com.microsoft.wdav.epsext as the Identifier and Bundle ID as the Bundle type.
1. Set Code Requirement to:

   ```
   identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
   ```

1. Set App or service to SystemPolicyAllFiles and access to Allow.

:::image type="content" source="media/mac-system-extension-privacy.png" alt-text="The Privacy Preferences Policy Control menu item" lightbox="media/mac-system-extension-privacy.png":::
As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender portal. The following policy allows the network extension to perform this functionality.

Note

JAMF doesn't have built-in support for content filtering policies, which are a prerequisite for enabling the network extensions that Microsoft Defender for Endpoint on macOS installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involves signing the configuration profile.
1. Save the following content to your device as com.microsoft.network-extension.mobileconfig using a text editor:

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1">
   <dict>
       <key>PayloadUUID</key>
       <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
       <key>PayloadType</key>
       <string>Configuration</string>
       <key>PayloadOrganization</key>
       <string>Microsoft Corporation</string>
       <key>PayloadIdentifier</key>
       <string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
       <key>PayloadDisplayName</key>
       <string>Microsoft Defender Network Extension</string>
       <key>PayloadDescription</key>
       <string/>
       <key>PayloadVersion</key>
       <integer>1</integer>
       <key>PayloadEnabled</key>
       <true/>
       <key>PayloadRemovalDisallowed</key>
       <true/>
       <key>PayloadScope</key>
       <string>System</string>
       <key>PayloadContent</key>
       <array>
           <dict>
               <key>PayloadUUID</key>
               <string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
               <key>PayloadType</key>
               <string>com.apple.webcontent-filter</string>
               <key>PayloadOrganization</key>
               <string>Microsoft Corporation</string>
               <key>PayloadIdentifier</key>
               <string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
               <key>PayloadDisplayName</key>
               <string>Approved Network Extension</string>
               <key>PayloadDescription</key>
               <string/>
               <key>PayloadVersion</key>
               <integer>1</integer>
               <key>PayloadEnabled</key>
               <true/>
               <key>FilterType</key>
               <string>Plugin</string>
               <key>UserDefinedName</key>
               <string>Microsoft Defender Network Extension</string>
               <key>PluginBundleID</key>
               <string>com.microsoft.wdav</string>
               <key>FilterSockets</key>
               <true/>
               <key>FilterDataProviderBundleIdentifier</key>
               <string>com.microsoft.wdav.netext</string>
               <key>FilterDataProviderDesignatedRequirement</key>
               <string>identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
           </dict>
       </array>
   </dict>
   </plist>
   ```

1. Verify that the above file was copied correctly by running the plutil utility in the Terminal:

   ```bash
   $ plutil -lint <PathToFile>/com.microsoft.network-extension.mobileconfig
   ```

   For example, if the file was stored in Documents:

   ```bash
   $ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig
   ```

   Verify that the command outputs OK:

   ```
   <PathToFile>/com.microsoft.network-extension.mobileconfig: OK
   ```

1. Follow the instructions on this page to create a signing certificate using JAMF's built-in certificate authority.
1. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file:

   ```bash
   $ security cms -S -N "<CertificateName>" -i <PathToFile>/com.microsoft.network-extension.mobileconfig -o <PathToSignedFile>/com.microsoft.network-extension.signed.mobileconfig
   ```

   For example, if the certificate name is SigningCertificate and the signed file is going to be stored in Documents:

   ```bash
   $ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig
   ```

1. From the JAMF portal, navigate to Configuration Profiles and click the Upload button. Select com.microsoft.network-extension.signed.mobileconfig when prompted for the file.
To approve the system extensions:

1. In Intune, open Manage > Device configuration. Select Manage > Profiles > Create Profile.
1. Choose a name for the profile. Change Platform=macOS to Profile type=Extensions. Select Create.
1. In the Basics tab, give a name to this new profile.
1. In the Configuration settings tab, add the following entries in the Allowed system extensions section:

   | Bundle identifier | Team identifier |
   |---|---|
   | com.microsoft.wdav.epsext | UBF8T346G9 |
   | com.microsoft.wdav.netext | UBF8T346G9 |

   :::image type="content" source="media/mac-system-extension-intune2.png" alt-text="The System configuration profiles page" lightbox="media/mac-system-extension-intune2.png":::

1. In the Assignments tab, assign this profile to All Users & All devices.
1. Review and create this configuration profile.
The following configuration profile enables the network extension and grants Full Disk Access to the Endpoint Security system extension.
Save the following content to a file named sysext.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender System Extensions</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
<key>PayloadDisplayName</key>
<string>Approved Network Extension</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>UserDefinedName</key>
<string>Microsoft Defender Network Extension</string>
<key>PluginBundleID</key>
<string>com.microsoft.wdav</string>
<key>FilterSockets</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.microsoft.wdav.netext</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
</dict>
<dict>
<key>PayloadUUID</key>
<string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
<key>PayloadDisplayName</key>
<string>Privacy Preferences Policy Control</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Identifier</key>
<string>com.microsoft.wdav.epsext</string>
<key>CodeRequirement</key>
<string>identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
<key>Allowed</key>
<integer>1</integer>
</dict>
</array>
</dict>
</dict>
</array>
</dict>
</plist>
```

Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs OK:

```bash
$ plutil -lint sysext.xml
sysext.xml: OK
```

To deploy this custom configuration profile:
1. In Intune, open Manage > Device configuration. Select Manage > Profiles > Create profile.
1. Choose a name for the profile. Change Platform=macOS and Profile type=Custom. Select Configure.
1. Open the configuration profile and upload sysext.xml. This file was created in the preceding step.
1. Select OK.

   :::image type="content" source="media/mac-system-extension-intune.png" alt-text="The System extension in Intune page" lightbox="media/mac-system-extension-intune.png":::

1. In the Assignments tab, assign this profile to All Users & All devices.
1. Review and create this configuration profile.
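The plutil -lint checks in the JAMF and Intune procedures above only confirm that a file parses as a property list; they say nothing about whether the payloads still carry the values this topic specifies, which matters given the note that JAMF can change the content of deployed policies. The following Python script is an added example and not part of the Microsoft documentation: it uses the standard-library plistlib to read either com.microsoft.network-extension.mobileconfig (content-filter payload only) or sysext.xml (content filter plus Privacy Preferences payload) and compares each payload it finds against the bundle identifiers, team identifier and designated requirements given on this page. The function names (check_profile, build_sample_profile) and the sample profile it constructs from the sysext.xml content are the example's own.

```python
"""Semantic check of a Defender for Endpoint macOS configuration profile.

Added example, not from the Microsoft documentation: compares a profile's
payloads against the identifiers, team ID and designated requirements the
documentation specifies. Run it on the unsigned file (plistlib cannot read a
CMS-signed .mobileconfig directly).
"""
import plistlib
import sys
from typing import List

# Values taken from the documentation.
TEAM_ID = "UBF8T346G9"
NETEXT_BUNDLE = "com.microsoft.wdav.netext"
EPSEXT_BUNDLE = "com.microsoft.wdav.epsext"


def expected_requirement(bundle_id: str) -> str:
    """Designated requirement used for both extensions: Apple's Developer ID
    chain and a leaf certificate whose OU is Microsoft's team identifier."""
    return (
        f'identifier "{bundle_id}" and anchor apple generic and '
        "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
        "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
        f"certificate leaf[subject.OU] = {TEAM_ID}"
    )


def _diff(label: str, payload: dict, expected: dict) -> List[str]:
    """One finding per key whose value differs from the expected value."""
    return [f"{label}: {k} is {payload.get(k)!r}, expected {v!r}"
            for k, v in expected.items() if payload.get(k) != v]


def _check_filter(p: dict) -> List[str]:
    """Content-filter payload: socket traffic must go to the signed Defender netext."""
    return _diff("webcontent-filter", p, {
        "FilterType": "Plugin", "FilterSockets": True,
        "PluginBundleID": "com.microsoft.wdav",
        "FilterDataProviderBundleIdentifier": NETEXT_BUNDLE,
        "FilterDataProviderDesignatedRequirement": expected_requirement(NETEXT_BUNDLE),
    })


def _check_tcc(p: dict) -> List[str]:
    """PPPC payload: only the Endpoint Security extension gets Full Disk Access."""
    entries = p.get("Services", {}).get("SystemPolicyAllFiles", [])
    ours = [e for e in entries if e.get("Identifier") == EPSEXT_BUNDLE]
    if not ours:
        return [f"TCC: no SystemPolicyAllFiles entry for {EPSEXT_BUNDLE}"]
    findings = _diff("TCC", ours[0], {
        "IdentifierType": "bundleID", "StaticCode": 0, "Allowed": 1,
        "CodeRequirement": expected_requirement(EPSEXT_BUNDLE),
    })
    # Any other identifier granted Full Disk Access is outside what this profile is for.
    findings += [f"TCC: unexpected Full Disk Access grant to {e.get('Identifier')!r}"
                 for e in entries if e.get("Identifier") != EPSEXT_BUNDLE]
    return findings


def check_profile(data: bytes) -> List[str]:
    """Return findings for a plist profile; an empty list means it matches the docs."""
    root = plistlib.loads(data)
    findings = _diff("profile", root, {"PayloadType": "Configuration", "PayloadScope": "System"})
    checks = {"com.apple.webcontent-filter": _check_filter,
              "com.apple.TCC.configuration-profile-policy": _check_tcc}
    for payload in root.get("PayloadContent", []):
        check = checks.get(payload.get("PayloadType"))
        if check:
            findings += check(payload)
    return findings


def build_sample_profile(team_id: str = TEAM_ID) -> bytes:
    """Constructed sample mirroring sysext.xml from the documentation; `team_id`
    lets a test inject a wrong team identifier into the Full Disk Access grant."""
    net_filter = {
        "PayloadUUID": "2BA070D9-2233-4827-AFC1-1F44C8C8E527",
        "PayloadType": "com.apple.webcontent-filter",
        "PayloadVersion": 1, "PayloadEnabled": True,
        "FilterType": "Plugin", "FilterSockets": True,
        "PluginBundleID": "com.microsoft.wdav",
        "FilterDataProviderBundleIdentifier": NETEXT_BUNDLE,
        "FilterDataProviderDesignatedRequirement": expected_requirement(NETEXT_BUNDLE),
    }
    tcc = {
        "PayloadUUID": "56105E89-C7C8-4A95-AEE6-E11B8BEA0366",
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadVersion": 1, "PayloadEnabled": True,
        "Services": {"SystemPolicyAllFiles": [{
            "Identifier": EPSEXT_BUNDLE, "IdentifierType": "bundleID",
            "CodeRequirement": expected_requirement(EPSEXT_BUNDLE).replace(TEAM_ID, team_id),
            "StaticCode": 0, "Allowed": 1,
        }]},
    }
    return plistlib.dumps({
        "PayloadUUID": "7E53AC50-B88D-4132-99B6-29F7974EAA3C",
        "PayloadType": "Configuration", "PayloadScope": "System",
        "PayloadVersion": 1, "PayloadEnabled": True, "PayloadRemovalDisallowed": True,
        "PayloadContent": [net_filter, tcc],
    })


if __name__ == "__main__":
    # Usage: python check_profile.py sysext.xml   (no argument: check the built-in sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_profile()
    for line in check_profile(blob) or ["OK: payloads match the documented values"]:
        print(line)
```

Run it against the unsigned file after plutil -lint passes; for the signed JAMF profile, decode it first with security cms -D and check the decoded output, which also confirms that signing did not alter the payload content.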