COMMITTEE ACTION: REPORTED BY A RECORD VOTE OF 8-3 on Friday, July 17, 2020. FLOOR ACTION ON H. 1053: Agreed to by record vote of 224-166, after agreeing to the previous question by record vote of 220-162, on Monday, July 20, 2020. MANAGERS: Perlmutter/Woodall 1. Structured rule for H.R. Provides one hour of debate equally divided and controlled by the chair and ranking minority. Mack Defense provides Mack, Volvo and Volvo Construction Equipment products through GSA Auto-choice, 23V and DLA HEPP programs. Contact us for more information. National Healthcare Fraud Defense Team for MAC Audits. Led by experienced healthcare fraud attorneys and former prosecutors with the U.S. Department of Justice (DOJ) and U.S. Attorney’s Office, Oberheiden, P.C. Is a team of experienced defense lawyers who represent healthcare providers in MAC audits. Our firm has represented physicians, pharmacists, dentists, DME companies, hospitals.
-->
Important
Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
Caution
Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in Passive mode.
What’s new in the latest release
Tip
If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to Help > Send feedback.
To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender ATP to be an 'Insider' device. See Enable Microsoft Defender ATP Insider Device.
How to install Microsoft Defender ATP for Mac
Prerequisites
A Microsoft Defender ATP subscription and access to the Microsoft Defender Security Center portal
Beginner-level experience in macOS and BASH scripting
Administrative privileges on the device (in case of manual deployment)
Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
Third-party management tools:
Command-line tool:
System requirements
The three most recent major releases of macOS are supported.
Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020.
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
Licensing requirements
Microsoft Defender Advanced Threat Protection for Mac requires one of the following Microsoft Volume Licensing offers:
Microsoft 365 E5 (M365 E5)
Microsoft 365 E5 Security
Microsoft 365 A5 (M365 A5)
Toy Defense For Mac
Note
Eligible licensed users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
Network connections
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.
Item
Description
Spreadsheet
The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
Tower Defense For Mac
Proxy autoconfig (PAC)
Web Proxy Autodiscovery Protocol (WPAD)
Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
Warning
Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.
SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
To test that a connection is not blocked, open https://x.cp.wd.microsoft.com/api/report and https://cdn.x.cp.wd.microsoft.com/ping in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
Cb Defense For Mac
The output from this command should be similar to the following:
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
Caution
We recommend that you keep System Integrity Protection (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
How to update Microsoft Defender ATP for Mac
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see Deploy updates for Microsoft Defender ATP for Mac
How to configure Microsoft Defender ATP for Mac
Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender ATP for Mac.
macOS kernel and system extensions
In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. Visit What's new in Microsoft Defender Advanced Threat Protection for Mac for relevant details.
Resources
For more information about logging, uninstalling, or other topics, see the Resources page.
Whenever you upgrade your operating system (OS), you will need to CAC-enable (i.e. Public Key Enable) the system all over again. You should refer to the instructions and downloads available from the web pages under Getting Started for End Users (Mac) on DISA's Information Assurance Support Environment (IASE) website. You will need middleware to use your CAC on OS X. The instructions on IASE will direct you to Smartcard Services (middleware) downloads from Mac OS forge. Smartcard Services will work for most CACs and readers, however, if you do not see your CAC keychain in the Keychain Access.app after installing the Smartcard Services package and inserting your CAC in the card reader, then I recommend using another free middleware called Centrify Express.
Aside from installing middleware, you need to download and import the DoD Root and Intermediate Certificates in your Keychain Access. Most of the DoD certificates are available if you add the 'SystemCACertificates' keychain using the File > Add Keychain option and navigating through the folders to Macintosh HD > System > Library > Keychains. You need to download and import a few certificates into the 'login' keychain, such as DOD ROOT CA 2 (3 certificates total), DOD ROOT CA 3, and any intermediate certificates that issued the certificates on your CAC, which are greater than DOD CA-30 (such as DOD CA-31, DOD EMAIL CA-31, DOD CA-32, DOD EMAIL CA-32, DOD ID CA-33, DOD EMAIL CA-33, DOD ID CA-34, DOD EMAIL CA-34, etc.). Go to the Cross-Certificate Chaining Issue page to download two zip files (i.e.Certificates_PKCS7_v4.1u4_DoD.zip and unclass-irca1_dodroot_ca2.zip, then use the File > Import Certificate option to add the certificates to the 'login' keychain. All DoD Intermediate Certificates are available for download (one-by-one) from the DoD PKI Management website at https://crl.gds.disa.mil/ (download the Certificate Authority Certificate, not the Certificate Revocation List, i.e. CRL) for each certificate.