You can download the latest version of Self Service for manual installation using a policy on computers with 10.12 or later. Log in to Jamf Pro. In the top-right corner of the page, click Settings.

In order for this script to work, you will have to have a copy of the macOS installer that is available from the Mac App Store located in /Applications. One of the easiest ways to achieve this is to package the installer (in PKG format) with Composer as seen below and deploy the package via Jamf Pro. Download the “Install macOS Mojave” app from the Mac App Store. Leverage Jamf Pro tools to package and deploy the new operating system in Jamf Self Service, where users can start the upgrade on their own. Caching the install file on users’ Macs will reduce your network load.

Step 1 - Launch the Self Service app. You can find the Self Service app in your Applications folder, or just search for it using Spotlight. (Screenshots: Self Service in the Applications folder; Self Service in Spotlight.)

Step 2 - Locate the desired software package within Self Service. You can either browse to the program or search for it using the built-in search bar. Once you have located it, click the Install button within its entry and wait for Self Service to indicate that the install has finished.
Important
Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.
Applies to:
This page will guide you through the steps you need to take to set up macOS policies in Jamf Pro.
You'll need to take the following steps:
Step 1: Get the Microsoft Defender ATP onboarding package
- In Microsoft Defender Security Center, navigate to Settings > Onboarding.
- Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method.
- Select Download onboarding package (WindowsDefenderATPOnboardingPackage.zip).
- Extract WindowsDefenderATPOnboardingPackage.zip.
- Copy the file to your preferred location. For example, C:\Users\JaneDoe_or_JohnDoe.contoso\Downloads\WindowsDefenderATPOnboardingPackage_macOS_MDM_contoso\jamf\WindowsDefenderATPOnboarding.plist.
Step 2: Create a configuration profile in Jamf Pro using the onboarding package
- Locate the file WindowsDefenderATPOnboarding.plist from the previous section.
- In the Jamf Pro dashboard, select New.
- Enter the following details under General:
- Name: MDATP onboarding for macOS
- Description: MDATP EDR onboarding for macOS
- Category: None
- Distribution Method: Install Automatically
- Level: Computer Level
- In Application & Custom Settings select Configure.
- Select Upload File (PLIST file) then in Preference Domain enter:
com.microsoft.wdav.atp
. - Select Open and select the onboarding file.
- Select Upload.
- Select the Scope tab.
- Select the target computers.
- Select Save.
- Select Done.
Step 3: Configure Microsoft Defender ATP settings
- Use the following Microsoft Defender ATP configuration settings:
- enableRealTimeProtection
- passiveMode
Note: Not turned on by default. If you are planning to run a third-party AV for macOS, set it to true.
- exclusions
- excludedPath
- excludedFileExtension
- excludedFileName
- exclusionsMergePolicy
- allowedThreats
Note: EICAR is in the sample. If you are going through a proof-of-concept, remove it, especially if you are testing EICAR.
- disallowedThreatActions
- potentially_unwanted_application
- archive_bomb
- cloudService
- automaticSampleSubmission
- tags
- hideStatusMenuIcon
For information, see Property list for Jamf configuration profile.
- Save the file as MDATP_MDAV_configuration_settings.plist.
- In the Jamf Pro dashboard, select General.
- Enter the following details under General:
- Name: MDATP MDAV configuration settings
- Description: <blank>
- Category: None (default)
- Distribution Method: Install Automatically (default)
- Level: Computer Level (default)
- In Application & Custom Settings select Configure.
- Select Upload File (PLIST file).
- In Preferences Domain, enter com.microsoft.wdav, then select Upload PLIST File.
- Select Choose File.
- Select the MDATP_MDAV_configuration_settings.plist, then select Open.
- Select Upload.
Note: If you happen to upload the Intune file, you'll get the following error:
- Select Save.
- The file is uploaded.
- Select the Scope tab.
- Select Contoso's Machine Group.
- Select Add, then select Save.
- Select Done. You'll see the new Configuration profile.
Step 4: Configure notifications settings
These steps are applicable to macOS 10.15 (Catalina) or newer.
- Download notif.mobileconfig from our GitHub repository.
- Save it as MDATP_MDAV_notification_settings.plist.
- In the Jamf Pro dashboard, select General.
- Enter the following details under General:
- Name: MDATP MDAV Notification settings
- Description: macOS 10.15 (Catalina) or newer
- Category: None (default)
- Distribution Method: Install Automatically (default)
- Level: Computer Level (default)
- Select Upload File (PLIST file).
- Select Choose File > MDATP_MDAV_Notification_Settings.plist.
- Select Open > Upload.
- Select the Scope tab, then select Add.
- Select Contoso's Machine Group.
- Select Add, then select Save.
- Select Done. You'll see the new Configuration profile.
Step 5: Configure Microsoft AutoUpdate (MAU)
- Use the following Microsoft Defender ATP configuration settings:
- Save it as MDATP_MDAV_MAU_settings.plist.
- In the Jamf Pro dashboard, select General.
- Enter the following details under General:
- Name: MDATP MDAV MAU settings
- Description: Microsoft AutoUpdate settings for MDATP for macOS
- Category: None (default)
- Distribution Method: Install Automatically (default)
- Level: Computer Level (default)
- In Application & Custom Settings select Configure.
- Select Upload File (PLIST file).
- In Preference Domain enter com.microsoft.autoupdate2, then select Upload PLIST File.
- Select Choose File.
- Select MDATP_MDAV_MAU_settings.plist.
- Select Upload.
- Select Save.
- Select the Scope tab.
- Select Add.
- Select Done.
Step 6: Grant full disk access to Microsoft Defender ATP
- In the Jamf Pro dashboard, select Configuration Profiles.
- Select + New.
- Enter the following details under General:
- Name: MDATP MDAV - grant Full Disk Access to EDR and AV
- Description: On macOS Catalina or newer, the new Privacy Preferences Policy Control
- Category: None
- Distribution method: Install Automatically
- Level: Computer level
- In Configure Privacy Preferences Policy Control select Configure.
- In Privacy Preferences Policy Control, enter the following details:
- Identifier: com.microsoft.wdav
- Identifier Type: Bundle ID
- Code Requirement: identifier 'com.microsoft.wdav' and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
- Select + Add.
- Under App or service: Set to SystemPolicyAllFiles
- Under 'access': Set to Allow
- Select Save (not the one at the bottom right).
- Click the + sign next to App Access to add a new entry.
- Enter the following details:
- Identifier: com.microsoft.wdav.epsext
- Identifier Type: Bundle ID
- Code Requirement: identifier 'com.microsoft.wdav.epsext' and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
- Select + Add.
- Under App or service: Set to SystemPolicyAllFiles
- Under 'access': Set to Allow
- Select Save (not the one at the bottom right).
- Select the Scope tab.
- Select + Add.
- Select Computer Groups > under Group Name > select Contoso's MachineGroup.
- Select Add.
- Select Save.
- Select Done.
Step 7: Approve Kernel extension for Microsoft Defender ATP
- In the Configuration Profiles, select + New.
- Enter the following details under General:
- Name: MDATP MDAV Kernel Extension
- Description: MDATP kernel extension (kext)
- Category: None
- Distribution Method: Install Automatically
- Level: Computer Level
- In Configure Approved Kernel Extensions select Configure.
- In Approved Kernel Extensions, enter the following details:
- Display Name: Microsoft Corp.
- Team ID: UBF8T346G9
- Select the Scope tab.
- Select + Add.
- Select Computer Groups > under Group Name > select Contoso's Machine Group.
- Select + Add.
- Select Save.
- Select Done.
Step 8: Approve System extensions for Microsoft Defender ATP
- In the Configuration Profiles, select + New.
- Enter the following details under General:
- Name: MDATP MDAV System Extensions
- Description: MDATP system extensions
- Category: None
- Distribution Method: Install Automatically
- Level: Computer Level
- In System Extensions select Configure.
- In System Extensions enter the following details:
- Display Name: Microsoft Corp. System Extensions
- System Extension Types: Allowed System Extensions
- Team Identifier: UBF8T346G9
- Allowed System Extensions:
- com.microsoft.wdav.epsext
- com.microsoft.wdav.netext
- Select the Scope tab.
- Select + Add.
- Select Computer Groups > under Group Name > select Contoso's Machine Group.
- Select + Add.
- Select Save.
- Select Done.
Step 9: Configure Network Extension
As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
Note
JAMF doesn’t have built-in support for content filtering policies, which are a prerequisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involves signing the configuration profile.
- Download netfilter.mobileconfig from our GitHub repository to your device and save it as com.microsoft.network-extension.mobileconfig.
- Follow the instructions on this page to create a signing certificate using JAMF’s built-in certificate authority.
- After the certificate is created and installed to your device, run the following command from the Terminal on a macOS device:
- From the JAMF portal, navigate to Configuration Profiles and click the Upload button.
- Select Choose File and select microsoft.network-extension.signed.mobileconfig.
- Select Upload.
- After uploading the file, you are redirected to a new page to finalize the creation of this profile.
- Select the Scope tab.
- Select + Add.
- Select Computer Groups > under Group Name > select Contoso's Machine Group.
- Select + Add.
- Select Save.
- Select Done.
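The signing step in this section tells you to run a Terminal command once the certificate from JAMF's built-in CA is installed, but the command itself is not reproduced on this page. The script below is an added example, not Microsoft's or Jamf's own code: it performs the same operation with openssl on any system, signing a constructed stand-in profile with a throwaway self-signed certificate, then checks that the signed file validates and still carries the original payload byte for byte, which is the property this workaround depends on when Jamf rewrites profile content. It assumes openssl on PATH and reuses the file names from the steps above.

```shell
#!/bin/sh
# Added example, not the page's own command: sign a .mobileconfig with
# openssl and verify that the signed profile still carries the original
# payload unchanged. Assumptions: openssl is on PATH; the signing identity
# is a constructed throwaway cert standing in for the Jamf CA-issued one.
set -e

WORK=$(mktemp -d)
ORIG="$WORK/com.microsoft.network-extension.mobileconfig"
SIGNED="$WORK/microsoft.network-extension.signed.mobileconfig"

# Constructed stand-in for netfilter.mobileconfig (not the real payload).
make_profile() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>com.microsoft.network-extension</string>
  <key>PayloadType</key><string>Configuration</string>
</dict></plist>
EOF
}

# Throwaway self-signed signing certificate (demo only, assumed name).
make_test_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Jamf profile signer" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# sign_profile IN OUT: CMS signature with the payload attached (-nodetach),
# DER-encoded, the form macOS and Jamf accept for a signed profile.
sign_profile() {
  openssl smime -sign -binary -nodetach -outform der \
    -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" -in "$1" -out "$2"
}

# verify_profile SIGNED ORIGINAL: succeeds only if the signature validates
# against the signer cert AND the recovered payload matches ORIGINAL exactly.
verify_profile() {
  openssl smime -verify -binary -inform der -in "$1" \
    -CAfile "$WORK/cert.pem" -out "$WORK/recovered.plist" 2>/dev/null || return 1
  [ "$(openssl dgst -sha256 < "$WORK/recovered.plist")" = \
    "$(openssl dgst -sha256 < "$2")" ]
}

make_profile "$ORIG"
make_test_identity
sign_profile "$ORIG" "$SIGNED"
verify_profile "$SIGNED" "$ORIG" && echo "signed profile verified: $SIGNED"
```

On a Mac you would swap the throwaway identity for the certificate issued by the Jamf CA; the verification function then doubles as a check that a profile pulled back from Jamf still matches the one you signed.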
Step 10: Schedule scans with Microsoft Defender ATP for Mac
Follow the instructions on Schedule scans with Microsoft Defender ATP for Mac.
Step 11: Deploy Microsoft Defender ATP for macOS
- Navigate to where you saved wdav.pkg.
- Rename it to wdav_MDM_Contoso_200329.pkg.
- Open the Jamf Pro dashboard.
- Navigate to Advanced Computer Searches.
- Select Computer Management.
- In Packages, select + New.
- In New Package, enter the following details on the General tab:
- Display Name: Leave it blank for now, because it will be reset when you choose your pkg.
- Category: None (default)
- Filename: Choose File. Open the file and point it to wdav.pkg or wdav_MDM_Contoso_200329.pkg.
- Select Open. Set the Display Name to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus.
- Options tab: Keep default values.
- Limitations tab: Keep default values.
- Select Save. The package is uploaded to Jamf Pro. It can take a few minutes for the package to be available for deployment.
- Navigate to the Policies page.
- Select + New to create a new policy.
- In General Enter the following details:
- Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
- Select Recurring Check-in.
- Select Save.
- Select Packages > Configure.
- Select the Add button next to Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus.
- Select Save.
- Select the Scope tab.
- Select the target computers (Scope tab), then select Add.
- Self-Service tab.
- Select Done.
The Jamf Self Service for iOS settings allow you to do the following:
- Install or uninstall Self Service on managed mobile devices.
- Require or allow users to log in to Self Service with an LDAP directory account or Jamf Pro user account. To require or allow users to log in using an LDAP account or Jamf Pro user account, you must have an LDAP server set up in Jamf Pro or you must create a Jamf Pro user account for that user. For more information, see Integrating with LDAP Directory Services or Jamf Pro User Accounts and Groups.
- Display in-house app updates in Self Service.
The Self Service app can be automatically installed on all managed mobile devices with iOS 7 or later except Apple TV devices and personally owned devices.
Starting with Self Service 10.10.1, you can manually install the Self Service app on personally owned devices with iOS 13 or later, or iPadOS 13 or later that were enrolled using User Enrollment.
Note: If you do not want users to be prompted to enter an Apple ID when Self Service is being installed on their device, you must distribute Self Service using device-based volume assignment. For more information, see Understanding App Distribution Methods.
Self Service can run on mobile devices with iOS 7 or later that are managed by Jamf Pro 9.4 or later. The latest version of the Self Service app available in the App Store requires devices with iOS 11 or later, or iPadOS 13 or later.
If Self Service is configured to install automatically, devices in your environment will install the version of the Self Service app that is compatible with the device's iOS version:
| iOS Version | iPadOS Version | Self Service Version Installed |
| iOS 11 or later | iPadOS 13 or later | Latest version |
| iOS 10 | | Self Service 10.9.1 |
| iOS 8 or 9 | | Self Service 10.4.0 |
| iOS 7 | | Self Service 9.98.1 |
Note: For manual installations, devices with iOS 11 or later must use Self Service 9.101.0 or later. Earlier versions of Self Service will not work on devices with iOS 11 or later.
- Log in to Jamf Pro.
- In the top-right corner of the page, click Settings.
- Click Self Service.
- Click iOS.
- Click Edit.
- Select 'Automatically install Self Service app' from the Installation Method pop-up menu.
- (Optional) Click the App Options tab and configure the User Login setting.
- Click Save.
Users are prompted to install the app from the App Store the next time the device checks in with Jamf Pro. Users are also prompted to install the app from the App Store on mobile devices as they are newly enrolled.
- Log in to Jamf Pro.
- In the top-right corner of the page, click Settings.
- Click Self Service.
- Click iOS.
- Click Edit.
- On the General pane, choose 'Manually install Self Service app' from the Installation Method pop-up menu.
- (Optional) Click the App Options tab and configure the preferences as needed.
- Click Save.
- Click Devices at the top of the page.
- Click Mobile Device Apps.
- Click New.
- Select App Store app and click Next.
- Add Jamf Self Service from the App Store catalog.
- On the General pane, select 'Install Automatically/Prompt Users to Install' from the Distribution Method pop-up menu, and configure any additional settings.
- Click the Scope tab and configure the scope of the app.
- On the App Configuration tab, add the following lines to the Preferences field:
<dict>
<key>INVITATION_STRING</key>
<string>$MOBILEDEVICEAPPINVITE</string>
<key>JSS_ID</key>
<string>$JSSID</string>
<key>SERIAL_NUMBER</key>
<string>$SERIALNUMBER</string>
<key>DEVICE_NAME</key>
<string>$DEVICENAME</string>
<key>MAC_ADDRESS</key>
<string>$MACADDRESS</string>
<key>UDID</key>
<string>$UDID</string>
<key>JSS_URL</key>
<string>$JPS_URL</string>
</dict>
Important: To install Self Service 10.10.1 or later on personally owned devices with iOS 13 or later or iPadOS 13 or later that were enrolled using User Enrollment, include the following in the app configuration:
<key>MANAGEMENT_ID</key>
<string>$MANAGEMENTID</string>
- Click Save.
Self Service is distributed to mobile devices in the scope the next time they check in with Jamf Pro.
If you did not distribute the Self Service app using device-based volume assignment, users may be prompted to enter an Apple ID before Self Service installs on their device.
On devices with iOS 10.x or earlier, users are prompted to download an older version of the Self Service app. The user must tap Download to install the last compatible version of the Self Service app. For more information on the Self Service levels of compatibility, see Requirements.