Browse all topics
Microsoft Defender (Security)

Defender for Endpoint on macOS

Av Emil Björk · Microsoft-ekosystemskonsult, Göteborg

Deploying and managing Microsoft Defender for Endpoint on Mac fleets via Intune.

Microsoft Defender for Endpoint on macOS is full-featured EDR for Mac — real-time antivirus, EDR, attack surface reduction, network protection, web protection, and content filtering — feeding into the same Defender XDR portal as Windows and Linux endpoints. For Microsoft 365 customers with Mac fleets, it's the natural antivirus / EDR choice.

What's included

  • Microsoft Defender Antivirus — real-time scanning, cloud-delivered protection.
  • Endpoint detection and response — behavioural detections, alerts, automated investigation.
  • Web content filtering — block categories of websites, malicious URLs.
  • Network protection — block connections to malicious destinations.
  • Threat and Vulnerability Management (TVM) — Mac-side vulnerability inventory.
  • Device control for removable media.
  • Tamper protection to prevent local disabling.

Deployment

The typical path on Intune-managed Macs:

  1. Add Defender for Endpoint as an app in Intune from the first-class app type.
  2. Push system extensions via configuration profile — Defender requires kernel-level (system extension) access to function.
  3. Approve in macOS Privacy Preferences — Full Disk Access, Background Execution, Network Filter. These are pre-approved via configuration profile so users don't see prompts.
  4. Configure DEP settings — onboarding script linking the Mac to your Defender XDR tenant.
  5. Configuration profile for Defender preferences — real-time protection on, exclusions if any, scheduled scans.

Once onboarded, the device appears in Defender XDR portal → Devices alongside Windows endpoints.

Configuration profile keys

A few important keys you'll set via the Mac configuration profile:

  • realTimeProtectiontrue. Real-time scanning enabled.
  • cloudService.enabledtrue. Cloud-delivered protection.
  • cloudService.automaticSampleSubmissionsafe. Allow safe-sample submission.
  • tamperProtection.enforcementLevelblock. Tamper protection on, can't be locally disabled.
  • networkProtection.enforcementLevelblock. Network protection active.
  • features.behavioralProtectionenabled. Behavioural detections.

Compliance and Conditional Access

The endpoint's Defender risk score feeds Intune compliance which feeds Entra ID Conditional Access — same model as Windows. A non-compliant Mac (risk too high, AV disabled, OS too old) is blocked from Microsoft 365 by the standard CA policy.

What's different from Windows Defender for Endpoint

  • No ASR rules in the same form — Mac has its own equivalent set of behavioural protections.
  • System extensions require explicit user / IT approval the first time they run; configuration profiles pre-approve them.
  • Performance impact is generally smaller than on Windows due to macOS's process model — but always test on a representative Mac before broad rollout.

Common pitfalls

  • Missing configuration profile approvals — Defender silently fails to load if Full Disk Access isn't granted.
  • Conflict with third-party AV — uninstall any pre-existing third-party AV before Defender installation; running two AVs causes performance issues.
  • macOS minor version compatibility — newer macOS releases sometimes ship with API changes that affect Defender; keep both Defender and macOS reasonably current.
  • Apple Silicon (M-series) is fully supported and runs Defender natively.

For organisations migrating from Mac-specific AVs (Sophos, Norton, Symantec) to Defender for Endpoint, the experience is genuinely competitive — feature parity with the Windows side is now strong, and the unified Defender XDR experience is the same regardless of OS.