
Defender for Endpoint on macOS

Deploying and managing Microsoft Defender for Endpoint on Mac fleets via Intune.

Microsoft Defender for Endpoint on macOS is the full endpoint protection stack for Mac: real-time antivirus, endpoint detection and response (EDR), attack surface reduction, network protection and web content filtering, all reporting into the same Defender XDR portal as Windows and Linux endpoints. For Microsoft 365 customers with Mac fleets it is the natural antivirus / EDR choice.

What's included

  • Microsoft Defender Antivirus — real-time scanning, cloud-delivered protection.
  • Endpoint detection and response — behavioural detections, alerts, automated investigation.
  • Web content filtering — block categories of websites, malicious URLs.
  • Network protection — block connections to malicious destinations.
  • Threat and Vulnerability Management (TVM, since renamed Microsoft Defender Vulnerability Management) — Mac-side software and vulnerability inventory.
  • Device control for removable media.
  • Tamper protection to prevent local disabling.

Deployment

The typical path on Intune-managed Macs:

  1. Add Defender for Endpoint as an app in Intune using the first-class Microsoft Defender for Endpoint (macOS) app type.
  2. Push the system extension approvals via configuration profile. Defender loads as system extensions (an Endpoint Security extension for AV/EDR and a network extension for network and web protection); these run in user space and replaced the kernel extension used on older macOS releases, so no kernel-level access is involved.
  3. Pre-approve the privacy and background permissions via configuration profile: Full Disk Access (PPPC payload), the network content filter, background execution (managed login items on macOS 13 and later) and notifications, so users never see the prompts.
  4. Deploy the onboarding package. Download the Intune onboarding profile from the Defender portal (Settings → Endpoints → Onboarding, with macOS and Intune selected) and push it as a configuration profile; it carries the tenant identifiers that link the Mac to your Defender XDR tenant. This is unrelated to Apple's Device Enrollment Program (DEP), which only covers enrolment.
  5. Configuration profile for Defender preferences (the com.microsoft.wdav preference domain): real-time protection on, tamper protection on, exclusions if any, scheduled scans.

Once onboarded, the device appears in Defender XDR portal → Devices alongside Windows endpoints.

Configuration profile keys

A few important keys you'll set via the Mac configuration profile. They live in the managed preferences plist for the com.microsoft.wdav domain, and each key sits inside the parent dictionary shown:

  • antivirusEngine → enforcementLevel = real_time. Real-time scanning enabled (older schemas used antivirusEngine → enableRealTimeProtection = true).
  • cloudService → enabled = true. Cloud-delivered protection.
  • cloudService → automaticSampleSubmissionConsent = safe. Allow safe-sample submission.
  • tamperProtection → enforcementLevel = block. Tamper protection on, can't be locally disabled (audit logs attempts without blocking them).
  • networkProtection → enforcementLevel = block. Network protection active; run it in audit first to surface false positives.
  • antivirusEngine → behaviorMonitoring = enabled. Behavioural detections.
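The following is an added example, not Microsoft's own tooling: it builds the com.microsoft.wdav managed preferences plist with the settings above and audits an existing plist for weak values and overly broad exclusions. The key names follow the public "Set preferences for Microsoft Defender for Endpoint on macOS" schema as the author understands it, and the exclusion entry format ($type, isDirectory, path) is an assumption; check both against the current schema before deploying.

```python
"""Build and audit a com.microsoft.wdav managed-preferences plist for Defender on macOS.

Added example, not Microsoft tooling. Key names follow the public preference
schema as the author reads it (treat them as an assumption).
"""
import plistlib

DOMAIN = "com.microsoft.wdav"  # preference domain Defender reads managed settings from


def hardened_preferences(exclusions=None):
    """The settings recommended above: RTP on, cloud on, tamper and network protection blocking."""
    return {
        "antivirusEngine": {
            "enforcementLevel": "real_time",   # real-time protection
            "behaviorMonitoring": "enabled",   # behavioural detections
            "exclusions": list(exclusions or []),
        },
        "cloudService": {
            "enabled": True,
            "automaticSampleSubmissionConsent": "safe",
        },
        "tamperProtection": {"enforcementLevel": "block"},
        "networkProtection": {"enforcementLevel": "block"},
    }


def weak_preferences():
    """A profile that looks deployed but leaves the Mac exposed (for contrast)."""
    return {
        "antivirusEngine": {"enforcementLevel": "passive", "behaviorMonitoring": "disabled"},
        "cloudService": {"enabled": False, "automaticSampleSubmissionConsent": "none"},
        "tamperProtection": {"enforcementLevel": "audit"},
        "networkProtection": {"enforcementLevel": "disabled"},
    }


# (section, key) -> values we accept. Anything else, or a missing key, is a finding.
EXPECTED = {
    ("antivirusEngine", "enforcementLevel"): {"real_time"},
    ("antivirusEngine", "behaviorMonitoring"): {"enabled"},
    ("cloudService", "enabled"): {True},
    ("cloudService", "automaticSampleSubmissionConsent"): {"safe", "all"},
    ("tamperProtection", "enforcementLevel"): {"block"},
    ("networkProtection", "enforcementLevel"): {"block"},
}

# Directory exclusions this broad effectively disable scanning for user data or apps.
BROAD_EXCLUSION_ROOTS = ("", "/", "/Users", "/Applications")


def audit_preferences(prefs):
    """Return findings for settings missing or weaker than EXPECTED. Empty list = good."""
    findings = []
    for (section, key), allowed in EXPECTED.items():
        value = prefs.get(section, {}).get(key)
        if value is None:
            findings.append(f"{section}.{key} not set (Defender will use its default)")
        elif value not in allowed:
            findings.append(f"{section}.{key}={value!r}, expected one of {sorted(map(str, allowed))}")
    for excl in prefs.get("antivirusEngine", {}).get("exclusions", []):
        path = excl.get("path", "")
        if excl.get("isDirectory") and path.rstrip("/") in BROAD_EXCLUSION_ROOTS:
            findings.append(f"overly broad directory exclusion: {path}")
    return findings


def to_plist(prefs):
    """Serialise as an XML plist, the payload body Intune sends for the com.microsoft.wdav domain."""
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML)


def audit_plist(data):
    """Audit a plist as exported from Intune or read from the Mac (bytes in, findings out)."""
    return audit_preferences(plistlib.loads(data))


if __name__ == "__main__":
    # Hypothetical build-output exclusion, constructed for the example.
    excl = [{"$type": "excludedPath", "isDirectory": True, "path": "/Users/Shared/build"}]
    good = to_plist(hardened_preferences(excl))
    print(good.decode())
    print("hardened:", audit_plist(good))
    print("weak:", audit_plist(to_plist(weak_preferences())))
```

Feed `audit_plist` the plist behind a deployed profile before you trust the Intune "succeeded" status: a profile that applies cleanly with tamperProtection in audit, or with /Users excluded, reports success while leaving the Mac largely unprotected.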

Compliance and Conditional Access

The endpoint's Defender machine risk level feeds Intune compliance, which in turn feeds Entra ID Conditional Access, the same model as Windows. A non-compliant Mac (risk level too high, AV disabled, OS too old) is blocked from Microsoft 365 by the standard Conditional Access policy.

What's different from Windows Defender for Endpoint

  • No ASR rules in the same form — Mac has its own equivalent set of behavioural protections.
  • System extensions require explicit user / IT approval the first time they run; configuration profiles pre-approve them.
  • Performance impact is different rather than predictably smaller: heavy file I/O (builds, package managers, backups) shows up as scanning load on macOS just as it does on Windows. Always test on a representative Mac before broad rollout, and use the real-time protection statistics that mdatp can collect to find the processes worth excluding.

Common pitfalls

  • Missing configuration profile approvals — without Full Disk Access, Defender starts but cannot scan; mdatp health reports full_disk_access_enabled false and healthy false while nothing is visibly broken for the user.
  • Conflict with third-party AV — uninstall any pre-existing third-party AV before Defender installation; running two AVs causes performance issues and double-hooked file access, and mdatp health lists the offender under conflicting_applications.
  • macOS minor version compatibility — newer macOS releases sometimes ship with API changes that affect Defender; keep both Defender and macOS reasonably current, and pilot macOS betas against the Defender release ring you run.
  • Apple Silicon (M-series) is fully supported and runs Defender natively, so it is not a blocker in itself.
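The following is an added example, not Microsoft tooling, for triaging the pitfalls above from the output of `mdatp health`. It parses the default `key : value` text the command prints; the two sample outputs are constructed for the example, and the field names used (licensed, full_disk_access_enabled, conflicting_applications, real_time_protection_enabled, tamper_protection, definitions_status, healthy, health_issues) are the author's reading of that output, so verify them against a real Mac before relying on the checks.

```python
"""Triage `mdatp health` output against common Defender-on-macOS deployment pitfalls.

Added example, not Microsoft tooling. Field names are an assumption taken from
the author's reading of `mdatp health`; the samples below are constructed.
"""
import json
import subprocess

# Constructed sample: a correctly onboarded Mac.
HEALTHY_SAMPLE = """\
healthy                                     : true
health_issues                               : []
licensed                                    : true
real_time_protection_enabled                : true
real_time_protection_subsystem              : "endpoint_security_extension"
full_disk_access_enabled                    : true
conflicting_applications                    : []
tamper_protection                           : "block"
definitions_status                          : "up_to_date"
"""

# Constructed sample: profiles never applied, old AV still installed.
BROKEN_SAMPLE = """\
healthy                                     : false
health_issues                               : ["full disk access has not been granted"]
licensed                                    : false
real_time_protection_enabled                : false
real_time_protection_subsystem              : "unavailable"
full_disk_access_enabled                    : false
conflicting_applications                    : ["Sophos Endpoint"]
tamper_protection                           : "audit"
definitions_status                          : "not_updated"
"""


def parse_health(text):
    """Turn `key : value` lines into a dict with bools, ints, strings and lists."""
    result = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, raw = line.split(":", 1)
        key, raw = key.strip(), raw.strip()
        try:
            result[key] = json.loads(raw)  # true/false, numbers, "strings", [lists]
        except ValueError:
            result[key] = raw              # bare words such as real_time or block
    return result


def triage(health):
    """Map health fields to the deployment pitfalls; an empty list means the Mac is healthy."""
    findings = []
    if not health.get("licensed", False):
        findings.append("not licensed: onboarding profile missing or tenant link failed")
    if not health.get("full_disk_access_enabled", False):
        findings.append("Full Disk Access not granted: PPPC profile not applied")
    if health.get("conflicting_applications"):
        apps = ", ".join(map(str, health["conflicting_applications"]))
        findings.append(f"conflicting AV present, uninstall before relying on Defender: {apps}")
    if not health.get("real_time_protection_enabled", False):
        findings.append("real-time protection is off")
    if health.get("tamper_protection") != "block":
        findings.append(f"tamper protection is {health.get('tamper_protection', 'unset')!r}, expected 'block'")
    if health.get("definitions_status") not in (None, "up_to_date"):
        findings.append(f"definitions {health['definitions_status']}: check cloud connectivity")
    if not health.get("healthy", False) and not findings:
        # Unhealthy for a reason not covered above: surface what mdatp itself reports.
        findings.append("reported unhealthy: " + str(health.get("health_issues", [])))
    return findings


def check_live_mac():
    """Run `mdatp health` on this Mac and return findings (requires Defender installed)."""
    out = subprocess.run(["mdatp", "health"], capture_output=True, text=True, check=True)
    return triage(parse_health(out.stdout))


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_SAMPLE), ("broken", BROKEN_SAMPLE)):
        print(label, triage(parse_health(sample)))
```

Run `check_live_mac()` from a post-install script or an Intune shell script that writes to a log you collect; the empty-list result is what "onboarded" should mean, not merely that the app installed.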

For organisations migrating from Mac-specific AVs (Sophos, Norton, Symantec) to Defender for Endpoint, the experience is genuinely competitive — feature parity with the Windows side is now strong, and the unified Defender XDR experience is the same regardless of OS.