Posted on 05-29-2025 12:19 PM
Hello,
We are in the process of setting up Microsoft Defender for Endpoint on our Mac devices using Jamf PRO. We have been successful in doing so using the documentation provided by Microsoft. However, we are running into a few issues. We are unable to get the 'Valid User' and 'Configuration Status' to populate. See pictures attached.
Posted on 05-29-2025 02:03 PM
These are both Microsoft Defender errors, not Jamf errors. Have you asked on TechNet or opened a case with Microsoft?
Posted on 05-29-2025 10:27 PM
Try running the mdatp health command to check the status on the local Mac, which will let you know whether the required information is correct on the local Mac.
Posted on 05-30-2025 04:27 AM
What's been your experience with Windows Defender on Macs? Asking for a friend.
Posted on 05-30-2025 08:04 AM
I use Installomator to push out Microsoft Defender. Though pushing out the application is pretty simplistic.
I have a config profile for Windows Defender Background Services for 2 Managed Login Items.
I also have a config profile called Windows Defender Onboarding that has an Application & Custom Settings, Content Filter, Notifications, Privacy Preferences Policy Control, and System Extensions payload.
As long as everything is set up ok on the Windows Defender side you shouldn't have any issues.
Posted on 05-30-2025 08:10 AM
Set up sounds similar here. I'm testing it without the Content Filter cause we have other things taking care of that.
The one issue I saw was performance with Intel boxes. The fan ran at a crazy speed, and it did slow things down. Apple Silicon has no issues with this.
Apologies for hijacking the thread. @kylek
Posted on 05-30-2025 08:12 AM
We don't notice that issue currently. But honestly it could be happening and no one has brought it up. Not something we are actively monitoring.
Posted on 06-01-2025 11:40 AM
It’s likely due to incomplete configuration. Make sure the required profiles, especially the WindowsDefenderATPOnboarding.plist, are properly deployed and visible in System Settings > Profiles. Confirm the presence of /Library/Managed Preferences/com.microsoft.wdav.plist files. Run mdatp health in Terminal to check onboarding status. Always deploy configuration profiles before installing the Defender app. Use smart groups in Jamf to target devices with correct configs. Also, ensure system extension approvals are in place. ADE enrollment is preferred over user-initiated to avoid missing permissions.
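The local checks from the reply above, collected into one script. This is an added example, not part of the thread or of Microsoft's documentation. It assumes `mdatp health` prints `key : value` lines with `healthy`, `licensed` and `org_id` fields; the helper names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: local onboarding checks for Defender on macOS.
# health_field and check_onboarding are hypothetical helper names.

PREFS="/Library/Managed Preferences/com.microsoft.wdav.plist"

# Constructed sample of `mdatp health` output (not from a real device).
SAMPLE_HEALTH='healthy                                     : true
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"'

# Print the value of one field from `mdatp health` text ("key : value" lines).
health_field() {
  printf '%s\n' "$1" | awk -v k="$2" '{
    i = index($0, ":"); if (i == 0) next
    key = substr($0, 1, i - 1); val = substr($0, i + 1)
    gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
    gsub(/"/, "", val)
    if (key == k) { print val; exit }
  }'
}

# check_onboarding HEALTH_TEXT [PREFS_PATH]; returns 0 only if every check passes.
check_onboarding() {
  health_text=$1; prefs=${2:-$PREFS}; rc=0
  # The managed preferences file only exists once the profile is installed.
  [ -f "$prefs" ] || { echo "MISSING managed preferences: $prefs"; rc=1; }
  for key in healthy licensed; do
    val=$(health_field "$health_text" "$key")
    [ "$val" = "true" ] || { echo "FAIL $key=${val:-absent}"; rc=1; }
  done
  # Assumption: an onboarded device reports a non-empty org_id.
  org=$(health_field "$health_text" org_id)
  [ -n "$org" ] || { echo "FAIL org_id is empty"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK onboarding checks passed (org_id=$org)"
  return "$rc"
}

# Use live output on a Mac with Defender installed, else the constructed sample.
if command -v mdatp >/dev/null 2>&1; then
  check_onboarding "$(mdatp health)" || echo "one or more checks failed"
else
  check_onboarding "$SAMPLE_HEALTH" || echo "one or more checks failed"
fi
```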
Posted on 06-02-2025 05:13 AM
We are facing the same issue. All profiles (except for Bluetooth because it doesn't work) are properly deployed, mdatp health says it's healthy and the client also shows up in the Defender portal.
Did anyone find a solution to this yet?
Posted on 06-02-2025 05:17 AM
Got another dumb question for you guys ...
Is there nothing unique about the Microsoft Defender package you deploy? Is there a special onboarding configuration that you need to obtain from your tenant to enroll the Macs into your Defender tenant in the package you deploy?
I'm assuming this happens with the configuration profiles alongside the vanilla Defender package (thus you can use Installomator). But want to make sure.
Also, do you have to allocate a license in the Microsoft Defender tenant or create an extra Entra group for the macOS Defender users?
Posted on 06-02-2025 05:30 AM
https://learn.microsoft.com/en-us/defender-endpoint/mac-jamfpro-policies
At the start of this page, there are instructions to download the onboarding package and create a config profile with it.
Defender is licensed per user.
Posted on 06-02-2025 05:38 AM
Got it, thanks sir.