Extensions Configuration Profile – Implementing and Managing Endpoint Protection by Using Microsoft Defender for Endpoint

This profile enables settings for macOS 11 (Big Sur) and later. Earlier versions, such as macOS 10 (High Sierra), will ignore these settings. To create the configuration profile, follow these steps:

  1. After returning to the Devices | Configuration profiles page, click Create profile.
  2. On the Create a profile flyout, under Platform, select macOS. Under Profile type, select Templates.
  3. Under Template name, select Extensions. Click Create.
  4. On the Basics tab, enter a name and description. Click Next.
  5. On the Configuration settings tab, expand System extensions.
  6. In the Allowed system extensions section, enter the following data:

| Bundle Identifier | Team Identifier |
| --- | --- |
| com.microsoft.wdav.epsext | UBF8T346G9 |
| com.microsoft.wdav.netext | UBF8T346G9 |

Table 9.2 – Extension configuration settings

  7. Confirm the settings and click Next. See Figure 9.23:

Figure 9.23 – Extension configuration settings

  8. On the Assignments tab, under Included Groups, choose to add groups containing devices that will be in scope for the policy.
  9. On the Review + create tab, verify the settings and click Create.

Next, you’ll configure settings for disk access.

Full Disk Access Configuration Profile

Full disk access and authorization are necessary for Intune and MDE to protect macOS devices. The configuration profile enables transparency, consent, and control (TCC) to grant full disk access to MDE. To create the configuration profile, follow these steps:

  1. Download the configuration file from https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig and save it to the temporary location where you stored the macOS onboarding package.
  2. On the Devices | Configuration profiles page in the Intune admin center (https://endpoint.microsoft.com), click Create profile.
  3. On the Create a profile flyout, under Platform, select macOS. Under Profile type, select Templates and then choose Custom. Click Next.
  4. On the Basics tab, enter a name and description and click Next.
  5. On the Configuration settings tab, enter a custom configuration profile name to identify this configuration.
  6. Under Deployment channel, select Device channel.
  7. Under Configuration profile name, click the folder icon and browse to the folder containing the downloaded configuration file. Select the fulldisk.mobileconfig file and click Next.
  8. On the Assignments tab, under Included Groups, choose to add groups containing devices that will be in scope for the policy.
  9. On the Review + create tab, verify the settings and click Create.
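Both profiles above are delivered to the Mac as .mobileconfig property lists: the Extensions template becomes a `com.apple.system-extension-policy` payload whose `AllowedSystemExtensions` dictionary is keyed by team identifier (the values in Table 9.2), and the full disk access profile is a `com.apple.TCC.configuration-profile-policy` payload whose `Services` dictionary grants `SystemPolicyAllFiles`. The following Python script is an added example, not part of this book or of Microsoft's mdatp-xplat repository: it parses any such profile and checks that the two MDE extensions are allowed under team UBF8T346G9 and that at least one identifier has been granted full disk access. The embedded sample profile is constructed for the demonstration; its identifiers, UUIDs, and code requirement string are placeholders and are not a copy of Microsoft's fulldisk.mobileconfig.

```python
"""Audit a macOS .mobileconfig for the two payloads these profiles deliver:
a system-extension allow-list and a TCC full-disk-access grant.
Added example; the sample profile below is constructed, not Microsoft's file."""
from __future__ import annotations

import plistlib
from typing import Any

# Expected values from Table 9.2: Microsoft's team ID and the two MDE extensions.
MDE_TEAM_ID = "UBF8T346G9"
MDE_EXTENSIONS = frozenset({"com.microsoft.wdav.epsext", "com.microsoft.wdav.netext"})

# Apple payload types produced by the Extensions template and the TCC profile.
SYSEXT_PAYLOAD = "com.apple.system-extension-policy"
TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"


def build_sample_profile() -> dict[str, Any]:
    """Constructed sample that combines both payload types in one profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.mde.macos",          # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "PayloadVersion": 1,
        "PayloadContent": [
            {
                "PayloadType": SYSEXT_PAYLOAD,
                "PayloadIdentifier": "example.mde.sysext",   # placeholder
                "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                "PayloadVersion": 1,
                # Team identifier -> bundle identifiers, exactly as in Table 9.2.
                "AllowedSystemExtensions": {MDE_TEAM_ID: sorted(MDE_EXTENSIONS)},
            },
            {
                "PayloadType": TCC_PAYLOAD,
                "PayloadIdentifier": "example.mde.tcc",      # placeholder
                "PayloadUUID": "00000000-0000-0000-0000-000000000003",
                "PayloadVersion": 1,
                "Services": {
                    "SystemPolicyAllFiles": [
                        {
                            "Identifier": "com.microsoft.wdav",   # constructed entry
                            "IdentifierType": "bundleID",
                            "CodeRequirement": "PLACEHOLDER-CODE-REQUIREMENT",
                            "Allowed": True,
                        }
                    ]
                },
            },
        ],
    }


def load_profile(data: bytes) -> dict[str, Any]:
    """Parse a .mobileconfig (XML or binary plist) into a dictionary."""
    return plistlib.loads(data)


def payloads(profile: dict[str, Any], payload_type: str) -> list[dict[str, Any]]:
    """Return every inner payload of the requested PayloadType."""
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == payload_type]


def allowed_system_extensions(profile: dict[str, Any]) -> dict[str, set[str]]:
    """Map team identifier -> allowed bundle IDs.
    A team listed under AllowedTeamIdentifiers is allowed for everything; shown as "*"."""
    allowed: dict[str, set[str]] = {}
    for p in payloads(profile, SYSEXT_PAYLOAD):
        for team in p.get("AllowedTeamIdentifiers", []):
            allowed.setdefault(team, set()).add("*")
        for team, bundles in p.get("AllowedSystemExtensions", {}).items():
            allowed.setdefault(team, set()).update(bundles)
    return allowed


def full_disk_access_grants(profile: dict[str, Any]) -> set[str]:
    """Identifiers granted SystemPolicyAllFiles (full disk access).
    Accepts both the boolean "Allowed" key and the newer "Authorization" key."""
    grants: set[str] = set()
    for p in payloads(profile, TCC_PAYLOAD):
        for entry in p.get("Services", {}).get("SystemPolicyAllFiles", []):
            if entry.get("Allowed") is True or entry.get("Authorization") == "Allow":
                grants.add(entry["Identifier"])
    return grants


def audit_mde(profile: dict[str, Any]) -> dict[str, Any]:
    """Report which MDE extensions are not allow-listed and who holds full disk access."""
    team_allowed = allowed_system_extensions(profile).get(MDE_TEAM_ID, set())
    missing = set() if "*" in team_allowed else set(MDE_EXTENSIONS) - team_allowed
    fda = full_disk_access_grants(profile)
    return {
        "missing_extensions": sorted(missing),
        "full_disk_access": sorted(fda),
        "ok": not missing and bool(fda),
    }


if __name__ == "__main__":
    # Round-trip through plistlib so the check runs on real .mobileconfig bytes.
    profile = load_profile(plistlib.dumps(build_sample_profile()))
    print(audit_mde(profile))
```

To audit a downloaded file, replace the sample with `load_profile(open("fulldisk.mobileconfig", "rb").read())`; a signed profile must be unsigned first (for example with `security cms -D -i fulldisk.mobileconfig`) before plistlib can parse it. On an enrolled Mac, `systemextensionsctl list` shows whether the allow-listed extensions have actually activated, which is the end-to-end check that the profile reached the device.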

Next, you’ll create a configuration profile for managing the device’s network traffic from an EDR perspective.