
178: Deploy MDM based policies for EDR/AV

Overview

Deploying MDM-based policies for Endpoint Detection and Response (EDR) and Antivirus (AV) on macOS devices using Microsoft Intune involves several steps. Here's a detailed overview:

Steps to Deploy MDM-Based Policies for EDR/AV on macOS

  1. Prerequisites and System Requirements:

    • Ensure you have the necessary licenses for Microsoft Defender for Endpoint.
    • Verify that macOS devices meet the system requirements for Microsoft Defender for Endpoint.
  2. Create System Configuration Profiles:

    • In the Intune admin center, navigate to Devices > Configuration profiles.
    • Create profiles for system extensions, network extensions, Full Disk Access, and the other configurations Defender for Endpoint requires.
  3. Approve System Extensions:

    • Go to Devices > Configuration profiles and create a new profile.
    • Select macOS as the platform and Extensions as the profile type.
    • Add the required system extensions.
  4. Deploy Microsoft Defender for Endpoint:

    • Download the onboarding package from the Microsoft Defender Security Center.
    • Deploy the package using Intune by creating a new app and assigning it to the relevant device groups.
  5. Configure EDR Policies:

    • In the Intune admin center, go to Endpoint security > Endpoint detection and response.
    • Create and configure EDR policies, including the onboarding package and other settings.
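Once the profiles, app, and EDR policy above have been assigned, the settings they deliver can be verified on a device. The following POSIX shell script is an added example (not part of the original page and not Microsoft's own tooling): it parses the text printed by `mdatp health`, the Defender for Endpoint command-line tool on macOS, and reports which of the expected controls are in force. The field names are assumed from that command's output format; the two sample outputs are constructed so the script runs offline, and on a real device the same function is applied to live output with `check_health "$(mdatp health)"`.

```shell
#!/bin/sh
# Added post-deployment check (example code, not from the page or from Microsoft).
# It reads the output of `mdatp health` and confirms that the controls the Intune
# profiles are meant to deliver are active. Field names are assumed from that CLI;
# the sample outputs below are CONSTRUCTED so the script runs offline.

# Constructed sample: a device where every profile and the onboarding package applied.
SAMPLE_HEALTH_OK='healthy                                     : true
licensed                                    : true
release_ring                                : "Production"
org_id                                      : "<placeholder-org-id>"
cloud_enabled                               : true
passive_mode_enabled                        : false
real_time_protection_enabled                : true
real_time_protection_subsystem              : "endpoint_security_extension"
network_events_subsystem                    : "network_filter_extension"
full_disk_access_enabled                    : true
tamper_protection                           : "block"'

# Constructed sample: same device before the extension and Full Disk Access profiles landed.
SAMPLE_HEALTH_PARTIAL='healthy                                     : false
licensed                                    : true
cloud_enabled                               : true
passive_mode_enabled                        : true
real_time_protection_enabled                : true
real_time_protection_subsystem              : "kernel_extension"
network_events_subsystem                    : "none"
full_disk_access_enabled                    : false
tamper_protection                           : "audit"'

# health_field OUTPUT FIELD -> prints the value of FIELD with surrounding quotes removed.
# Each line has the shape "<name> : <value>", so awk's default splitting gives $1 and $3.
health_field() {
    printf '%s\n' "$1" | awk -v f="$2" '$1 == f { print $3 }' | tr -d '"'
}

# expect OUTPUT FIELD WANTED -> prints a finding and returns 1 when FIELD != WANTED.
expect() {
    actual=$(health_field "$1" "$2")
    if [ "$actual" = "$3" ]; then
        return 0
    fi
    printf 'FAIL %-32s expected=%s actual=%s\n' "$2" "$3" "${actual:-<missing>}"
    return 1
}

# check_health OUTPUT -> returns 0 only if every control the profiles deliver is in force.
check_health() {
    rc=0
    expect "$1" healthy true                      || rc=1
    expect "$1" licensed true                     || rc=1
    expect "$1" cloud_enabled true                || rc=1   # EDR telemetry reaches the tenant
    expect "$1" passive_mode_enabled false        || rc=1   # AV blocks rather than only reporting
    expect "$1" real_time_protection_enabled true || rc=1
    expect "$1" real_time_protection_subsystem endpoint_security_extension || rc=1  # system extension approved
    expect "$1" network_events_subsystem network_filter_extension          || rc=1  # network extension approved
    expect "$1" full_disk_access_enabled true     || rc=1   # Full Disk Access profile applied
    expect "$1" tamper_protection block           || rc=1
    return $rc
}

# On a real device: check_health "$(mdatp health)"
# Offline demonstration against the constructed samples: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    check_health "$SAMPLE_HEALTH_OK" && echo "fully configured device: PASS"
    check_health "$SAMPLE_HEALTH_PARTIAL" || echo "partially configured device: FAIL (see findings above)"
fi
```

The partial sample is the state an administrator typically sees when the app was pushed before the extension and Full Disk Access profiles took effect: real-time protection is on, but it runs from a legacy subsystem, the network extension is absent, and passive mode is still enabled. Each FAIL line names the profile to revisit in the steps above.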

Benefits

  • Enhanced Security: Provides advanced threat detection and response capabilities, improving overall security posture.
  • Centralized Management: Simplifies the management of security policies across all macOS devices from a single console.
  • Compliance: Helps ensure devices comply with organizational security policies and regulatory requirements.

Drawbacks

  • Complexity: Initial setup and configuration can be complex and time-consuming.
  • Resource Intensive: May require significant system resources, potentially impacting device performance.
  • User Experience: Users might experience interruptions during the deployment and configuration process.

Impact on End Users

  • Performance: Users might notice a slight decrease in performance due to the additional security processes running in the background.
  • Notifications: Users will receive notifications related to security events and updates.
  • Access Restrictions: Some applications or actions might be restricted based on the security policies applied.

Tying to Zero Trust

Deploying MDM-based policies for EDR/AV on macOS devices supports the Zero Trust security model in three ways:

  • Continuous Verification: Every access request is continuously verified, regardless of where the request originates.
  • Least Privilege Access: Users and devices are granted the minimum level of access necessary to perform their tasks.
  • Assume Breach: The system is designed with the assumption that a breach has already occurred, ensuring robust detection and response mechanisms.
