Question

Jamf Pro with Microsoft Defender for Endpoint

  • May 29, 2025
  • 12 replies
  • 666 views


Hello,

We are in the process of setting up Microsoft Defender for Endpoint on our Mac devices using Jamf Pro. We have been successful in doing so using the documentation provided by Microsoft. However, we are running into a few issues. We are unable to get the 'Valid User' and 'Configuration Status' to populate. See pictures attached.

 

12 replies

AJPinto
  • Legendary Contributor
  • May 29, 2025

These are both Microsoft Defender errors, not Jamf errors. Have you asked on TechNet or opened a case with Microsoft?

  • The Accessibility and Full Disk Access are TCC controls; make sure you have the correct Configuration Profiles deployed to enable that access for Defender. UPN likely requires Entra Device Registration, but don't hold me to that.
  • Microsoft is pretty slow to add formal support for new builds of macOS. As dumb as it sounds, test on an older version of macOS 15 like 15.2 and see if the behavior is the same.

Shyamsundar
  • Jamf Heroes
  • May 30, 2025

Try running the mdatp health command to check the status on the local Mac, which will let you know whether the required information is correct on the local Mac.


mvu
  • Jamf Heroes
  • May 30, 2025

What's been your experience with Windows Defender on Macs? Asking for a friend.


dletkeman
  • Jamf Heroes
  • May 30, 2025

I use Installomator to push out Microsoft Defender.  Though pushing out the application is pretty simplistic.

I have a config profile for Windows Defender Background Services for 2 Managed Login Items.

I also have a config profile called Windows Defender Onboarding that has an Application & Custom Settings, Content Filter, Notifications, Privacy Preferences Policy Control, and System Extensions payload.

As long as everything is set up ok on the Windows Defender side you shouldn't have any issues.


mvu
  • Jamf Heroes
  • May 30, 2025

Set up sounds similar here. I'm testing it without the Content Filter cause we have other things taking care of that.

The one issue I saw was performance with Intel boxes. The fan ran at a crazy speed, and it did slow things down. Apple Silicon has no issues with this.

 

Apologies for hijacking the thread. @kylek 


dletkeman
  • Jamf Heroes
  • May 30, 2025

We don't notice that issue currently.  But honestly it could be happening and no one has brought it up.  Not something we are actively monitoring.


  • New Contributor
  • June 1, 2025

It’s likely due to incomplete configuration. Make sure the required profiles, especially the WindowsDefenderATPOnboarding.plist, are properly deployed and visible in System Settings > Profiles. Confirm the presence of /Library/Managed Preferences/com.microsoft.wdav.plist files. Run mdatp health in Terminal to check onboarding status. Always deploy configuration profiles before installing the Defender app. Use smart groups in Jamf to target devices with correct configs. Also, ensure system extension approvals are in place. ADE enrollment is preferred over user-initiated to avoid missing permissions.
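
Added example (not part of the post above, and not Microsoft's or Jamf's code): a Jamf extension-attribute style script that turns the checks listed in that post into one reportable value. The field names `healthy`, `licensed`, `org_id` and `full_disk_access_enabled` and the `key : value` layout are assumptions about `mdatp health` output to verify against your installed version; the sample text is constructed.

```shell
#!/bin/sh
# Constructed sample of `mdatp health` output, used when mdatp is not installed.
SAMPLE_HEALTH='healthy                                     : false
health_issues                               : ["full disk access has not been granted"]
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled                : true
full_disk_access_enabled                    : false'

# health_field TEXT NAME: print the value of one "name : value" line, quotes removed.
health_field() {
  printf '%s\n' "$1" | awk -F' *: *' -v k="$2" \
    '$1 == k { sub(/^[^:]*: */, ""); gsub(/"/, ""); print; exit }'
}

# check_defender TEXT PLIST: print a space-separated list of problems (empty = OK).
# The body runs in a subshell so its variables do not leak into the caller.
check_defender() (
  health="$1"; plist="$2"; problems=""
  # Managed preferences file named in the post; absent means the profile did not land.
  [ -f "$plist" ] || problems="${problems}managed_prefs_missing "
  # An empty or missing org_id is treated here as "onboarding profile not applied".
  [ -n "$(health_field "$health" org_id)" ] || problems="${problems}not_onboarded "
  [ "$(health_field "$health" licensed)" = "true" ] || problems="${problems}unlicensed "
  [ "$(health_field "$health" full_disk_access_enabled)" = "true" ] \
    || problems="${problems}no_full_disk_access "
  [ "$(health_field "$health" healthy)" = "true" ] || problems="${problems}unhealthy "
  printf '%s' "${problems% }"
)

PLIST="/Library/Managed Preferences/com.microsoft.wdav.plist"
if command -v mdatp >/dev/null 2>&1; then
  HEALTH="$(mdatp health)"      # real data on a managed Mac
else
  HEALTH="$SAMPLE_HEALTH"       # offline demonstration
fi
# Jamf extension attributes report their value inside <result> tags.
echo "<result>$(check_defender "$HEALTH" "$PLIST")</result>"
```

An empty result means every check passed; a smart group can then be scoped to Macs whose attribute value is not empty.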


leonkaesmann
  • Jamf Heroes
  • June 2, 2025

We are facing the same issue. All profiles (except for Bluetooth because it doesn't work) are properly deployed, mdatp health says it's healthy and the client also shows up in the Defender portal.

Did anyone find a solution to this yet?


mvu
  • Jamf Heroes
  • June 2, 2025

Got another dumb question for you guys ...

Is there nothing unique about the Microsoft Defender package you deploy? Is there a special onboarding configuration that you need to obtain from your tenant to enroll the Macs into your Defender tenant in the package you deploy?

I'm assuming this happens with the configuration profiles alongside the vanilla Defender package (thus you can use Installomator). But want to make sure.

Also, do you have to allocate a license in the Microsoft Defender tenant or create an extra Entra group for the macOS Defender users?


leonkaesmann
  • Jamf Heroes
  • June 2, 2025

https://learn.microsoft.com/en-us/defender-endpoint/mac-jamfpro-policies

At the start of this page, there are instructions to download the onboarding package and create a config profile with it.

Defender is licensed per user.


mvu
  • Jamf Heroes
  • June 2, 2025

Got it, thanks sir.


CoconutHorse
  • New Contributor
  • November 17, 2025

The setup instructions for MDE with Jamf are incomplete and leave out the DLP/Purview bits that the Intune instructions have and lead to these errors. Grab the mobileconfigs from the Purview docs instead: Onboard and offboard macOS devices into Microsoft Purview solutions using JAMF Pro | Microsoft Learn 

This also bundles in four of the mobileconfigs so you don’t have to deploy them separately.