Microsoft Defender for Mac - looking for feedback from those using it

Just went through a deployment of this last week, so I can't speak to long-term product use. I will say that their installation guide is very thorough but fairly easy to follow. The key that I found is to install the configuration profiles first, then the onboarding package, and finally the actual installation.

Well it depends on what you are looking for specifically?

But I much prefer it to McAfee
- doesn't seem to eat up resources in our environment
- native package (autoupdates and available from the macadmins portal no need to messaround with a script that deploys a package

Only negatives are that I have found is building out a lot of config profiles to support the system extensions and the components but past that it's fairly transparent in our environment, we hide the menu bar icon and the user does not see any prompts except the occasional MAU notification that says it was updated.

Compared to the PCs in our environment not many reports of vulnerabilities on the Mac, dont know if its accurate in not capturing those or that our fleets are generally not impacted.

just saw the other post, we deploy the config profiles during enrollment and prior to the package install, no prompts or user interaction and its fairly seamless deployment

We've been running Defender for some time now. and have used the Jamf deployment documentation that's on Microsoft's webpage and have no issues deployment. That is until Big Sur came out. Microsoft's documentation for Big Sur changed a number of things. I have noticed that those changes do not play nice with macOS 10.15 and lower for defender.
To piggyback on the post to ask and to help at the same time. What issues are people running into with Big Sur deployment of MS Defender?

@Just_Jack what issues are you facing? I am deploying the same profiles for Big Sur and redeployed them to existing 10.15 systems without issue. if you're removing the KEXTs then that might be an issue with non-Big Sur systems.

also the macadmins slack has a microsoft-defender channel that is a good resource

Thank you all for the feedback, I have also looked at the MS documentation and started setting up config profiles for the extensions etc, Im facing a kind of crescendo of stuff, a hardware refresh for the group that runs Macs, taking them to Apple silicone, and then also switching to MS defender on Big Sur, so i have a-lot of boxes to check for this to play nice. This refresh will be happening maybe by march of Next year most likely . This feedback is very helpful however.

Deployed Defender earlier this year, a lot has changed since then. Very happy with the level of threat protection and centralized reporting makes SecOps very happy. Be thankful you are doing it now, and not then.

Once you find the right balance of profiles and managed plists for your environ (read "test thoroughly") it is quite the nice solution.

We've been using Defender on Catalina for a little while now without any issues. I'm preparing it now for Big Sur but I'm having issues with the Network Extension policy.

Running the command below with my cert details gives me an error "security: could not find signing identity for name:"

$ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies

@walt I wanted to do more troubleshooting before I reply.
Going with MS docs here. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies
These setting don't work for me in Big Sur. And Defender still shows a "need attention" message. One thing I did notice is that MS doc shows that the KEXT shows com.microsoft.wdav.epsext but JAMF PPPC application uses com.microsoft.wdav
Any thoughts?

I had some clients with issues when using DEP. They couldn´t boot up, crashed all the time - what I noticed is that when I removed ATP the issues where gone. But most clients work, but would gladly get rid of ATP and instead move to Jamf protect

I am trying to clean up a Defender deployment from a previous employee. With the differences in configuration files for 10.15.4 and above and 10.15.3 and below, I assume I would just scope these configs out by OS version. If a user were to update to Big Sur, from 10.15.3 and below, I guess the scoping would delete the previous installed configuration profiles and just push out the new? It would seem this employee scoped out the same configuration profiles for High Sierra thru Catalina. I guess, I need to pull these configurations off anything above 10.15.3 and apply the new batch. So just scoping by OS version should be fine. Am I over thinking this?

Hello. I cannot speak to the cleanup but our onboarding process based on Microsoft documentation has worked fantastic for Catalina > Monterey. The one thing is we have had issues with the packaged auto-updating successfully (noticed this in Monterey). I believe this was due to the ARM architecture. With a little love, a new package is deployed, not touching the onboarding and all is good to go for us. If you have access to the Microsoft 365 Defender portal you can get the new uninstaller and wdav.pkg and then do what you need to. so to answer your question the uninstaller posted on the 365 portal will work for all newer/ish macOS systems. (sorry to get off topic a bit)