
Microsoft Defender for Endpoint on macOS prerequisites

This article lists the prerequisites for installing and configuring Microsoft Defender for Endpoint on macOS. It also includes links to additional resources for more information.

Important

If you want to run multiple security solutions side by side, see Considerations for performance, configuration, and support.

You might have already configured mutual security exclusions for devices onboarded to Microsoft Defender for Endpoint. If you still need to set mutual exclusions to avoid conflicts, see Add Microsoft Defender for Endpoint to the exclusion list for your existing solution.

Prerequisites, installation, and configuration instructions

Prerequisites

System requirements

These three most recent major releases of macOS are supported:

  • 26 (Tahoe)
  • 15.0.1 (Sequoia)
  • 14 (Sonoma)

Note

Beta versions of macOS aren't supported, but new releases of macOS are supported from day 1.

  • Supported processors: x64 and ARM64
  • Disk space: 1 GB

Caution

We recommend that you keep System Integrity Protection (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.

System extensions

Microsoft Defender for Endpoint on macOS uses two system extensions:

| Extension | Function |
| --- | --- |
| Endpoint Security Extension (com.microsoft.wdav.epsext) | Real-time protection—monitors file, process, and system events |
| Network Extension (com.microsoft.wdav.netext) | Network content inspection—enables Network Protection, Web Content Filtering, and custom indicators |

Starting with macOS Big Sur (11), system extensions require explicit approval before they can run. During manual installation, macOS prompts you to approve the extensions in System Settings > Privacy & Security. For enterprise deployments, you can preapprove these extensions using MDM configuration profiles.

For installation instructions, see your deployment method:

For troubleshooting, see Troubleshoot system extension issues.

Enterprise deployment requirements

There are several methods and deployment tools that you can use to centrally install and configure Defender for Endpoint on macOS across your devices:

Manual deployment requirements

You can also configure Defender for Endpoint on macOS locally.

Licensing requirements

Microsoft Defender for Endpoint on macOS requires one of the following Microsoft Volume Licensing offers:

  • Microsoft 365 E5
  • Microsoft Defender Suite
  • Microsoft 365 A5
  • Windows 10 Enterprise E5
  • Microsoft 365 Business Premium
  • Windows 11 Enterprise E5
  • Microsoft Defender for Endpoint P2 (included in Microsoft 365 E5 and E5 Security)
  • Microsoft Defender for Endpoint P1 (included in Microsoft 365 E3)

Note

Licensed users can use Microsoft Defender for Endpoint on up to five concurrent devices. Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it doesn't require Microsoft Volume Licensing offers listed.

Network connectivity

Ensure that your devices can connect to Microsoft Defender for Endpoint cloud services. To prepare your environment, see STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service.

Microsoft Defender for Endpoint can connect through a proxy server by using the following methods:

  • Proxy autoconfig (PAC)
  • Web Proxy Autodiscovery Protocol (WPAD)
  • Manual static proxy configuration

If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted for the previously listed URLs.

Warning

Authenticated proxies aren't supported. Ensure that only PAC, WPAD, or a static proxy is being used. For security reasons, SSL inspection and intercepting proxies aren't supported. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store doesn't allow for interception.

Next steps

Onboard client devices to Microsoft Defender for Endpoint

To onboard Microsoft Defender for Endpoint for macOS, complete the following steps:

  • First, ensure that the device meets the system requirements and network connectivity requirements.
  • Next, install the .pkg file containing the software.
  • Next, install the required system extensions.
  • Finally, onboard the device to Microsoft Defender for Endpoint.

For more information, see Onboard client devices running macOS to Microsoft Defender for Endpoint.

Test network connectivity

To test that a connection isn't blocked, open https://x.cp.wd.microsoft.com/api/report and https://cdn.x.cp.wd.microsoft.com/ping in a browser.

If you prefer the command line, you can also check the connection by running the following command in Terminal:

curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'

The output from this command should be similar to the following:

OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping

After you install Microsoft Defender for Endpoint, you can validate connectivity by running the following command in Terminal:

mdatp connectivity test
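
The supported-release list, the SIP recommendation, and the system extension approval state described on this page can also be checked from Terminal. The following script is an added example, not part of the original article or Microsoft's tooling. The `systemextensionsctl` state strings, the placeholder team ID in the sample, and the treatment of 15.0 as unsupported are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Microsoft's tooling): read-only prerequisite checks.
# Each function parses captured command output, so it can be tested offline.

# $1 = `sw_vers -productVersion`. The page lists 14, 15.0.1 and 26; treating
# 15.0 as below the listed 15.0.1 is this example's reading of that list.
macos_supported() {
    case "${1%%.*}" in
        14|26) return 0 ;;
        15) [ "$1" != "15" ] && [ "$1" != "15.0" ] && [ "$1" != "15.0.0" ] ;;
        *) return 1 ;;
    esac
}

# $1 = `csrutil status` output.
sip_enabled() {
    printf '%s\n' "$1" | grep -q '^System Integrity Protection status: enabled'
}

# $1 = bundle ID, $2 = `systemextensionsctl list` output.
# Prints: approved | needs-approval | other | missing
# The bracketed state strings are assumed from typical macOS output.
ext_state() {
    line=$(printf '%s\n' "$2" | grep -F "$1 " | head -n 1)
    if [ -z "$line" ]; then echo missing; return 0; fi
    case "$line" in
        *'[activated enabled]'*) echo approved ;;
        *'[activated waiting for user]'*) echo needs-approval ;;
        *) echo other ;;
    esac
}

# Constructed sample (placeholder team ID and versions), not real device output.
SAMPLE_EXTS='2 extension(s)
--- com.apple.system_extension.endpoint_security
*  *  TEAMID0000  com.microsoft.wdav.epsext (0.0/0.0)  Example ES  [activated enabled]
--- com.apple.system_extension.network_extension
   *  TEAMID0000  com.microsoft.wdav.netext (0.0/0.0)  Example NE  [activated waiting for user]'

# Live run, only on macOS.
if [ "$(uname -s)" = "Darwin" ]; then
    macos_supported "$(sw_vers -productVersion)" || echo "FAIL: macOS release not supported"
    sip_enabled "$(csrutil status)" || echo "WARN: SIP is not enabled"
    exts=$(systemextensionsctl list)
    for id in com.microsoft.wdav.epsext com.microsoft.wdav.netext; do
        echo "$id: $(ext_state "$id" "$exts")"
    done
fi
```

A `needs-approval` result means the extension is installed but still waiting for approval in System Settings > Privacy & Security or for an MDM profile that preapproves it.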