Skip to main content
Red Canary help

Install and uninstall the Microsoft Defender for Endpoint sensor on MacOS

  • Updated .

Configure the necessary network connectivity

Prior to deploying the sensor, please ensure you have accounted for the following:

Microsoft Defender for Endpoint communicates with the Microsoft Azure cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

Microsoft 365 Defender is built on Azure cloud, deployed in the following regions:

  • uswestcentral
  • useast2
  • useast
  • europenorth
  • europewest
  • uksouth
  • ukwest

You can find more information in Microsoft Azure Datacenter IP Ranges on Microsoft. 

Be sure that this address is authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Install Microsoft Defender for Endpoint

To install the Defender for Endpoint sensor, you will need access to the Microsoft Defender portal to onboard any of the supported devices. 

  1. In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
  2. Click SettingsDevice Management, and then Onboarding.
  3. Click Select operating system to start onboarding processmacOS.
  4. Select a deployment method, and then click Download Package.
  5. Onboard your devices by running the package you downloaded.
  6. Follow the "Run a detection test" instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

Uninstall Microsoft Defender for Endpoint 

  1. In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
  2. Click SettingsDevice Management, and then Offboarding.
  3. Select MacOS, and then Local Script
  4. Enable “root” user. For more information, see How to enable the root user on your Mac or change your root password in Apple Support.
  5. Click on Spotlight, type Terminal, and then press Enter
  6. Navigate to the Downloads folder.
  7. Execute the following commands (replacing the x’s with the proper values for the downloaded package):
     
    unzip WindowsDefenderATPOffboardingPackage_valid_until_xxxxxx-xx.zip

    python MicrosoftDefenderATPOffboardingMacOs_valid_until_xxxx-xx-xx.py
  8. Enter the password generated when you enabled the root user. 

The script will uninstall the Defender ATP agent from macOS. 

 

Comments

0 comments

Please sign in to leave a comment.