In this post I explain how to install Microsoft Defender ATP (Windows Defender ATP) on macOS through Intune as the MDM solution.

To do that, we first need to download the macOS onboarding package from the Security Center portal:

https://securitycenter.windows.com

Access the Microsoft Defender Security Center and download the installation and onboarding package.

To deploy the installation package with Microsoft Intune we also need the Intune app wrapping tool for macOS (IntuneAppUtil), which is available here.


Now you should have these three files:

Microsoft Defender ATP source files

Copy all three files from the Mac Downloads folder into a single folder.

Open a terminal in that folder and perform the following actions:

  • Make the IntuneAppUtil executable: chmod +x IntuneAppUtil
  • Generate the Intune deployment package: ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav"
  • Unzip the onboarding package: unzip windowsDefenderATPOnboardingPackage.zip
  • We will need the files in the unzipped intune folder later.

When you have successfully completed the above steps, the file structure should look like this:

Wrapped and unzipped Microsoft Defender ATP files
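As an added example (not part of the original post), the following POSIX shell script runs the three terminal steps above in one go and checks that the expected inputs and outputs are present. It assumes the three downloads sit together in the directory passed as the first argument and that IntuneAppUtil writes the wrapped app with the .intunemac extension mentioned later in this post.

```shell
#!/bin/sh
# Added example, not from the original post: automate the wrapping and
# unpacking steps and verify the files the Intune portal will need.
# Assumes IntuneAppUtil, wdav.pkg and windowsDefenderATPOnboardingPackage.zip
# are all in the directory given as "$1".

# Return 0 if every required input file is present in "$1", 1 otherwise.
check_inputs() {
    dir="$1"
    missing=0
    for f in IntuneAppUtil wdav.pkg windowsDefenderATPOnboardingPackage.zip; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing input: $dir/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Return 0 if the wrapped app and the two Intune XML payloads exist in "$1".
check_outputs() {
    dir="$1"
    ls "$dir"/*.intunemac >/dev/null 2>&1 || return 1
    [ -f "$dir/intune/kext.xml" ] || return 1
    [ -f "$dir/intune/WindowsDefenderATPOnboarding.xml" ] || return 1
    return 0
}

# Run the steps from the post. Note the straight quotes around the bundle
# identifier: the curly quotes a word processor inserts break the shell.
wrap_and_unpack() {
    dir="$1"
    check_inputs "$dir" || return 1
    (
        cd "$dir" || exit 1
        chmod +x IntuneAppUtil
        ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" || exit 1
        unzip -o windowsDefenderATPOnboardingPackage.zip || exit 1
    ) || return 1
    check_outputs "$dir"
}
```

Run it as `sh wrap.sh /path/to/folder` after adding `wrap_and_unpack "$1"` at the bottom; a non-zero exit tells you which file is missing before you touch the Intune portal.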

Intune portal configuration

In the Intune portal, create a custom device configuration to deploy the Microsoft Defender ATP kernel extension policy, kext.xml. Upload the kext.xml file from the previously extracted zip; it is located in the intune folder. The kernel extensions it describes are loaded by macOS at boot for the Microsoft Defender ATP service.

For the actual onboarding of the macOS machine to your MDATP tenant we need the onboarding configuration "WindowsDefenderATPOnboarding.xml", which contains the encrypted tenant information. This file is also in the unzipped package, in the intune folder. To deploy it, create another custom device configuration and upload the XML file.

To deploy the Microsoft Defender ATP package itself, create a new LOB (line-of-business) app and upload the wrapped *.intunemac file:

Provide the required app information and make sure to set the minimum operating system version to Sierra, as mentioned in the prerequisites:

Finally, make sure that you assign both device configurations and the LOB app to your targeted Azure AD group.