Microsoft Defender for Endpoint’s Tamper Protection in macOS has entered general availability.
The update is important for administrators having to deal with Apple hardware while also keeping everything secure. It represents one more layer of protection and prevents the unauthorized removal of Microsoft Defender for Endpoint on macOS.
It also prevents tampering with Defender for Endpoint's files, processes and configuration settings, and applies at device level.
By default, the feature will roll out with audit mode enabled, meaning actions to uninstall the agent will be logged, as will the deletion/renaming/modification of Defender for Endpoint files and the creation of new files under Defender for Endpoint installation locations.
Alerts, however, are not raised in the Security Center while in audit mode. Instead, administrators must look for signals either in on-device logs or via Advanced Hunting. The thinking is that administrators can use audit mode to get a sense for how the new feature works before switching to block mode where tampering attempts are blocked and alerts are raised.
“Later this year, we will offer a gradual rollout mechanism that will automatically switch endpoints to block mode,” said Microsoft, although the mechanism will only apply if users have not specifically made a choice to either disable the capability or already switched on block mode.
It’s a useful update, and can be enabled using an MDM solution (we’re sure Microsoft would be ever so pleased if people used Endpoint Manager, but something like Jamf Pro would work just as well). It can also be turned off completely if required.
Supported macOS versions are Monterey (12), Big Sur (11), and Catalina (10.15+), and version 101.70.19 or above of Microsoft Defender for Endpoint is needed. It is also highly recommended that System Integrity Protection (SIP) be enabled. The latter is part of macOS and usually only disabled by developers in order to tinker with low-level code. Unsurprisingly, Apple’s documentation on the subject is festooned with dire warnings regarding its disabling.
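Before flipping Tamper Protection from audit to block mode, an administrator will want to confirm the prerequisites the article lists (agent at 101.70.19 or later, SIP enabled) and see which mode the agent is currently in. The following pre-flight script is an added example written for this article; it is not Microsoft's code. It assumes that `mdatp health --field app_version` and `mdatp health --field tamper_protection` print the agent version and the current mode (`audit`, `block` or `disabled`) as quoted strings, and that `csrutil status` reports `System Integrity Protection status: enabled.`; those command outputs are assumptions here, and the script falls back to constructed sample output when `mdatp` is not installed so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the article or from Microsoft): pre-flight check for
# the prerequisites named in the article before enabling Tamper Protection on macOS.

REQUIRED_MDE_VERSION="101.70.19"   # minimum agent version given in the article

# version_ge A B: exit 0 when dotted version A is >= B, comparing field by field
# numerically and treating missing trailing fields as 0 (so 101.70 < 101.70.19).
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; na = NF }
        NR == 2 { for (i = 1; i <= NF; i++) b[i] = $i; nb = NF }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                x = (i in a) ? a[i] + 0 : 0
                y = (i in b) ? b[i] + 0 : 0
                if (x > y) exit 0
                if (x < y) exit 1
            }
            exit 0
        }'
}

# sip_enabled OUTPUT: exit 0 when the text of `csrutil status` reports SIP enabled.
sip_enabled() {
    printf '%s\n' "$1" | grep -q 'System Integrity Protection status: enabled'
}

# tamper_mode OUTPUT: normalise the (assumed quoted) value printed by
# `mdatp health --field tamper_protection` to a bare lower-case word.
tamper_mode() {
    printf '%s\n' "$1" | tr -d '"' | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]'
}

# check_readiness VERSION SIP_OUTPUT TP_OUTPUT: print findings and exit 0 only
# when the agent is new enough, SIP is on and Tamper Protection is not disabled.
check_readiness() {
    ver="$1"; sip_out="$2"; tp_out="$3"; ok=0
    if version_ge "$ver" "$REQUIRED_MDE_VERSION"; then
        echo "OK   agent $ver meets minimum $REQUIRED_MDE_VERSION"
    else
        echo "FAIL agent $ver is below $REQUIRED_MDE_VERSION; update before enabling"; ok=1
    fi
    if sip_enabled "$sip_out"; then
        echo "OK   System Integrity Protection is enabled"
    else
        echo "FAIL System Integrity Protection is disabled; re-enable it first"; ok=1
    fi
    mode=$(tamper_mode "$tp_out")
    case "$mode" in
        block)    echo "OK   Tamper Protection already in block mode" ;;
        audit)    echo "INFO Tamper Protection in audit mode: review on-device logs / Advanced Hunting, then switch to block" ;;
        disabled) echo "FAIL Tamper Protection disabled on this device"; ok=1 ;;
        *)        echo "FAIL unrecognised Tamper Protection state '$mode'"; ok=1 ;;
    esac
    return $ok
}

# Collect live values when the agent is present; otherwise use constructed
# sample output (labelled as such) so the script still runs off-box.
if command -v mdatp >/dev/null 2>&1; then
    LIVE_VERSION=$(mdatp health --field app_version | tr -d '"')
    LIVE_SIP=$(csrutil status 2>/dev/null)
    LIVE_TP=$(mdatp health --field tamper_protection)
else
    echo "(mdatp not found; using constructed sample output)"
    LIVE_VERSION="101.70.19"
    LIVE_SIP="System Integrity Protection status: enabled."
    LIVE_TP='"audit"'
fi

if check_readiness "$LIVE_VERSION" "$LIVE_SIP" "$LIVE_TP"; then
    echo "Device meets the prerequisites for block mode"
else
    echo "Device is not ready for block mode"
fi
```

Run it on each Mac in the pilot group (or push it through the MDM as a script) and keep the `INFO` line in mind: a device reporting `audit` is logging tampering attempts but not blocking them, so the audit output should be reviewed before the mode is changed.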
The functionality has been a while coming as far as the Microsoft world is concerned – with the preview out in May – and closes off another route by which organizations can be attacked.
Some users might grumble at yet more locking down of their devices when block mode is enabled, but an initial look at audit mode will help administrators spot problems before the security hammer comes down. ®