News, news analysis, and commentary on the latest trends in cybersecurity technology.

Microsoft Rolls Out Tamper Protection for Macs

The new feature detects attempts to modify files and processes for Microsoft Defender for Endpoints on macOS.

Dark Reading Staff, Dark Reading

August 17, 2022

1 Min Read
an open silver macbook pro laptop
Source: Africa Studio via Alamy Stock Photo

Microsoft has announced general availability of tamper protection in Microsoft Defender for Endpoint on macOS. The feature, which has been in public preview since May, will be rolling out over the next few days.

Tamper protection allows administrators who deal with Apple hardware in their environments to block the unauthorized removal of Microsoft Defender for Endpoint on macOS systems, as well as prevent any attempts to tamper with Microsoft Defender for Endpoint files, processes, and configuration settings. The feature elevates the organization’s endpoint security posture, Microsoft said in a post on the Microsoft Tech Community.

“Enhanced tamper resilience across prevalent platforms is a great advantage for organizations seeking to continuously enhance their endpoint security,” the company said.

Tamper protection is a device-level setting, which means the protection will apply to all users on the device. Available settings are “disabled,” “audit,” and “block.” By default, Microsoft Defender for Endpoint on macOS will have Tamper protection set to “audit,” so actions to uninstall the agent, modify Microsoft Defender files, or creating new files in the location where Microsoft Defender is installed will be logged automatically. However, administrators will not see any alerts in the Security Center – they will need to check either on-device logs or under the Advanced Hunting feature.

Tamper protection needs to be switched to “block” in order for administrators to see alerts and for tampering activities to be blocked. The company says a future rollout will automatically switch settings so that “block” becomes the default setting.

Administrators can enable the feature using a mobile device management platform, such as Endpoint Manager or Jamf. Tamper protection is available only for Microsoft Defender for Endpoint version 101.70.19 or above and on macOS versions Monterey, Big Sur, and Catalina.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights