Microsoft Rolls Out Tamper Protection for Macs

Microsoft has announced general availability of tamper protection in Microsoft Defender for Endpoint on macOS. The feature, which has been in public preview since May, will be rolling out over the next few days.

Tamper protection allows administrators who deal with Apple hardware in their environments to block the unauthorized removal of Microsoft Defender for Endpoint on macOS systems, as well as prevent any attempts to tamper with Microsoft Defender for Endpoint files, processes, and configuration settings. The feature elevates the organization’s endpoint security posture, Microsoft said in a post on the Microsoft Tech Community.

“Enhanced tamper resilience across prevalent platforms is a great advantage for organizations seeking to continuously enhance their endpoint security,” the company said.

Tamper protection is a device-level setting, which means the protection will apply to all users on the device. Available settings are “disabled,” “audit,” and “block.” By default, Microsoft Defender for Endpoint on macOS will have Tamper protection set to “audit,” so actions to uninstall the agent, modify Microsoft Defender files, or creating new files in the location where Microsoft Defender is installed will be logged automatically. However, administrators will not see any alerts in the Security Center – they will need to check either on-device logs or under the Advanced Hunting feature.

Tamper protection needs to be switched to “block” in order for administrators to see alerts and for tampering activities to be blocked. The company says a future rollout will automatically switch settings so that “block” becomes the default setting.

Administrators can enable the feature using a mobile device management platform, such as Endpoint Manager or Jamf. Tamper protection is available only for Microsoft Defender for Endpoint version 101.70.19 or above and on macOS versions Monterey, Big Sur, and Catalina.