Microsoft has announced that Tamper Protection is now generally available for Defender for Endpoint customers on macOS devices. The new feature prevents malicious software and unauthorized users from modifying security settings that might put a system at risk.
With Tamper Protection enabled, third-party apps won’t be able to uninstall Microsoft Defender for EndPoint from Mac machines. The feature also helps to protect important security files, configuration settings, and processes.
“Tamper protection brings an additional layer of protection in Microsoft Defender for Endpoint to elevate the endpoint security posture of organizations. Reliably securing endpoints is crucial for any organization. Enhanced tamper resilience across prevalent platforms is a great advantage for organizations seeking to continuously enhance their endpoint security,” the company explained.
Organizations can configure Tamper Protection on macOS devices manually or via Microsoft Intune. Once it has been set up, Microsoft Defender for EndPoint monitors tamper attempts and creates event logs to alert IT admins about potential security threats.
Microsoft notes that Tamper Protection ships with audit mode enabled by default, and it’s up to the IT admins to disable it in their tenants. The audit mode will log tampering operations such as the creation, deletion, renaming, and modification of files. In audit mode, administrators will be able to view Tamper Protection signals in local on-device logs or via Advanced Hunting.
Moreover, users can run the “mdatp health” command in order to check the status of the feature on their Mac devices. The value will either be set to “audit,” “block,” or disabled in the “tamper_protection” field.
Microsoft plans to release an update that will automatically switch endpoints to “block” mode later this year. However, this change will only apply to customers who have not manually enabled or disabled block mode.
The Tamper Protection feature will be enabled for all customers in a staggered manner over the next few weeks. This capability is available for devices running Microsoft Defender for Endpoint for macOS version 101.75.90 or later. We invite you to check out this support page for more details.