Intune Kernel extensions settings cannot be applied to Mac with Apple M1 - Results in failure #7

Closed
RedVortex opened this issue Mar 29, 2021 · 3 comments

Comments

@RedVortex
Contributor

https://github.com/MicrosoftDocs/microsoft-365-docs/issues/4557

https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-kernel-extensions-on-macs-running-apple-silicon-are/ba-p/2238727

https://support.apple.com/en-us/HT211860#silicon

The combined MacOS profile cannot be applied because of the above. I think it may be a good idea to either mention it in the readme, create another profile for Apple Silicon devices only, or remove the kernel extensions configs altogether if this is not required by Defender ATP anymore. But maybe some people still use Defender ATP with kernel extensions and an old MacOS version, and they may still require the kernel extensions configs; that's why I did not simply do a pull request removing the kernel extensions config and opened an issue instead to decide how to handle it.

I'll let you decide how this should be approached/fixed for Apple Silicon devices under Intune management. Else it prevents the profile from being loaded and applied and thus ATP doesn't run properly (no rights, configs, etc...)

On my side, since we run the latest Defender ATP and we also only run Big Sur, I simply removed the kernel extensions from the combined profile and it fixed the issue.
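The workaround described in the comment above, as an added sketch that is not the poster's or the repository's code: it drops kernel extension policy payloads from a combined profile and leaves every other payload untouched. It assumes an unsigned `.mobileconfig` (a plain property list); the sample profile and its `example.*` identifiers are constructed for illustration.

```python
import plistlib

# Payload type of Apple's kernel extension policy (the kext allow list).
KEXT_PAYLOAD_TYPE = "com.apple.syspolicy.kernel-extension-policy"


def payload_types(profile_bytes):
    """List the PayloadType of every payload in a profile, in order."""
    profile = plistlib.loads(profile_bytes)
    return [p.get("PayloadType") for p in profile.get("PayloadContent", [])]


def strip_kext_payloads(profile_bytes):
    """Return (new_profile_bytes, identifiers_of_removed_payloads)."""
    profile = plistlib.loads(profile_bytes)
    kept, removed = [], []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == KEXT_PAYLOAD_TYPE:
            removed.append(payload.get("PayloadIdentifier", "<no identifier>"))
        else:
            kept.append(payload)
    profile["PayloadContent"] = kept
    return plistlib.dumps(profile), removed


# Constructed sample: a minimal combined profile with three payloads.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.combined",
    "PayloadVersion": 1,
    "PayloadContent": [
        {"PayloadType": KEXT_PAYLOAD_TYPE,
         "PayloadIdentifier": "example.kext",
         "AllowedTeamIdentifiers": ["UBF8T346G9"]},
        {"PayloadType": "com.apple.system-extension-policy",
         "PayloadIdentifier": "example.sysext"},
        {"PayloadType": "com.apple.TCC.configuration-profile-policy",
         "PayloadIdentifier": "example.tcc"},
    ],
})

if __name__ == "__main__":
    stripped, removed = strip_kext_payloads(SAMPLE)
    print("removed:", removed)
    print("remaining:", payload_types(stripped))
```

Review the list of removed identifiers before uploading the result to Intune, so that only the kext policy is gone and the system extension and full disk access payloads are still present.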

@RedVortex
Contributor Author

Thanks for your updates @maximvelichko! I'll close this ticket, the changes you made allow us to use the profiles without the kext now for M1.

@maximvelichko
Contributor

maximvelichko commented Apr 1, 2021 via email

@RedVortex
Contributor Author

hehe, good question! I don't remember exactly, it was a few months ago... I was googling to try to find better ways to merge all the profiles, settings, etc. for ATP to make it simpler in Intune and also show only 1 profile in MacOS profiles so it is more clear in regards to all settings pushed from Intune to MacOS. I was pushing multiple profiles before that and it was a bit messy.

I was probably searching something like mdatp and UBF8T346G9 or something similar and ended up finding one of the files on GitHub indexed on Google like this one

https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig

And from that, I checked the other files in this repository and found the combined file which was exactly what I was looking for.

I'm pretty sure I did not find this through 365 Docs directly. I remember I was trying to fix a few things that the 365 Docs for ATP/MacOS weren't covering/explaining properly and ended up digging for more information to better understand how this worked. I think I was trying to fix issues related to Big Sur and systems extension + full disk access. The 365 Docs have been covering this better for a few weeks/months now but were missing some info earlier on during the Big Sur beta while Defender ATP wasn't 100% compatible with it yet. Now they go along very well, except for the need to exclude Time Machine folders and the network disk associated with it, or else MacOS completely freezes, crashes, etc... during Time Machine backups/local snapshot updates.
