Comprehensive guide to macOS Local MDE offboarding: executing the necessary commands to stop Agent functionality and validate that the Agent processes are no longer present on the machine.
Offboarding macOS Device from MDE Monitoring
- On the desired macOS Device that you wish to Offboard, access the Spotlight Search functionality, provide Terminal within the search field. Locate and select the utility to begin.
- Once the CLI session is initiated, we will execute the command below to disable the tamper protection security control that was enforced during the onboarding process, if this step is not completed prior to launching the next command it will fail during execution. We will need to execute this command with administrative privileges, you will need to fulfill the authentication prompt that is generated in the session.
Command
sudo mdatp config tamper-protection enforcement-level --value disable
- After the disablement of the security control, we will execute the command below to initiate the decommissioning of the MDE agent on the machine and severe the connection between the device and Microsoft Defender services. We will need to execute this command with administrative privileges, you will need to fulfill the authentication prompt that is generated in the session.
Command
sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'
- After the execution of the command above, we will proceed with supplying the following command to evaluate if the MDE agent still has proper security functionality enabled for communication to your Organizations Microsoft Defender portal.
Command
mdapt connectivity test
- Upon execution of the script, you will see values returned in the window below.
- Depending on the results there will be two different paths forward:
- If the command returns that the mdatp package is not found on the machine, the agent is no longer on the machine and the MDE offboarding process was successful. Next steps will be to access the defender portal and exclude the device manually from the system once the offboarding verification process has been executed successfully, this procedure can be found here.
- If the command returns a URL [OK] values related to the agent being able to connect to Microsoft Services tied to your organization, that means that the MDE agent has not been successfully removed and the machine is still currently being monitored by the MDE agent. This could be due to the steps outlined above not being conducted correctly, or the offboarding package gathered from the Defender portal having reached its expiration period. Next steps will require that an investigation of process breakdown be conducted prior to attempting a re-execution of the procedure.
- If the command returns that the mdatp package is not found on the machine, the agent is no longer on the machine and the MDE offboarding process was successful. Next steps will be to access the defender portal and exclude the device manually from the system once the offboarding verification process has been executed successfully, this procedure can be found here.
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.