Merge pull request #1340 from YongRhee-MSFT/docs-editor/mac-resources-1726186394

denisebmsft · web-flow · commit 47f60db87e02 · 2024-09-13T14:44:02.000-07:00
Update mac-resources.md
diff --git a/defender-endpoint/mac-resources.md b/defender-endpoint/mac-resources.md
@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/17/2024
+ms.date: 09/13/2024
 ---
 
 # Resources for Microsoft Defender for Endpoint on macOS
@@ -74,16 +74,7 @@ If an error occurs during installation, the installer reports a general failure
 
 For further troubleshooting installation issues, see [Troubleshoot installation issues for Microsoft Defender for Endpoint on macOS](mac-support-install.md).
 
-## Uninstalling
-
-> [!NOTE]
-> Before uninstalling Microsoft Defender for Endpoint on macOS, offboard each device per [Offboard non-Windows devices](configure-endpoints-non-windows.md).
-
-There are several ways to uninstall Microsoft Defender for Endpoint on macOS. Although centrally managed uninstallation is available on JAMF, it's not yet available for Microsoft Intune.
-
-### Interactive uninstallation
-
-- Open **Finder > Applications**. Right click on **Microsoft Defender for Endpoint**, and then select **Move to Trash**.
+## Configuring from the command line
 
 ### Supported output types
 
@@ -93,28 +84,6 @@ Supports table and JSON format output types. For each command, there's a default
 
 `-output table`
 
-### From the command line
-
-- `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`
-
-### Using JAMF Pro
-
-To uninstall Microsoft Defender for Endpoint on macOS using JAMF Pro upload the offboarding profile. 
-
-The offboarding profile should be uploaded without any modifications, and with Preference Domain name set to `com.microsoft.wdav.atp.offboarding`, as shown in the following image:
-
-   :::image type="content" source="/defender/media/defender-endpoint/jamf-pro-offboarding.png" alt-text="Screenshot of the JAMF offboarding screen" lightbox="/defender/media/defender-endpoint/jamf-pro-offboarding.png":::
-
-
-> [!NOTE]
-> If you have trouble uninstalling Defender for Endpoint on Mac, and you see in your reports an item for *Microsoft Defender Endpoint Security Extension*, follow these steps:
-> 1. Reinstall the Microsoft Defender app.
-> 2. Drag **Microsoft Defender.app** to **Trash**.
-> 3. Run this command: `sudo /Library/Application Support/Microsoft/Defender/uninstall/install_helper execute --path '/Library/Application Support/Microsoft/Defender/uninstall/uninstall' --args --post-uninstall-hook`.
-> 4. Restart the device.
-
-## Configuring from the command line
-
 Important tasks, such as controlling product settings and triggering on-demand scans, can be done by using the command line:
 
 |Group|Scenario|Command|
@@ -201,10 +170,57 @@ To enable autocompletion in zsh:
 
 `/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds are shown with `mdatp threat list`.
 
-## Microsoft Defender for Endpoint portal information
+## Uninstalling
+
+There are several ways to uninstall Microsoft Defender for Endpoint on macOS. Although centrally managed uninstallation is available on JAMF, it's not yet available for Microsoft Intune.
+
+All of the uninstall of Microsoft Defender for Endpoint on macOS require the following:
+
+1. Create a [device tag](/defender-endpoint/machine-tags), and name the tag *decommissioned* and assign it to the macOS where Microsoft Defender for macOS is being uninstalled.
+
+1. Create a [Device group](/defender-endpoint/machine-groups) and name it (e.g. *Decommissioned macOS*) and assign a user *group* that should be able to see them.
+
+   Note: Steps 1 and 2 are optional if you do not want to see these devices that are retired in the "Device inventory" for 180 days.
+   
+1. Remove the "Set Preferences" policies that contain [Tamper Protection](/defender-endpoint/tamperprotection-macos) or through the manual configuration.
+
+1. Offboard each device per [Offboard non-Windows devices](configure-endpoints-non-windows.md).
+
+1. Uninstall the Microsoft Defender for Endpoint for macOS apps
+
+1. Remove the device from the *group* for *system extension* policies if an MDM was used to set them.
+
+### Interactive uninstallation
+
+- Open **Finder > Applications**. Right click on **Microsoft Defender for Endpoint**, and then select **Move to Trash**.
+
+### From the command line
+
+- `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`
+
+### Using JAMF Pro
+
+To uninstall Microsoft Defender for Endpoint on macOS using JAMF Pro upload the offboarding profile. 
+
+The offboarding profile should be uploaded without any modifications, and with Preference Domain name set to `com.microsoft.wdav.atp.offboarding`, as shown in the following image:
+
+   :::image type="content" source="/defender/media/defender-endpoint/jamf-pro-offboarding.png" alt-text="Screenshot of the JAMF offboarding screen" lightbox="/defender/media/defender-endpoint/jamf-pro-offboarding.png":::
+
+
+> [!NOTE]
+> If you have trouble uninstalling Defender for Endpoint on Mac, and you see in your reports an item for *Microsoft Defender Endpoint Security Extension*, follow these steps:
+> 1. Reinstall the Microsoft Defender app.
+> 2. Drag **Microsoft Defender.app** to **Trash**.
+> 3. Run this command: `sudo /Library/Application Support/Microsoft/Defender/uninstall/install_helper execute --path '/Library/Application Support/Microsoft/Defender/uninstall/uninstall' --args --post-uninstall-hook`.
+> 4. Restart the device.
+
+## The Microsoft Defender portal
+
+When threats are detected, your security team can view detections and if necessary, take response actions on a device. For more information, see the following resources:
 
-The Microsoft Defender for Endpoint blog,
-[EDR capabilities for macOS have now arrived](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect.
+- [Overview of endpoint detection and response](/defender-endpoint/overview-endpoint-detection-response)
+- [Tech Community blog: EDR capabilities for macOS have now arrived](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801)
+- [Microsoft Defender portal overview](/defender-xdr/microsoft-365-defender-portal)
 
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
