
Commit 5d81188

Update tamperprotection-macos.md
1 parent bcc49e3 commit 5d81188

1 file changed: +2 -2 lines changed


defender-endpoint/tamperprotection-macos.md

Lines changed: 2 additions & 2 deletions
@@ -90,7 +90,7 @@ Make sure that the following requirements are met:
9090
- Ensure that Defender for Endpoint has **Full Disk Access** authorization.
9191

9292
> [!NOTE]
93-
> Both having SIP enabled and all configuration done via MDM is not mandatory, but required for a fully secured device, as otherwise a local admin still can make tampering changes that macOS manages. For example, enabling **TCC** (Transparency, Consent & Control) through a Mobile Device Management solution such as [Intune](mac-install-with-intune.md), will eliminate the risk of a Global Administrator revoking **Full Disk Access** Authorization by a local admin.
93+
> Both having SIP enabled and all configuration done via MDM is not mandatory, but is required for a fully secured device. Otherwise, a local administrator can make tampering changes that macOS manages. For example, enabling **TCC** (Transparency, Consent & Control) through a Mobile Device Management solution such as [Intune](mac-install-with-intune.md), will eliminates the risk of a Security Administrator revoking **Full Disk Access** Authorization by a local admin.
9494
9595
## Configure tamper protection on macOS devices
9696
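Review bot: The new line 93 introduces a grammar error ("will eliminates") and, after the role swap, still names two actors for one action: "the risk of a Security Administrator revoking **Full Disk Access** Authorization by a local admin". The preceding sentence says the concern is that "a local administrator can make tampering changes", so the Security Administrator should not appear as the party doing the revoking. Suggest something like "eliminates the risk of a local admin revoking **Full Disk Access** authorization", and if the role needs to be mentioned, state separately who is allowed to change the MDM-delivered setting.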

@@ -137,7 +137,7 @@ sudo mdatp config tamper-protection enforcement-level --value block
137137
![Image of manual configuration command](media/manual-config-cmd.png)
138138

139139
> [!NOTE]
140-
> You must use managed configuration profile (deployed via MDM) on production devices. If a local admin changed tamper protection mode via a manual configuration, they can change it to a less restrictive mode at any time as well. If tamper protection mode was set via a managed profile, only a Global Administrator will be able to undo it.
140+
> You must use managed configuration profile (deployed via MDM) on production devices. If a local admin changed tamper protection mode via a manual configuration, they can change it to a less restrictive mode at any time as well. If tamper protection mode was set via a managed profile, only a Security Administrator will be able to undo it.
141141
142142
2. Verify the result.
143143
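Review bot: On new line 140, "only a Security Administrator will be able to undo it" names a role without saying where it is defined or which permission it carries, and the commit message ("Update tamperprotection-macos.md") gives no reason for replacing "Global Administrator". Since this note tells readers who can weaken the tamper protection mode, link the role name to its definition or state the specific permission required, and confirm the wording matches the role used in the note at line 93. While touching the line, "You must use managed configuration profile" is missing an article ("a managed configuration profile").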
