Merge pull request #1432 from MicrosoftDocs/fixes

denisebmsft · web-flow · commit ef1879e8f89d · 2024-09-20T19:41:03.000-07:00
MDE on Mac troubleshooting NetExt
diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml
@@ -422,13 +422,15 @@
 
         - name: Troubleshoot Microsoft Defender for Endpoint on macOS
           items:
+          - name: Troubleshoot NetExt issues with Defender for Endpoint on Mac
+            href: mac-troubleshoot-netext-mde.md
           - name: Troubleshooting mode on macOS
             href: mac-troubleshoot-mode.md
           - name: Troubleshoot macOS installation issues
             href: mac-support-install.md
           - name: Troubleshoot macOS performance issues overview
             href: mac-support-perf-overview.md
-            displayName: Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS
+            displayName: Troubleshoot performance issues for Defender for Endpoint on macOS
           - name: Troubleshoot performance issues
             href: mac-support-perf.md
           - name: Troubleshoot cloud connectivity
diff --git a/defender-endpoint/mac-troubleshoot-netext-mde.md b/defender-endpoint/mac-troubleshoot-netext-mde.md
@@ -0,0 +1,215 @@
+---
+title: Troubleshoot Network Extension issues in Microsoft Defender for Endpoint on Mac
+description: Learn how to troubleshoot issues with the network extension (NetExt) that's installed as part of Microsoft Defender for Endpoint on macOS.
+ms.service: defender-endpoint
+author: denisebmsft
+ms.author: deniseb
+manager: deniseb
+ms.reviewer: yongrhee
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection:
+- m365-security
+- tier3
+- mde-macos
+ms.topic: conceptual
+ms.subservice: macos
+search.appverid: met150
+ms.date: 09/20/2024
+---
+
+# Troubleshoot Network Extension (NetExt) issues in Defender for Endpoint on Mac 
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md)
+- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
+- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
+- [Microsoft Defender XDR](/defender-xdr)
+
+> [!NOTE]
+> You can submit feedback by opening Microsoft Defender for Endpoint on Mac on your device, and going to **Help** > **Send feedback**. Another option is to submit feedback via the Microsoft Defender portal. Go to [security.microsoft.com](https://security.microsoft.com), and selecting the **Give feedback** tab. 
+
+## Overview 
+
+This article provides information on how to troubleshoot issues with the network extension (NetExt) that's installed as part of Microsoft Defender for Endpoint on macOS. 
+
+NetExt is used by [Network Protection](network-protection-macos.md) is enabled on Mac devices.
+
+**Symptom**: 
+
+You might notice issues with network related latencies when using your browser or copying files over the network or using a chat/meeting application. 
+
+**Temporary solution**:
+
+This article describes how to temporarily disable NetExt which will temporarily disable network protection, and resolve network stack-related issues by using Intune, JamF, or a manual process on Mac.
+
+At a high level, these are the steps to follow for [Intune](#intune-method) and [JamF](#jamf-method):
+
+1. Create a new "Devices with NetExt disabled" group.
+2. Exclude that group from the existing NetExt configuration.
+3. Assign the existing configuration to the "Devices with NetExt disabled" device group.
+
+The following sections describe these steps in more detail.
+
+## Intune method
+
+The following sections describe how to set up a new "Devices with NetExt disabled" device group, exclude it from the NetExt configuration, and then assign the existing configuration to your new device group.
+
+### Create a device group called "Devices with NetExt disabled"
+
+1. In the [Intune admin center](https://intune.microsoft.com), select **Groups**, and then select **New group**.
+
+2. Set up the device group as follows:
+
+   - Group type: `Security` 
+   - Group name: `Devices with NetExt disabled`
+   - Group description: Add a description.
+   - Membership type: `Assigned` 
+
+   Then select **Refresh**. 
+
+3. Double-click on your new group `Devices with NetExt disabled`.
+
+4. Select **Members**, and then select **Add members**.
+
+5. On the **Devices** tab, select the devices for which you want to disable NetExt. Then click **Select**.
+
+6. Select **Refresh**. You should now be able to see your devices. 
+
+### Exclude the "Devices with NetExt disabled" device group from the existing NetExt configuration 
+
+1. In the [Intune admin center](https://intune.microsoft.com), select **Devices**.
+
+2. Under **By platform**, select **macOS**, and then select **Configuration**.
+
+3. Select your current policy for NetExt. For example, `NetFilter-prod-macOS-Default-MDE`.
+
+4. Next to **Assignments**, select **Edit**.
+
+5. Under **Excluded groups**, select **Add groups**, and then select the "Devices with NetExt disabled" device group. Then click **Select**.
+
+6. Select **Review + save**, and then select **Save**.
+
+### Assign the existing configuration to the "Devices with NetExt disabled" device group 
+
+1. In the [Intune admin center](https://intune.microsoft.com), select **Devices**.
+
+2. Under **By platform**, select **macOS**, and then select **Configuration**.
+
+3. Select a current policy, such as your policy for Accessibility. For example, `Accessibility-prod-macOS-Default-MDE`.
+
+4. Next to **Assignments**, select **Edit**.
+
+5. Under **Add groups**, select the device group that you created earlier (for example, `Devices with NetExt disabled`). Then click **Select**.
+
+6. Select **Review + save**, and then select **Save**.
+
+7. Repeat this procedure for each of your existing policies for Defender for Endpoint on Mac. Examples include:
+
+   - Auto-Update
+   - Background Services
+   - Behavior Monitoring
+   - Device Control
+   - Full Disk Access
+   - Network Protection
+   - Notifications
+   - Scheduled Scan
+   - Settings Preferences
+   - System Extensions 
+
+   > [!CAUTION]
+   > Do not repeat this procedure for NetExt. 
+
+   After you complete these steps, see if you're able to reproduce the issue. 
+
+## JamF method
+
+The following sections describe how to create a new "Devices with NetExt disabled" group, exclude the group from the existing NetExt configuration, and then assign the existing configuration to the new group.
+
+### Create a "Devices with NetExt disabled" group
+
+1. In your JamF portal, select **Computers**, and then select **Static device groups**.
+
+2. Select **New**.
+
+3. On the **Computer Group** tab (default), under **Display name**, add the group name `Devices with NetExt disabled`.
+
+4. Select the **Assignments** tab.
+
+5. Select the devices select the devices for which you want to disable NetExt. Then select **Save**.
+
+   Under **Computers - Static Computer Groups**, you should be able to see your new group. 
+
+### Exclude your "Devices with NetExt disabled" group from the existing NetExt configuration 
+
+1. In your JamF portal, select **Computers**, and then select **Configuration Profiles**.
+
+2. Select your current policy for NetExt. For example, `NetFilter-prod-macOS-Default-MDE`.
+
+3. On the **Scope** tab, select **Edit**.
+
+4. On the **Exclusions** tab, select **Add**, and then select **Computer Groups**.
+
+5. Find your "Devices with NetExt disabled" group, and then select **Add**.
+
+6. Select **Done**, and then select **Save**.
+
+### Assign the existing configuration to the "Devices with NetExt disabled" group 
+
+1. In your JamF portal, select **Computers**, and then select **Configuration Profiles**.
+
+2. Select a current policy, such as one for Accessibility. For example, `Accessibility-prod-macOS-Default-MDE`.
+
+3. On the **Scope** tab, select **Edit**.
+
+4. On the **Targets** tab, select **Add**, and then select **Computer Groups**.
+
+5. Find your "Devices with NetExt disabled" group, and then select **Add**.
+
+6. Select **Done**, and then select **Save**. 
+
+7. Repeat this procedure for each of your existing policies for Defender for Endpoint on Mac. Examples include:
+
+   - Auto-Update
+   - Background Services
+   - Behavior Monitoring
+   - Device Control
+   - Full Disk Access
+   - Network Protection
+   - Notifications
+   - Scheduled Scan
+   - Settings Preferences
+   - System Extensions 
+
+   > [!CAUTION]
+   > Do not repeat this procedure for NetExt. 
+
+   After you complete these steps, see if you're able to reproduce the issue. 
+
+## Manual method
+
+If you have Defender for Endpoint installed on your Mac, you can remove the NetExt extension temporarily by following these steps:
+
+1. On your Mac, open **System Settings**.
+
+2. Go to **General** > **Login items & Extensions**, and then scroll down until you see **Network Extensions**. There, you see the following extensions:
+
+   - Microsoft Defender 
+   - Microsoft Defender Network Extension 
+
+3. Set the toggle to turn off Microsoft Defender Network Extension. Type your password, and then select **OK**.
+
+4. You should see the following message:
+
+   `Note: Disabling the system extension will make sure that it will not be launched after reboot, but it does not guarantee that it will be terminated immediately.`
+ 
+5. Select **OK**, and then select **Done**. 
+
+   After you complete these steps, see if you're able to reproduce the issue. 
+
+## See also
+
+[What's new in Microsoft Defender for Endpoint on Mac](mac-whatsnew.md)
diff --git a/defender-endpoint/mac-whatsnew.md b/defender-endpoint/mac-whatsnew.md
@@ -37,11 +37,11 @@ For more information on Microsoft Defender for Endpoint on other operating syste
 
 **Known issues**
 
-> [!NOTE]
 - Apple fixed an issue on macOS [Ventura upgrade](https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes) and macOS [Sonoma upgrade](https://developer.apple.com/forums/thread/737824#773449022) with the latest OS update. The issue impacts Microsoft Defender for Endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting its ability to function properly.
+
 - In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices.  At this time, the recommended mitigation is to use a version of macOS earlier than 14.3.1.
 
-- In macOS Sequoia (version 15.0), if you have Network Protection enabled, you might see crashes of the network extension (NetExt). This will result in intermittent network connectivity issues for end users. We are recommending that customers who have Network Protection enabled in their organization refrain from upgrading to Sequoia builds at this time.
+- In macOS Sequoia (version 15.0), if you have Network Protection enabled, you might see crashes of the network extension (NetExt). This will result in intermittent network connectivity issues for end users. We are recommending that customers who have Network Protection enabled in their organization refrain from upgrading to Sequoia builds at this time. To work around the issue, see [Troubleshoot NetExt issues in Microsoft Defender for Endpoint on Mac](mac-troubleshoot-netext-mde.md).
 
 **Sequoia support**
 
