If you manage Microsoft Defender for Endpoint (MDE) on macOS devices, you know how critical it is to verify that security features are actually working as intended. Today, I'm sharing a new toolkit I've developed to help IT admins and security professionals validate MDE configurations on macOS.
What is macOS Defender Check?
macOS Defender Check is a comprehensive bash/shell script testing suite for Microsoft Defender for Endpoint on macOS.
Why I Built This
While managing MDE deployments across macOS fleets, I found myself repeatedly running manual tests to verify:
- Is Tamper Protection actually preventing unauthorized changes?
- Are web protection features blocking malicious URLs?
- Is SmartScreen working correctly across different browsers?
- Are my custom URL Indicators being enforced?
Instead of running these checks manually, I wanted an automated, comprehensive testing toolkit that works natively on macOS without requiring PowerShell or additional dependencies.
What It Tests
The toolkit includes two main scripts:
1. Tamper Protection Testing (defendercheck-tp.sh)
- MDE installation and health verification
- Real-Time Protection status
- Tamper Protection configuration
- Actual tampering prevention tests
- System Extension approval status
- MDM profile deployment
2. Web Protection Testing (defendercheck-wp.sh)
- Microsoft Defender SmartScreen
- Network Protection
- Custom URL Indicators (CSV import)
- Web Content Filtering (WCF)
- Multi-browser testing (Chrome, Edge, Safari)
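The health, Real-Time Protection and Tamper Protection checks in the first list can be scripted from the output of `mdatp health`. The script below is an added example, not code from the macOS Defender Check toolkit: the `mdatp health` command and its field names are the real agent CLI, while the pass/fail rules and the two helper functions are my own. It evaluates the "key : value" lines the agent prints, reports one PASS or FAIL line per checked field, and returns the number of failures, so it can be reused by other tooling; on a host without the agent it only prints a note.

```shell
#!/bin/bash
# Added example, not part of the macOS Defender Check toolkit: evaluate the
# "key : value" lines printed by `mdatp health` against the states a
# pre-deployment check expects. The field names are mdatp's own; the
# pass/fail rules and the helper functions below are my assumptions.

# evaluate_field FIELD VALUE
# Returns 0 when the field is in its expected state, 1 when it is not, and
# 2 when the field is not one we check. Quotes are stripped because mdatp
# prints string values such as "block" in double quotes.
evaluate_field() {
    norm=$(printf '%s' "$2" | tr -d '"' | tr '[:upper:]' '[:lower:]')
    case "$1" in
        healthy|real_time_protection_enabled|licensed)
            [ "$norm" = "true" ] ;;
        tamper_protection)
            # "disabled" and "audit" do not stop tampering; only "block" passes
            [ "$norm" = "block" ] ;;
        *)
            return 2 ;;
    esac
}

# summarize_health < mdatp-health-output
# Prints one PASS/FAIL line per checked field and returns the failure count.
# Lines without a colon, and fields outside the checklist, are ignored.
summarize_health() {
    failures=0
    while IFS= read -r line; do
        case "$line" in *:*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%:*}" | tr -d ' ')
        value=$(printf '%s' "${line#*:}" | sed 's/^ *//; s/ *$//')
        evaluate_field "$key" "$value" && rc=0 || rc=$?
        case "$rc" in
            0) printf 'PASS %s = %s\n' "$key" "$value" ;;
            1) printf 'FAIL %s = %s\n' "$key" "$value"; failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}

# Run against the real agent when it is present; otherwise say so and stop,
# so the helpers above can still be reused on any host.
if command -v mdatp >/dev/null 2>&1; then
    if mdatp health | summarize_health; then
        echo "all checked fields are in the expected state"
    else
        echo "$? field(s) are not in the expected state" >&2
    fi
else
    echo "mdatp not found: Defender for Endpoint is not installed on this host" >&2
fi
```

The exit status is the failure count, so a configuration-management run can treat any non-zero result as "this device is not ready". Tamper Protection only passes in `block` mode: `audit` logs tampering attempts without stopping them, which is the state a tampering test would also expose.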
Quick Start
Download the files from my GitHub.
# Download and make executable
chmod +x defendercheck-tp.sh defendercheck-wp.sh
# Test Tamper Protection
sudo ./defendercheck-tp.sh
# Test Web Protection (all browsers)
sudo ./defendercheck-wp.sh
# Test specific browser only
sudo ./defendercheck-wp.sh -b edge
# Test with custom URL Indicators
sudo ./defendercheck-wp.sh -f your_urls.csv
# Test Web Content Filtering
sudo ./defendercheck-wp.sh -c AdultContent
Real-World Use Cases
Pre-Deployment Validation
Before rolling out MDE to your entire fleet, use these scripts to validate that all security features work correctly on your test devices.
Post-Deployment Verification
After deploying MDE, run the tests to confirm that Tamper Protection, Network Protection, and other features are properly enabled.
Compliance Auditing
Generate test reports to demonstrate that security controls are functioning as required by your security policies or compliance frameworks.
Troubleshooting
When users report that legitimate sites are being blocked (or malicious sites aren't being blocked), use the URL Indicators test to validate your allow/block lists.
Example: Testing URL Indicators
One of the most useful features is testing custom URL Indicators. Create a CSV file with your blocked/allowed URLs:
IndicatorValue
https://demo.smartscreen.msft.net/phishingdemo.html
https://github.com
https://malicious-site.example.com
https://microsoft.com
Then run:
sudo ./defendercheck-wp.sh -f urls.csv
The script will test each URL and generate a detailed CSV report showing which URLs were blocked or allowed, with timestamps and connection details.
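To show what the URL Indicators test (the CSV import listed under Web Protection Testing and the example above) involves end to end, here is an added example that is not the toolkit's own code. It reads the IndicatorValue CSV, probes each URL with curl, and appends a report row with a timestamp, a verdict and the connection details. Two assumptions are mine: the first column is IndicatorValue (a multi-column export is reduced to that column), and a block by Network Protection shows up to the client as a connection-level curl failure, which a dead host also produces, so "blocked" rows should be confirmed in the Defender portal.

```shell
#!/bin/bash
# Added example, not the toolkit's own code: read URL Indicators from a CSV,
# probe each one with curl, and append a CSV report row with a timestamp,
# the verdict and the connection details. Assumptions: the first column is
# IndicatorValue (extra columns are ignored), and a Network Protection block
# shows up to curl as a connection-level failure.

# read_indicators < urls.csv
# Prints one URL per line: header, blank and comment rows are skipped, the
# first CSV column is used, CR and surrounding whitespace are removed.
read_indicators() {
    while IFS= read -r line || [ -n "$line" ]; do
        field=$(printf '%s' "${line%%,*}" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$field" in
            ''|'#'*|IndicatorValue) continue ;;
            http://*|https://*) printf '%s\n' "$field" ;;
            *) printf 'skipping row without a URL: %s\n' "$field" >&2 ;;
        esac
    done
}

# classify_exit CURL_EXIT_STATUS
# 0 means the request completed, so nothing stopped it. Resolution,
# connection, TLS and receive failures (6, 7, 28, 35, 52, 56) are what a
# block looks like from the client, but a dead host looks the same, so
# confirm "blocked" rows against the Defender portal before trusting them.
classify_exit() {
    case "$1" in
        0) echo allowed ;;
        6|7|28|35|52|56) echo blocked ;;
        *) echo error ;;
    esac
}

# report_row URL CURL_EXIT HTTP_CODE [TIMESTAMP]
# Formats one CSV line; the timestamp defaults to now in UTC.
report_row() {
    ts=${4:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    printf '%s,%s,%s,%s,%s\n' "$ts" "$1" "$(classify_exit "$2")" "$2" "${3:-000}"
}

# probe_url URL
# One GET with a 10 s cap, body discarded; only the HTTP code and the curl
# exit status are kept for the report.
probe_url() {
    code=$(curl -sS -o /dev/null -m 10 -w '%{http_code}' "$1" 2>/dev/null) && rc=0 || rc=$?
    report_row "$1" "$rc" "$code"
}

# Usage: ./urltest.sh urls.csv [report.csv]
if [ "$#" -ge 1 ]; then
    report=${2:-url_indicator_report.csv}
    echo 'timestamp,url,verdict,curl_exit,http_code' > "$report"
    read_indicators < "$1" | while IFS= read -r url; do probe_url "$url"; done | tee -a "$report"
fi
```

Run it from a test device with the CSV from the example above; each row is printed as it is produced and also appended to the report file. Note that curl probes the URL outside any browser, so it exercises Network Protection rather than SmartScreen; browser-level blocks still need the browser tests.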
Browser Support & Private Mode
A unique feature is automatic private/incognito mode for testing:
- Chrome: Automatic incognito mode (--incognito)
- Edge: Automatic InPrivate mode (--inprivate)
- Safari: Opens in regular mode (private mode must be enabled manually)
This ensures test URLs don't pollute browser history and provides a clean testing environment.
What Makes It Different?
Compared to manual testing:
- Automated and repeatable
- Tests multiple browsers simultaneously
- Generates detailed logs and CSV reports
- Saves hours of manual validation work
Conclusion
Whether you're deploying MDE to a handful of Macs or managing thousands of macOS devices, having a reliable testing toolkit is essential. macOS Defender Check gives you the confidence that your security configurations are working as intended.
Give it a try and let me know what you think!