Description: Allow and audit read-only access for any removable media
Device Type: Apple Removable Media
A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.
Name | Included devices | Excluded devices | Rule type | Read | Write | Execute | Notification |
---|---|---|---|---|---|---|---|
Allow and audit read only access to removable media devices | All Removable Media Devices | - | Allow | ✅ | - | - | None |
| | | Audit Allowed | 📄 | - | - | Send event |
| | | Deny | - | ❌ | ❌ | None |
| | | Audit Denied | - | 📄 | 📄 | Send event |
This is a group of type device. The match type for the group is all.
Operator | Property | Value |
---|---|---|
| primaryId | removable_media_devices |
```json
{
  "$type": "device",
  "id": "531278a2-a318-48d7-8e6a-0f0fd7589b07",
  "name": "All Removable Media Devices",
  "query": {
    "$type": "all",
    "clauses": [
      {
        "$type": "primaryId",
        "value": "removable_media_devices"
      }
    ]
  }
}
```
Setting Name | Setting Value | Description | Documentation |
---|---|---|---|
SecuredDevicesConfiguration | {'appleDevice': {'disable': True}, 'removableMedia': {'disable': False}, 'portableDevice': {'disable': True}, 'bluetoothDevice': {'disable': True}} | Defines which devices' primary IDs are secured by Defender Device Control. If this setting isn't configured, the default value applies and all supported devices are secured. | documentation |
DefaultEnforcement | Deny | The default enforcement for Device Control. It is applied when no policy rules are present, or when none of the rules matched at the end of rule evaluation. | documentation |
UXNavigationTarget | http://www.microsoft.com | Hyperlink shown in the user notification | documentation |
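The tables above describe the policy's intended outcome (read allowed and audited, write and execute denied and audited, everything else falling through to the default enforcement), but nothing on this page lets you check that outcome before deploying. The following script is an added example, not code from the mdatp samples repository: it loads an abbreviated copy of this page's policy and evaluates it offline for a given device and access type, so a reviewer can confirm the read-only result and see which device classes the `settings.features` block leaves unsecured. The mapping from `primaryId` to feature name, and the rule that a `deny` entry wins over an `allow` entry when both match, are assumptions of this example, not a specification of the product's evaluation engine.

```python
"""Evaluate a Defender for Endpoint (macOS) device control policy offline.

Added example, not code from the mdatp samples repository. The primaryId-to-
feature mapping and the deny-over-allow precedence are assumptions of this
example, not a specification of the product's evaluation engine.
"""
import json

# Constructed, abbreviated copy of the policy on this page (entry ids omitted).
POLICY_JSON = """
{
  "groups": [
    {"$type": "device", "id": "531278a2-a318-48d7-8e6a-0f0fd7589b07",
     "name": "All Removable Media Devices",
     "query": {"$type": "all", "clauses": [
       {"$type": "primaryId", "value": "removable_media_devices"}]}}
  ],
  "rules": [
    {"id": "5553fc5d-acec-467c-a23e-13023290e367",
     "name": "Allow and audit read only access to removable media devices",
     "includeGroups": ["531278a2-a318-48d7-8e6a-0f0fd7589b07"],
     "entries": [
       {"$type": "removableMedia", "enforcement": {"$type": "allow"},
        "access": ["read"]},
       {"$type": "removableMedia",
        "enforcement": {"$type": "auditAllow", "options": ["send_event"]},
        "access": ["read"]},
       {"$type": "removableMedia", "enforcement": {"$type": "deny"},
        "access": ["write", "execute"]},
       {"$type": "removableMedia",
        "enforcement": {"$type": "auditDeny",
                        "options": ["send_event", "send_notification"]},
        "access": ["write", "execute"]}
     ]}
  ],
  "settings": {
    "features": {"appleDevice": {"disable": true},
                 "removableMedia": {"disable": false},
                 "portableDevice": {"disable": true},
                 "bluetoothDevice": {"disable": true}},
    "global": {"defaultEnforcement": "deny"},
    "ux": {"navigationTarget": "http://www.microsoft.com"}
  }
}
"""
POLICY = json.loads(POLICY_JSON)

# Assumed mapping from a device's primaryId to the settings.features key that
# turns enforcement for that device class on or off.
PRIMARY_ID_TO_FEATURE = {
    "removable_media_devices": "removableMedia",
    "apple_devices": "appleDevice",
    "portable_devices": "portableDevice",
    "bluetooth_devices": "bluetoothDevice",
}


def group_matches(group, device):
    """A device is a dict of properties (e.g. primaryId). A query of type
    'all' needs every clause to match, 'any' needs at least one."""
    query = group["query"]
    hits = [device.get(c["$type"]) == c["value"] for c in query["clauses"]]
    return all(hits) if query["$type"] == "all" else any(hits)


def evaluate(policy, device, access):
    """Return (enforcement, audit_options) for one device and access type.

    enforcement is "allow", "deny" or "not_secured" (the feature for that
    device class is disabled in settings, so device control ignores it).
    """
    feature = PRIMARY_ID_TO_FEATURE.get(device.get("primaryId"))
    if feature and policy["settings"]["features"].get(feature, {}).get("disable"):
        return "not_secured", []

    groups = {g["id"]: g for g in policy["groups"]}
    verdicts, audit = [], {"allow": [], "deny": []}
    for rule in policy["rules"]:
        in_scope = any(group_matches(groups[g], device)
                       for g in rule.get("includeGroups", []))
        excluded = any(group_matches(groups[g], device)
                       for g in rule.get("excludeGroups", []))
        if not in_scope or excluded:
            continue
        for entry in rule["entries"]:
            if access not in entry["access"]:
                continue
            kind = entry["enforcement"]["$type"]
            if kind in ("allow", "deny"):
                verdicts.append(kind)
            elif kind == "auditAllow":  # options apply only when allowed
                audit["allow"] += entry["enforcement"].get("options", [])
            elif kind == "auditDeny":   # options apply only when denied
                audit["deny"] += entry["enforcement"].get("options", [])
    if not verdicts:  # no entry matched: settings.global.defaultEnforcement
        return policy["settings"]["global"]["defaultEnforcement"], []
    verdict = "deny" if "deny" in verdicts else "allow"  # assumed precedence
    return verdict, audit[verdict]


def access_matrix(policy, device):
    """Effective enforcement for read, write and execute on one device."""
    return {a: evaluate(policy, device, a) for a in ("read", "write", "execute")}


if __name__ == "__main__":
    usb = {"primaryId": "removable_media_devices"}
    for access, (verdict, options) in access_matrix(POLICY, usb).items():
        print(f"{access:8} -> {verdict:12} audit={options}")
```

Running it prints `read -> allow` with a `send_event` audit and `write`/`execute -> deny` with both audit options, which is the behaviour the rule table promises. A device of a class whose feature is disabled (for example a Bluetooth device under this settings block) returns `not_secured`, which is worth noticing when a policy is meant to be the only control on data leaving the machine.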
This policy is based on information in the following files:
Device control policy rules and groups can be deployed through the following management tools:
- Create the .mobileconfig file: copy the contents below into a file and save it.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
    <key>PayloadUUID</key>
    <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>Microsoft</string>
    <key>PayloadIdentifier</key>
    <string>com.microsoft.wdav</string>
    <key>PayloadDisplayName</key>
    <string>Microsoft Defender settings</string>
    <key>PayloadDescription</key>
    <string>Microsoft Defender configuration settings</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadUUID</key>
            <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
            <key>PayloadType</key>
            <string>com.microsoft.wdav</string>
            <key>PayloadOrganization</key>
            <string>Microsoft</string>
            <key>PayloadIdentifier</key>
            <string>com.microsoft.wdav</string>
            <key>PayloadDisplayName</key>
            <string>Microsoft Defender configuration settings</string>
            <key>PayloadDescription</key>
            <string/>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadEnabled</key>
            <true/>
            <key>dlp</key>
            <dict>
                <key>features</key>
                <array>
                    <dict>
                        <key>name</key>
                        <string>DC_in_dlp</string>
                        <key>state</key>
                        <string>enabled</string>
                    </dict>
                </array>
            </dict>
            <key>deviceControl</key>
            <dict>
                <key>policy</key>
                <string>
{
  "groups": [
    {
      "$type": "device",
      "id": "531278a2-a318-48d7-8e6a-0f0fd7589b07",
      "name": "All Removable Media Devices",
      "query": {
        "$type": "all",
        "clauses": [
          {
            "$type": "primaryId",
            "value": "removable_media_devices"
          }
        ]
      }
    }
  ],
  "rules": [
    {
      "id": "5553fc5d-acec-467c-a23e-13023290e367",
      "name": "Allow and audit read only access to removable media devices",
      "includeGroups": [
        "531278a2-a318-48d7-8e6a-0f0fd7589b07"
      ],
      "entries": [
        {
          "$type": "removableMedia",
          "id": "54210657-995e-42be-a8a4-419c7afc7172",
          "enforcement": {
            "$type": "allow"
          },
          "access": [
            "read"
          ]
        },
        {
          "$type": "removableMedia",
          "id": "94d0e385-14f1-4856-bdfd-929c4362f879",
          "enforcement": {
            "$type": "auditAllow",
            "options": [
              "send_event"
            ]
          },
          "access": [
            "read"
          ]
        },
        {
          "$type": "removableMedia",
          "id": "3685c0ff-6056-4216-a077-0dff53907a3f",
          "enforcement": {
            "$type": "deny"
          },
          "access": [
            "write",
            "execute"
          ]
        },
        {
          "$type": "removableMedia",
          "id": "e7232712-af9a-4b07-ab64-b9e0dc7f7b7b",
          "enforcement": {
            "$type": "auditDeny",
            "options": [
              "send_event",
              "send_notification"
            ]
          },
          "access": [
            "write",
            "execute"
          ]
        }
      ]
    }
  ],
  "settings": {
    "features": {
      "appleDevice": {
        "disable": true
      },
      "removableMedia": {
        "disable": false
      },
      "portableDevice": {
        "disable": true
      },
      "bluetoothDevice": {
        "disable": true
      }
    },
    "global": {
      "defaultEnforcement": "deny"
    },
    "ux": {
      "navigationTarget": "http://www.microsoft.com"
    }
  }
}
                </string>
            </dict>
        </dict>
    </array>
</dict>
</plist>
```
- Deploy the .mobileconfig file using Intune:
  - Navigate to https://endpoint.microsoft.com/ > Devices > macOS > Configuration profiles
  - Click Create > New Policy
  - Select profile type Templates
  - Select Custom profile
  - Enter the name of the policy, optionally a description, and then click Next
  - Select the device deployment channel
  - Choose the .mobileconfig file that you created
  - Click Next
  - Scope, assign and deploy the policy.
- Create the .json file: save the JSON below to a file.
```json
{
  "groups": [
    {
      "$type": "device",
      "id": "531278a2-a318-48d7-8e6a-0f0fd7589b07",
      "name": "All Removable Media Devices",
      "query": {
        "$type": "all",
        "clauses": [
          {
            "$type": "primaryId",
            "value": "removable_media_devices"
          }
        ]
      }
    }
  ],
  "rules": [
    {
      "id": "5553fc5d-acec-467c-a23e-13023290e367",
      "name": "Allow and audit read only access to removable media devices",
      "includeGroups": [
        "531278a2-a318-48d7-8e6a-0f0fd7589b07"
      ],
      "entries": [
        {
          "$type": "removableMedia",
          "id": "54210657-995e-42be-a8a4-419c7afc7172",
          "enforcement": {
            "$type": "allow"
          },
          "access": [
            "read"
          ]
        },
        {
          "$type": "removableMedia",
          "id": "94d0e385-14f1-4856-bdfd-929c4362f879",
          "enforcement": {
            "$type": "auditAllow",
            "options": [
              "send_event"
            ]
          },
          "access": [
            "read"
          ]
        },
        {
          "$type": "removableMedia",
          "id": "3685c0ff-6056-4216-a077-0dff53907a3f",
          "enforcement": {
            "$type": "deny"
          },
          "access": [
            "write",
            "execute"
          ]
        },
        {
          "$type": "removableMedia",
          "id": "e7232712-af9a-4b07-ab64-b9e0dc7f7b7b",
          "enforcement": {
            "$type": "auditDeny",
            "options": [
              "send_event",
              "send_notification"
            ]
          },
          "access": [
            "write",
            "execute"
          ]
        }
      ]
    }
  ],
  "settings": {
    "features": {
      "appleDevice": {
        "disable": true
      },
      "removableMedia": {
        "disable": false
      },
      "portableDevice": {
        "disable": true
      },
      "bluetoothDevice": {
        "disable": true
      }
    },
    "global": {
      "defaultEnforcement": "deny"
    },
    "ux": {
      "navigationTarget": "http://www.microsoft.com"
    }
  }
}
```
- Use `mdatp config device-control policy set --path <full-path-to-policy.json>` to apply the policy.
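The two deployment paths above carry the same policy in two wrappers: the bare JSON file applied with `mdatp`, and the same JSON embedded as a string inside the `com.microsoft.wdav` payload of a `.mobileconfig` profile for Intune. Keeping the JSON as the single source and generating the profile from it avoids the usual failure mode of hand-editing the XML (a stray quote in the embedded string, or a profile re-used with the same PayloadUUID). The script below is an added example, not code from the mdatp samples repository: `build_mobileconfig()` wraps a policy dict in the exact payload layout shown on this page, and `extract_policy()` parses a profile back and validates the embedded JSON so a profile can be checked before upload. `SAMPLE_POLICY` is a constructed minimal policy used only to exercise the round trip.

```python
"""Wrap a device control policy in the .mobileconfig layout used on this page.

Added example, not part of the mdatp samples repository. Only the Python
standard library is used; the payload keys are the ones in the profile above.
"""
import json
import plistlib
import uuid

# Constructed minimal policy used only to exercise the round trip; a real
# deployment would json.load() the full policy.json from this page instead.
SAMPLE_POLICY = {
    "groups": [],
    "rules": [],
    "settings": {"global": {"defaultEnforcement": "deny"}},
}

# A profile with no payloads at all, used to show the validation failing.
EMPTY_PROFILE = plistlib.dumps({"PayloadContent": []})


def build_mobileconfig(policy, profile_uuid=None, payload_uuid=None):
    """Return the .mobileconfig bytes (XML plist) for `policy`.

    Fresh UUIDs are generated unless supplied, so two builds never share
    PayloadUUID values; MDM uses them to identify profiles and payloads.
    """
    profile_uuid = profile_uuid or str(uuid.uuid4()).upper()
    payload_uuid = payload_uuid or str(uuid.uuid4()).upper()
    payload = {
        "PayloadUUID": payload_uuid,
        "PayloadType": "com.microsoft.wdav",
        "PayloadOrganization": "Microsoft",
        "PayloadIdentifier": "com.microsoft.wdav",
        "PayloadDisplayName": "Microsoft Defender configuration settings",
        "PayloadDescription": "",
        "PayloadVersion": 1,
        "PayloadEnabled": True,
        # Device control runs inside the DLP feature set, as in the profile above.
        "dlp": {"features": [{"name": "DC_in_dlp", "state": "enabled"}]},
        # The policy travels as a JSON string, not as nested plist keys.
        "deviceControl": {"policy": json.dumps(policy, indent=2)},
    }
    profile = {
        "PayloadUUID": profile_uuid,
        "PayloadType": "Configuration",
        "PayloadOrganization": "Microsoft",
        "PayloadIdentifier": "com.microsoft.wdav",
        "PayloadDisplayName": "Microsoft Defender settings",
        "PayloadDescription": "Microsoft Defender configuration settings",
        "PayloadVersion": 1,
        "PayloadEnabled": True,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def extract_policy(mobileconfig):
    """Parse a profile and return the embedded device control policy as a dict.

    Raises ValueError if no wdav payload is present, the payload carries no
    deviceControl.policy string, or that string is not valid JSON.
    """
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.microsoft.wdav":
            text = payload.get("deviceControl", {}).get("policy")
            if text is None:
                raise ValueError("wdav payload has no deviceControl.policy")
            try:
                return json.loads(text)
            except json.JSONDecodeError as exc:
                raise ValueError(f"embedded policy is not valid JSON: {exc}") from exc
    raise ValueError("no com.microsoft.wdav payload in profile")


def is_valid_profile(mobileconfig):
    """True if the profile parses and carries a well-formed embedded policy."""
    try:
        extract_policy(mobileconfig)
        return True
    except (ValueError, plistlib.InvalidFileException):
        return False


if __name__ == "__main__":
    blob = build_mobileconfig(SAMPLE_POLICY)
    assert extract_policy(blob) == SAMPLE_POLICY
    print(blob.decode())
```

To produce a deployable profile, replace `SAMPLE_POLICY` with `json.load(open("policy.json"))` and write the returned bytes to a `.mobileconfig` file; running `is_valid_profile()` on an existing profile is a quick pre-upload check that the embedded JSON still parses after any manual edit.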
Instructions on how to deploy the policy with JAMF can be found here