Description: Audit all access to Apple and Portable devices
Device Type: Apple Generic Device
A device control policy is a combination of policy rules, groups and settings. This sample is based on the sample files. It audits, but does not block, read, write and execute access to Apple devices and portable devices: every such access is allowed and an event is sent.
To configure the sample, follow the deployment instructions.
| Name | Included devices | Excluded devices | Rule type | Read | Write | Execute | Notification |
|---|---|---|---|---|---|---|---|
| Audit All Mobile Devices | All Mobile Devices | (none) | Audit Allowed | 📄 | 📄 | 📄 | Send event |

📄 marks an access type that is audited rather than blocked: the access is allowed and an event is sent.
This is a group of type device. The match type for the group is or, so a device belongs to the group when any one of the clauses matches.

| Operator | Property | Value |
|---|---|---|
| | primaryId | portable_devices |
| or | primaryId | apple_devices |
The same group as JSON:
{
"$type": "device",
"id": "3778B4FD-A98B-4374-9EFE-859B98446E7D",
"name": "All Mobile Devices",
"query": {
"$type": "or",
"clauses": [
{
"$type": "primaryId",
"value": "portable_devices"
},
{
"$type": "primaryId",
"value": "apple_devices"
}
]
}
}
| Setting name | Setting value | Description |
|---|---|---|
| SecuredDevicesConfiguration | `{"appleDevice": {"disable": false}, "removableMedia": {"disable": false}, "portableDevice": {"disable": false}, "bluetoothDevice": {"disable": true}}` | Defines which device classes (primary IDs) are secured by Defender Device Control. If this setting is not present, the default applies and all supported device classes are secured. In this sample Bluetooth devices are switched off: they are neither audited nor blocked, whatever the rules say. |
| DefaultEnforcement | Allow | The enforcement applied when there are no policy rules, or when no rule matched at the end of rule evaluation. With Allow, a device outside the group (for example removable media) is allowed without an audit event. |
| UXNavigationTarget | http://www.microsoft.com | Hyperlink shown in the end-user notification. Use an https:// URL for anything beyond a sample. |
This policy is based on information in the following files:
Device control policy rules and groups can be deployed through the following management tools: Intune (as a custom .mobileconfig profile), JAMF, or the mdatp command line (as a .json file).
- Create the .mobileconfig file
  Copy the contents below into a file, and save it.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>dlp</key>
<dict>
<key>features</key>
<array>
<dict>
<key>name</key>
<string>DC_in_dlp</string>
<key>state</key>
<string>enabled</string>
</dict>
</array>
</dict>
<key>deviceControl</key>
<dict>
<key>policy</key>
<string>
{
"groups": [
{
"$type": "device",
"id": "3778B4FD-A98B-4374-9EFE-859B98446E7D",
"name": "All Mobile Devices",
"query": {
"$type": "or",
"clauses": [
{
"$type": "primaryId",
"value": "portable_devices"
},
{
"$type": "primaryId",
"value": "apple_devices"
}
]
}
}
],
"rules": [
{
"id": "2275E5E3-44D4-429E-A8BF-F73B390CBF46",
"name": "Audit All Mobile Devices",
"includeGroups": [
"3778B4FD-A98B-4374-9EFE-859B98446E7D"
],
"entries": [
{
"$type": "generic",
"id": "0B77527F-ED25-4136-93CC-F604E847DAC4",
"enforcement": {
"$type": "auditAllow",
"options": [
"send_event"
]
},
"access": [
"generic_read",
"generic_write",
"generic_execute"
]
}
]
}
],
"settings": {
"features": {
"appleDevice": {
"disable": false
},
"removableMedia": {
"disable": false
},
"portableDevice": {
"disable": false
},
"bluetoothDevice": {
"disable": true
}
},
"global": {
"defaultEnforcement": "allow"
},
"ux": {
"navigationTarget": "http://www.microsoft.com"
}
}
}
</string>
</dict>
</dict>
</array>
</dict>
</plist>
- Deploy the .mobileconfig file using Intune
  - Navigate to https://endpoint.microsoft.com/ > Devices > macOS > Configuration profiles
  - Click + Create > New Policy
  - Select Profile type Templates
  - Select Custom profile
  - Enter the name of the policy, optionally a description, and then click Next
  - Select the device deployment channel
  - Choose the .mobileconfig that you created
  - Click Next
  - Scope, assign and deploy the policy.
- Create the .json file
  Copy the contents below into a file, and save it.
{
"groups": [
{
"$type": "device",
"id": "3778B4FD-A98B-4374-9EFE-859B98446E7D",
"name": "All Mobile Devices",
"query": {
"$type": "or",
"clauses": [
{
"$type": "primaryId",
"value": "portable_devices"
},
{
"$type": "primaryId",
"value": "apple_devices"
}
]
}
}
],
"rules": [
{
"id": "2275E5E3-44D4-429E-A8BF-F73B390CBF46",
"name": "Audit All Mobile Devices",
"includeGroups": [
"3778B4FD-A98B-4374-9EFE-859B98446E7D"
],
"entries": [
{
"$type": "generic",
"id": "0B77527F-ED25-4136-93CC-F604E847DAC4",
"enforcement": {
"$type": "auditAllow",
"options": [
"send_event"
]
},
"access": [
"generic_read",
"generic_write",
"generic_execute"
]
}
]
}
],
"settings": {
"features": {
"appleDevice": {
"disable": false
},
"removableMedia": {
"disable": false
},
"portableDevice": {
"disable": false
},
"bluetoothDevice": {
"disable": true
}
},
"global": {
"defaultEnforcement": "allow"
},
"ux": {
"navigationTarget": "http://www.microsoft.com"
}
}
}
- Use `mdatp config device-control policy set --path <full-path-to-policy.json>` to apply the policy. The command changes the agent configuration, so run it as root (sudo).
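Before pushing the policy to devices it helps to check offline what it will actually do for a given device class and access type, because the agent accepts a policy that references a missing group or targets a disabled device class without complaint. The following evaluator and linter is an added example written for this page; it is not code from the Microsoft sample or from the mdatp client. `POLICY` is the page's own JSON. Everything else is an assumption: the list of primaryId values and the settings.features switch that secures each, the precedence order (a `deny` entry wins, then an `allow` entry, otherwise `defaultEnforcement`; `auditAllow` entries only add the event), and the device descriptors, which are constructed dicts carrying just a primaryId.

```python
"""Offline evaluator and linter for a Defender for Endpoint (macOS) device-control policy.

Added example for this page, not Microsoft's implementation: POLICY is the page's own
JSON; the evaluator, the device descriptors and the precedence rules are assumptions.
"""
import copy
import json

POLICY = json.loads("""
{"groups": [{"$type": "device", "id": "3778B4FD-A98B-4374-9EFE-859B98446E7D", "name": "All Mobile Devices",
             "query": {"$type": "or", "clauses": [{"$type": "primaryId", "value": "portable_devices"},
                                                  {"$type": "primaryId", "value": "apple_devices"}]}}],
 "rules": [{"id": "2275E5E3-44D4-429E-A8BF-F73B390CBF46", "name": "Audit All Mobile Devices",
            "includeGroups": ["3778B4FD-A98B-4374-9EFE-859B98446E7D"],
            "entries": [{"$type": "generic", "id": "0B77527F-ED25-4136-93CC-F604E847DAC4",
                         "enforcement": {"$type": "auditAllow", "options": ["send_event"]},
                         "access": ["generic_read", "generic_write", "generic_execute"]}]}],
 "settings": {"features": {"appleDevice": {"disable": false}, "removableMedia": {"disable": false},
                           "portableDevice": {"disable": false}, "bluetoothDevice": {"disable": true}},
              "global": {"defaultEnforcement": "allow"},
              "ux": {"navigationTarget": "http://www.microsoft.com"}}}
""")

# Assumption: the primaryId values and the settings.features switch that secures each class.
FEATURE_FOR_PRIMARY_ID = {"apple_devices": "appleDevice", "removable_media_devices": "removableMedia",
                          "portable_devices": "portableDevice", "bluetooth_devices": "bluetoothDevice"}


def matches(query, device):
    """Evaluate a group query against a device descriptor (a dict of device properties)."""
    kind = query["$type"]
    if kind == "or":
        return any(matches(c, device) for c in query["clauses"])
    if kind == "and":
        return all(matches(c, device) for c in query["clauses"])
    return device.get(kind) == query["value"]  # leaf clause: "$type" names the property compared


def feature_disabled(policy, device):
    """True when the device class is switched off in settings.features, i.e. not secured at all."""
    feature = FEATURE_FOR_PRIMARY_ID.get(device.get("primaryId"))
    return bool(feature and policy["settings"]["features"].get(feature, {}).get("disable"))


def decide(policy, device, access):
    """Effective outcome for one access type: {'decision', 'audited', 'reason'}.

    Assumptions: a rule applies when any includeGroups group matches and no excludeGroups group
    does; a deny entry wins, then an allow entry, otherwise defaultEnforcement; audit entries
    only add the event; with no applicable entry no event is sent.
    """
    if feature_disabled(policy, device):
        return {"decision": "allow", "audited": False, "reason": "device class not secured"}
    queries = {g["id"]: g["query"] for g in policy["groups"]}
    hits = []
    for rule in policy["rules"]:
        if not any(matches(queries[g], device) for g in rule.get("includeGroups", [])):
            continue
        if any(matches(queries[g], device) for g in rule.get("excludeGroups", [])):
            continue
        hits += [(rule["name"], e) for e in rule["entries"] if access in e["access"]]
    default = policy["settings"]["global"]["defaultEnforcement"]
    if not hits:
        return {"decision": default, "audited": False, "reason": "defaultEnforcement"}
    kinds = {e["enforcement"]["$type"] for _, e in hits}
    decision = "deny" if "deny" in kinds else "allow" if "allow" in kinds else default
    audited = any("send_event" in e["enforcement"].get("options", []) for _, e in hits)
    return {"decision": decision, "audited": audited, "reason": ", ".join(sorted({n for n, _ in hits}))}


def primary_ids(query):
    """All primaryId values a query can match."""
    if query["$type"] == "primaryId":
        return [query["value"]]
    return [p for c in query.get("clauses", []) for p in primary_ids(c)]


def lint(policy):
    """Report mistakes the agent accepts silently: dangling group IDs, groups that never match, audit-only policies."""
    problems = []
    known = {g["id"] for g in policy["groups"]}
    for rule in policy["rules"]:
        for key in ("includeGroups", "excludeGroups"):
            for gid in rule.get(key, []):
                if gid not in known:
                    problems.append(f"rule {rule['name']!r}: {key} references unknown group {gid}")
    for group in policy["groups"]:
        for pid in primary_ids(group["query"]):
            if feature_disabled(policy, {"primaryId": pid}):
                problems.append(f"group {group['name']!r} targets {pid}, whose feature is disabled")
    kinds = {e["enforcement"]["$type"] for r in policy["rules"] for e in r["entries"]}
    if "deny" not in kinds and policy["settings"]["global"]["defaultEnforcement"] == "allow":
        problems.append("audit-only: no deny entry and defaultEnforcement is allow, nothing is blocked")
    return problems


def deny_write(policy):
    """Hardened variant: keep the audit entry, add a deny entry for writes to the same group (assumed entry ID)."""
    hardened = copy.deepcopy(policy)
    hardened["rules"][0]["entries"].append({"$type": "generic", "id": "00000000-0000-4000-8000-000000000001",
                                            "enforcement": {"$type": "deny", "options": ["send_event"]},
                                            "access": ["generic_write"]})
    return hardened


if __name__ == "__main__":
    iphone = {"primaryId": "apple_devices"}  # constructed device descriptor
    print(decide(POLICY, iphone, "generic_write"), lint(POLICY))
    print(decide(deny_write(POLICY), iphone, "generic_write"), lint(deny_write(POLICY)))
```

Run with `python3 policy_check.py` (assumed file name). For the page's policy the linter reports exactly one finding, that the policy is audit-only; an Apple device write is allowed and audited, a Bluetooth device is not evaluated at all because its feature is disabled, and removable media falls through to the default. The `deny_write` variant shows the smallest change that turns the sample into a blocking policy: writes to the group are denied while reads stay audited.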
Instructions on how to deploy the policy with JAMF can be found here