Description: This is a policy.
Device Type: None
A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.
| Name | Devices | Rule Type | Access | Notification | Conditions | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Included | Excluded | Disk Read | Disk Write | Disk Execute | File Read | File Write | File Execute | ||||
| Setting Name | Setting Value | Description | Documentation |
|---|---|---|---|
| DefaultEnforcement | Deny | Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. | documentation |
| DeviceControlEnabled | True | Enables/disables device control | documentation |
This policy is based on information in the following files:
Device control policy rules and groups can be deployed through the following management tools:
Create a Device Control Rules configuration profile
- Navigate to Home > Endpoint Security > Attack Surface Reduction
- Click on "Create Policy"
- Under Platform, select "Windows 10 and later"
- Under Profile, select "Device Control Rules"
- Click "Create"
- Under Name, enter **
- Optionally, enter a description
- Click "Next"
Define device control policy groups
- Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
- Save the XML below to a network share.
<Groups>
</Groups>- In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.
Define device control policy rules
- Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
- Save the XML below to a network share.
<PolicyRules>
</PolicyRules>- In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.
Create custom intune configuration
- Navigate to Devices > Configuration profiles
- Click Create (New Policy)
- Select Platform "Windows 10 and Later"
- Select Profile "Templates"
- Select Template Name "Custom"
- Click "Create"
- Under Name, enter **
- Optionally, enter a description
- Click "Next"
Add a row for DefaultEnforcement
-
Click "Add"
-
For Name, enter DefaultEnforcement
-
For Description, enter **
-
For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement
-
For Data type, select Integer
-
For Value, enter 2
-
Click "Save"
Add a row for DeviceControlEnabled
-
Click "Add"
-
For Name, enter DeviceControlEnabled
-
For Description, enter **
-
For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled
-
For Data type, select Integer
-
For Value, enter 1
-
Click "Save"
- Create the .mobileconfig file
Copy the contents below into a file, and save it.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>dlp</key>
<dict>
<key>features</key>
<array>
<dict>
<key>name</key>
<string>DC_in_dlp</string>
<key>state</key>
<string>enabled</string>
</dict>
</array>
</dict>
<key>deviceControl</key>
<dict>
<key>policy</key>
<string>
{
"groups": [],
"rules": [],
"settings": {
"global": {
"defaultEnforcement": "deny"
}
}
}
</string>
</dict>
</dict>
</array>
</dict>
</plist>-
Deploy the .mobileconfig file using Intune
- Navigate to https://endpoint.microsoft.com/ > Devices > macOS > ** Configuration profiles
- Click on create + New Policy
- Select Profile type Templates
- Select Custom profile
- Enter the name of the policy, optionally a description, and then click Next
- Select the device deployment channel
- Choose the .mobileconfig that you created
- Click "Next"
- Scope, assign and deploy the policy.
- Create the .json file
Save the .json to a file
{
"groups": [],
"rules": [],
"settings": {
"global": {
"defaultEnforcement": "deny"
}
}
}- Use
mdatp config device-control policy set --path <full-path-to-policy.json>to apply the policy.
Instructions on how to deploy the policy with JAMF can be found here
Learn more