Deploy and manage Device Control using Intune

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The Device Control feature of Microsoft Defender for Endpoint lets you audit, allow, or block read, write, or execute access to removable storage, and lets you manage iOS and portable devices and Bluetooth media, with or without exclusions.

Licensing requirements

Before you get started with Removable Storage Access Control, confirm your Microsoft 365 subscription: using Removable Storage Access Control requires Microsoft 365 E3.

Deploy policy by using Intune

Step 1: Build mobileconfig file

Once you have defined your 'groups', 'rules' and 'settings', replace the corresponding values in the mobileconfig file and place them under the Device Control node. A demo file is available in the microsoft/mdatp-devicecontrol repository (main branch): mdatp-devicecontrol/demo.mobileconfig. Before deploying, validate your policy against the JSON schema in the same repository, mdatp-devicecontrol/device_control_policy_schema.json, to confirm that the policy format is correct.


See Device Control for macOS for information about settings, rules and groups.

Deploy the mobileconfig file using Intune

You can deploy the mobileconfig file through the Intune admin center, under Devices > macOS:

  • select 'Create profile'
  • select 'Templates' and 'Custom'

Screenshot: the Microsoft Endpoint Manager macOS Device Control / Configuration settings page.
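As an added example that is not part of this article or of the mdatp-devicecontrol project, the following Python script builds a constructed sample policy in the groups / rules / settings layout, cross-checks it in ways a JSON schema alone cannot (every group a rule references must exist, ids must be UUIDs, a group must carry at least one query clause, a rule must include at least one group, every entry must name an enforcement and an access list), and converts the policy to the XML plist form that a mobileconfig payload carries. The field names used here ($type, includeGroups, excludeGroups, enforcement, access, the settings keys) and the sample ids are assumptions chosen for illustration; check them against the project's schema and demo file, not against this script.

```python
import plistlib
import uuid

# Constructed sample policy. ASSUMPTION: the field names follow the
# groups / rules / settings layout of the mdatp-devicecontrol examples;
# verify them against device_control_policy_schema.json before deploying.
SAMPLE_POLICY = {
    "groups": [
        {
            "$type": "device",
            "id": "3f082cd3-f701-4c21-9a6a-ed115c28bb4c",
            "name": "All removable media",
            "query": {
                "$type": "all",
                "clauses": [
                    {"$type": "primaryId", "value": "removable_media_devices"}
                ],
            },
        }
    ],
    "rules": [
        {
            "id": "772cef80-229f-48b4-bd17-a69130092981",
            "name": "Block write and execute on removable media",
            "includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28bb4c"],
            "excludeGroups": [],
            "entries": [
                {
                    "$type": "removableMedia",
                    "id": "a7cee2f8-ce34-4b34-9cfe-4133f0acd9df",
                    "enforcement": {"$type": "deny"},
                    "access": ["write", "execute"],
                }
            ],
        }
    ],
    "settings": {
        "features": {"removableMedia": {"disable": False}},
        "global": {"defaultEnforcement": "allow"},
    },
}


def _is_uuid(value):
    """True if value parses as a UUID (the id format used throughout the policy)."""
    try:
        uuid.UUID(str(value))
        return True
    except (ValueError, TypeError):
        return False


def validate_policy(policy):
    """Referential-integrity checks on a policy dict. Returns a list of problems
    (an empty list means every check passed). This complements, and does not
    replace, validation against the project's JSON schema."""
    problems = []
    for key in ("groups", "rules", "settings"):
        if key not in policy:
            problems.append(f"missing top-level '{key}'")

    group_ids = set()
    for group in policy.get("groups", []):
        gid = group.get("id")
        if not _is_uuid(gid):
            problems.append(f"group {group.get('name')!r} has a non-UUID id {gid!r}")
        elif gid in group_ids:
            problems.append(f"duplicate group id {gid}")
        group_ids.add(gid)
        if not group.get("query", {}).get("clauses"):
            problems.append(f"group {gid} has no query clauses, so it matches nothing")

    rule_ids = set()
    for rule in policy.get("rules", []):
        rid = rule.get("id")
        if not _is_uuid(rid):
            problems.append(f"rule {rule.get('name')!r} has a non-UUID id {rid!r}")
        elif rid in rule_ids:
            problems.append(f"duplicate rule id {rid}")
        rule_ids.add(rid)
        if not rule.get("includeGroups"):
            problems.append(f"rule {rid} has no includeGroups, so it applies to no device")
        for ref in list(rule.get("includeGroups", [])) + list(rule.get("excludeGroups", [])):
            if ref not in group_ids:
                problems.append(f"rule {rid} references unknown group {ref}")
        for entry in rule.get("entries", []):
            if "enforcement" not in entry or not entry.get("access"):
                problems.append(f"rule {rid} has an entry without enforcement or access")
    return problems


def policy_to_plist(policy):
    """Serialize the policy as XML plist bytes, the representation that goes
    under the Device Control node of the mobileconfig payload."""
    return plistlib.dumps(policy, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    issues = validate_policy(SAMPLE_POLICY)
    print("problems:", issues or "none")
    print(policy_to_plist(SAMPLE_POLICY).decode())
```

Run the script before pasting the policy into the mobileconfig: an empty problem list means the cross-references are consistent, after which the JSON schema check from the repository still applies, since this script knows nothing about which values each field accepts.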

See also


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.