Deploy and manage Device Control using Intune
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Business
The Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent read, write, or execute access to removable storage, and to manage iOS and portable devices and Bluetooth media with or without exclusions.
Licensing requirements
Before you get started with Removable Storage Access Control, you must confirm your Microsoft 365 subscription. To access and use Removable Storage Access Control, you must have Microsoft 365 E3.
Deploy policy by using Intune
Step 1: Build mobileconfig file
Now that you have groups, rules, and settings, update the mobileconfig file with those values and put them under the Device Control node. Here's the demo file: mdatp-devicecontrol/demo.mobileconfig at main - microsoft/mdatp-devicecontrol (github.com). Make sure to validate your policy against the JSON schema and confirm that your policy format is correct: mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com).
Note
See Device Control for macOS for information about settings, rules and groups.
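A local pre-deployment check for the profile built in Step 1, as an added example that is not part of Microsoft's documentation or the mdatp-devicecontrol repository: it extracts the policy from a constructed sample mobileconfig and reports rules that reference groups the policy never defines. The key names it reads (deviceControl, policy, id, includeGroups, excludeGroups) are assumptions about the policy layout; the check complements validation against the published JSON schema and does not replace it.

```python
import json
import plistlib

# Constructed sample profile. The key names below (deviceControl, policy, id,
# includeGroups, excludeGroups) are assumptions about the layout; confirm them
# against the demo file and the JSON schema before relying on this check.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.microsoft.wdav</string>
    <key>deviceControl</key><dict><key>policy</key>
      <string>{"groups": [{"id": "g-usb", "name": "All USB"}],
        "rules": [{"id": "r-1", "name": "Audit USB writes",
                   "includeGroups": ["g-usb"],
                   "excludeGroups": ["g-approved"]}],
        "settings": {}}</string>
    </dict>
  </dict></array>
</dict></plist>"""


def find_policy(node):
    """Return the parsed policy JSON found anywhere in the plist tree."""
    if isinstance(node, dict):
        dc = node.get("deviceControl")
        if isinstance(dc, dict) and "policy" in dc:
            return json.loads(dc["policy"])  # ValueError on malformed JSON
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_policy(child)
            if found is not None:
                return found
    return None


def check_policy(mobileconfig_bytes):
    """Return a list of problems; an empty list means the checks passed."""
    policy = find_policy(plistlib.loads(mobileconfig_bytes))
    if policy is None:
        return ["no deviceControl policy found in profile"]
    problems = [f"missing top-level section: {key}"
                for key in ("groups", "rules", "settings") if key not in policy]
    group_ids = {group.get("id") for group in policy.get("groups", [])}
    for rule in policy.get("rules", []):
        for field in ("includeGroups", "excludeGroups"):
            for ref in rule.get(field, []):
                if ref not in group_ids:
                    problems.append(f"rule {rule.get('id')}: {field} "
                                    f"references unknown group {ref}")
    return problems
```

Run check_policy on the bytes of your own profile before uploading it; the constructed sample deliberately excludes a group, g-approved, that is never defined.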
Deploy the mobileconfig file using Intune
You can deploy the mobileconfig file through https://intune.microsoft.com/ > Devices > macOS:
- select 'Create profile'
- select 'Templates' and 'Custom'
See also
- Device Control for macOS
- Deploy and manage Device Control using jamf
- macOS Device Control frequently asked questions (FAQ)