Deploy and manage Device Control using JAMF
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Business
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
The Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent read, write, or execute access to removable storage, and lets you manage iOS and portable devices and Bluetooth media, with or without exclusions.
Licensing requirements
Before you get started with Removable Storage Access Control, you must confirm your Microsoft 365 subscription. To access and use Removable Storage Access Control, you must have Microsoft 365 E3.
Important
This article contains information about third-party tools. This is provided to help complete integration scenarios, however, Microsoft does not provide troubleshooting support for third-party tools.
Contact the third-party vendor for support.
Deploy policy by using JAMF
Step 1: Create policy JSON
Now that you have your 'groups', 'rules', and 'settings', combine them into one JSON file. A demo file is available here: https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json. Make sure to validate your policy against the JSON schema so that your policy format is correct: https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json.
See Device Control for macOS for information about settings, rules and groups.
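The schema check above catches malformed JSON, but it does not tell you whether a rule points at a group that was never defined or carries no entries at all, which is the kind of mistake that silently leaves a deny policy ineffective. The following script is an added example, not Microsoft's tooling or part of the mdatp-devicecontrol repository: it cross-checks group ids against the rules' includeGroups/excludeGroups references and, when the `jsonschema` package is installed and a schema file is supplied, also runs the official schema validation. The key names ("settings", "groups", "rules", "id", "includeGroups", "excludeGroups", "entries") are assumptions modelled on the layout of the sample policy files; the embedded sample policy is constructed for illustration and is not a complete production policy.

```python
"""Pre-flight checks for a macOS Device Control policy JSON before it is
pasted into the JAMF configuration profile.

Added example, not Microsoft's code. Assumptions: the policy has top-level
"settings", "groups" and "rules"; groups and rules carry an "id"; rules
reference groups via "includeGroups"/"excludeGroups" and enforce via "entries".
The schema file device_control_policy_schema.json from the
microsoft/mdatp-devicecontrol repo remains the authoritative format check.
"""
import json
import sys
from collections import Counter
from typing import Optional

REQUIRED_TOP_LEVEL = ("settings", "groups", "rules")
GROUP_REF_FIELDS = ("includeGroups", "excludeGroups")


def check_policy(policy: dict, schema: Optional[dict] = None) -> list:
    """Return a list of problems found; an empty list means all checks passed."""
    issues = []

    for key in REQUIRED_TOP_LEVEL:
        if key not in policy:
            issues.append(f"missing top-level key: {key!r}")

    groups = policy.get("groups", [])
    rules = policy.get("rules", [])

    # Group ids must exist and be unique, because rules reference groups by id.
    group_ids = [g.get("id") for g in groups]
    if any(not gid for gid in group_ids):
        issues.append("one or more groups have no 'id'")
    for gid, count in Counter(g for g in group_ids if g).items():
        if count > 1:
            issues.append(f"duplicate group id: {gid!r}")
    known = {g for g in group_ids if g}

    seen_rules = set()
    for rule in rules:
        rid = rule.get("id")
        if not rid:
            issues.append("a rule has no 'id'")
            continue
        if rid in seen_rules:
            issues.append(f"duplicate rule id: {rid!r}")
        seen_rules.add(rid)
        # A dangling group reference means the rule never matches any device.
        for field in GROUP_REF_FIELDS:
            for gid in rule.get(field, []):
                if gid not in known:
                    issues.append(f"rule {rid!r}: {field} references unknown group {gid!r}")
        # A rule with no entries has nothing to enforce.
        if not rule.get("entries"):
            issues.append(f"rule {rid!r}: has no 'entries', so it enforces nothing")

    if schema is not None:
        try:
            import jsonschema  # optional dependency: pip install jsonschema
        except ImportError:
            issues.append("jsonschema package not installed; schema check skipped")
        else:
            validator = jsonschema.validators.validator_for(schema)(schema)
            for err in sorted(validator.iter_errors(policy), key=str):
                issues.append(f"schema: {err.message}")
    return issues


def check_policy_file(path: str, schema_path: Optional[str] = None) -> list:
    """Load a policy (and optionally the downloaded schema) from disk and check it."""
    with open(path, encoding="utf-8") as f:
        policy = json.load(f)
    schema = None
    if schema_path:
        with open(schema_path, encoding="utf-8") as f:
            schema = json.load(f)
    return check_policy(policy, schema)


# Constructed sample mirroring the "deny removable media except one vendor"
# scenario of the demo file; group queries and settings are omitted here.
SAMPLE_POLICY = {
    "settings": {},
    "groups": [
        {"id": "all-removable-media", "name": "All removable media"},
        {"id": "approved-vendor", "name": "Approved vendor devices"},
    ],
    "rules": [
        {
            "id": "deny-removable-except-approved",
            "name": "Deny removable media except approved vendor",
            "includeGroups": ["all-removable-media"],
            "excludeGroups": ["approved-vendor"],
            "entries": [
                {"$type": "removableMedia", "enforcement": {"$type": "deny"},
                 "access": ["read", "write", "execute"]}
            ],
        }
    ],
}

if __name__ == "__main__":
    # Usage: python check_policy.py policy.json [device_control_policy_schema.json]
    args = sys.argv[1:]
    found = check_policy_file(args[0], args[1] if len(args) > 1 else None) if args \
        else check_policy(SAMPLE_POLICY)
    print("\n".join(found) if found else "no issues found")
    sys.exit(1 if found else 0)
```

Run it against your own policy file, with the schema path as the second argument once you have downloaded the schema from the repository; a non-zero exit code makes it easy to gate a JAMF upload on the result.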
Step 2: Update MDE Preferences Schema
The MDE Preferences schema has been updated to include the new deviceControl/policy key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content.
Step 3: Add Device Control Policy to MDE Preferences
A new 'Device Control' property will now be available to add in the UX.
- Select the topmost Add/Remove properties button, then select Device Control and press Apply.
- Next, scroll down until you see the Device Control property (it will be the bottommost entry), and select Add/Remove properties directly underneath it.
- Select Device Control Policy, and then click Apply.
- To finish, copy and paste the Device Control policy JSON into the text box, and save your changes to the configuration profile.
See also
- Device Control for macOS
- Deploy and manage Device Control using Intune
- macOS Device Control frequently asked questions (FAQ)
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.