Deploy and manage Device Control using JAMF


The Microsoft Defender for Endpoint Device Control feature lets you audit, allow, or prevent read, write, or execute access to removable storage, and lets you manage iOS devices, portable devices, and Bluetooth media, with or without exclusions.

Licensing requirements

Before you get started with Removable Storage Access Control, you must confirm your Microsoft 365 subscription. To access and use Removable Storage Access Control, you must have Microsoft 365 E3.

Important

This article contains information about third-party tools. This is provided to help complete integration scenarios, however, Microsoft does not provide troubleshooting support for third-party tools.
Contact the third-party vendor for support.

Deploy policy by using JAMF

Step 1: Create policy JSON

Once you have defined your 'groups', 'rules', and 'settings', combine all three into a single JSON policy. A demo file is available here: https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json. Validate your policy against the JSON schema so the policy format is correct before deploying it: https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json.

See Device Control for macOS for information about settings, rules and groups.
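As an added example (not from this article or the mdatp-devicecontrol project), the following Python script combines constructed 'settings', 'groups', and 'rules' into one policy document, then runs consistency checks that a schema check alone does not cover: every group referenced by a rule must exist, ids must be UUIDs, and access values must be read, write, or execute. The key names follow the layout of the repository's sample policy as recalled by the editor and should be treated as an assumption; the vendor id and the help URL are constructed placeholders, and the optional schema validation only runs if the jsonschema package is installed and you point it at the downloaded schema file.

```python
"""Combine Device Control 'settings', 'groups' and 'rules' into one policy JSON
and check it for cross-reference mistakes before pasting it into the JAMF profile.
Key layout is an assumption based on the mdatp-devicecontrol sample policy;
always validate the output against device_control_policy_schema.json as well."""
import json
import uuid

# Constructed sample inputs (not the article's demo file).
SETTINGS = {
    "features": {"removableMedia": {"disable": False}},
    "global": {"defaultEnforcement": "allow"},
    "ux": {"navigationTarget": "https://example.invalid/device-control-help"},  # placeholder
}

ALL_REMOVABLE_ID = str(uuid.uuid4())
APPROVED_USB_ID = str(uuid.uuid4())

GROUPS = [
    {
        "$type": "device",
        "id": ALL_REMOVABLE_ID,
        "name": "All removable media devices",
        "query": {"$type": "all",
                  "clauses": [{"$type": "primaryId", "value": "removable_media_devices"}]},
    },
    {
        "$type": "device",
        "id": APPROVED_USB_ID,
        "name": "Approved USB drives",
        # "1234" is a constructed vendor id placeholder, not a real vendor.
        "query": {"$type": "any", "clauses": [{"$type": "vendorId", "value": "1234"}]},
    },
]

RULES = [
    {
        "id": str(uuid.uuid4()),
        "name": "Deny removable media except approved drives",
        "includeGroups": [ALL_REMOVABLE_ID],
        "excludeGroups": [APPROVED_USB_ID],
        "entries": [
            {"$type": "removableMedia", "id": str(uuid.uuid4()),
             "enforcement": {"$type": "deny"},
             "access": ["read", "write", "execute"]},
            {"$type": "removableMedia", "id": str(uuid.uuid4()),
             "enforcement": {"$type": "auditDeny",
                             "options": ["send_event", "show_notification"]},
             "access": ["read", "write", "execute"]},
        ],
    }
]

VALID_ACCESS = {"read", "write", "execute"}


def build_policy(settings, groups, rules):
    """Merge the three pieces into the single JSON document the profile expects."""
    return {"settings": settings, "groups": groups, "rules": rules}


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def check_policy(policy):
    """Return a list of problems a schema check alone would not catch:
    duplicate or malformed group ids, dangling group references, bad access values."""
    problems = []
    group_ids = [g.get("id") for g in policy.get("groups", [])]
    if len(group_ids) != len(set(group_ids)):
        problems.append("duplicate group ids")
    for gid in group_ids:
        if not _is_uuid(gid):
            problems.append(f"group id is not a UUID: {gid!r}")
    for rule in policy.get("rules", []):
        name = rule.get("name")
        for key in ("includeGroups", "excludeGroups"):
            for ref in rule.get(key, []):
                if ref not in group_ids:
                    problems.append(f"rule {name!r}: {key} references unknown group {ref}")
        for entry in rule.get("entries", []):
            bad = set(entry.get("access", [])) - VALID_ACCESS
            if bad:
                problems.append(f"rule {name!r}: unknown access values {sorted(bad)}")
    return problems


def validate_with_schema(policy, schema_path):
    """Optional schema validation against the downloaded schema file.
    Returns True if valid, False if invalid, None if jsonschema is not installed."""
    try:
        import jsonschema
    except ImportError:
        return None
    with open(schema_path) as fh:
        schema = json.load(fh)
    try:
        jsonschema.validate(policy, schema)
        return True
    except jsonschema.ValidationError:
        return False


if __name__ == "__main__":
    policy = build_policy(SETTINGS, GROUPS, RULES)
    print(json.dumps(policy, indent=2))  # this text is what gets pasted into the profile
    print("consistency problems:", check_policy(policy) or "none")
```

Run it, fix any reported problems, then paste the printed JSON into the Device Control Policy text box described in Step 3. Catching a dangling group reference here is cheaper than discovering on the endpoint that a rule silently matched nothing.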

Step 2: Update MDE Preferences Schema

The MDE Preferences schema has been updated to include the new deviceControl/policy key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content.

Shows where to edit the Microsoft Defender for Endpoint Preferences Schema to update.

Step 3: Add Device Control Policy to MDE Preferences

A new 'Device Control' property is now available to add in the UX.

  1. Select the topmost Add/Remove properties button, then select Device Control and press Apply.

(Screenshot: shows how to add Device Control in Microsoft Defender for Endpoint.)

  2. Next, scroll down until you see the Device Control property (it is the bottommost entry), and select Add/Remove properties directly underneath it.

  3. Select Device Control Policy, and then click Apply.

(Screenshot: shows how to apply Device Control Policy in Microsoft Defender for Endpoint.)

  4. To finish, copy and paste the Device Control policy JSON into the text box, and save your changes to the configuration profile.

(Screenshot: shows where to add the Device Control policy JSON in Microsoft Defender for Endpoint.)
