Deploy and manage Device Control using JAMF
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Business
Device control in Microsoft Defender for Endpoint on macOS lets you audit, allow, or block read, write, and execute access to removable storage. It also lets you manage iOS devices, portable devices, and Bluetooth media, with or without exclusions for specific devices.
Licensing requirements
Before you begin, confirm your subscription. To access and use device control, your subscription must include Defender for Endpoint Plan 1. For more information, see the following resources:
- Microsoft 365 Enterprise plans comparison table
- Understand subscriptions and licenses in Microsoft 365 for business
Important
This article contains information about third-party tools. It is provided to help you complete integration scenarios; however, Microsoft does not provide troubleshooting support for third-party tools. Contact the third-party vendor for support.
Deploy policy by using JAMF
Step 1: Creating a JSON policy
Device Control on Mac is defined through a JSON policy. The policy must define the groups, rules, and settings that match your organization's requirements. For example, some organizations need to block all removable media devices entirely, while others need exceptions for a specific vendor or serial number. Microsoft maintains a GitHub repository with sample policies that you can use as a starting point.
For more information about settings, rules, and groups, see Device Control for macOS.
Step 2: Validating a JSON policy
You must validate your JSON policy after it's created to ensure there are no syntax or configuration errors. A schema for device control policies is available in our GitHub repository. The Defender for Endpoint application has built-in functionality to compare your JSON to the defined schema.
1. Save your configuration on a local device as a `.json` file.
2. Ensure you have access to `mdatp` commands. If your device is already onboarded, then you should have this functionality.
3. Run `mdatp device-control policy validate --path <pathtojson>`.
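The following script is an added example, not code from Microsoft or from the page above. It ties Step 1 and Step 2 together: it builds a policy that blocks all removable media except devices from one approved USB vendor (with audit events for every block), runs a cross-reference check that a schema validator alone does not perform, writes the file, and then invokes the `mdatp device-control policy validate` command from Step 2 when `mdatp` is installed. The JSON layout (`groups`/`rules`/`settings`, `$type` discriminators, `primaryId`, `vendorId`, `deny`/`allow`/`auditDeny` enforcement) follows the macOS device control schema as the author of this example understands it; the vendor ID `0951`, the navigation URL, and the output file name are constructed placeholders. Always run the result through the built-in validator on an onboarded Mac before pasting it into Jamf.

```python
"""Build and sanity-check a Device Control policy for Defender for Endpoint on macOS.

Added example (not Microsoft's code). Schema details are the author's reading of the
documented macOS device control format; vendor ID and URLs are constructed placeholders.
"""
import json
import shutil
import subprocess
import uuid
from typing import Optional


def _uid() -> str:
    # Every group, rule, and entry needs a unique id; fresh UUIDs avoid copy-paste collisions.
    return str(uuid.uuid4())


def build_policy(allowed_vendor_id: str) -> dict:
    """Deny all removable media except one USB vendor; audit and notify on each block."""
    all_removable = {
        "$type": "device",
        "id": _uid(),
        "name": "All removable media devices",
        "query": {"$type": "all",
                  "clauses": [{"$type": "primaryId", "value": "removable_media_devices"}]},
    }
    approved_vendor = {
        "$type": "device",
        "id": _uid(),
        "name": f"Approved vendor {allowed_vendor_id}",
        "query": {"$type": "all",
                  "clauses": [{"$type": "vendorId", "value": allowed_vendor_id}]},
    }
    allow_rule = {
        "id": _uid(),
        "name": "Allow approved vendor",
        "includeGroups": [approved_vendor["id"]],
        "entries": [{"$type": "removableMedia", "id": _uid(),
                     "enforcement": {"$type": "allow"},
                     "access": ["read", "write", "execute"]}],
    }
    deny_rule = {
        "id": _uid(),
        "name": "Deny all other removable media",
        "includeGroups": [all_removable["id"]],
        "excludeGroups": [approved_vendor["id"]],  # the exception for the vendor
        "entries": [
            {"$type": "removableMedia", "id": _uid(),
             "enforcement": {"$type": "deny"},
             "access": ["read", "write", "execute"]},
            # Second entry makes each block visible: portal event plus user notification.
            {"$type": "removableMedia", "id": _uid(),
             "enforcement": {"$type": "auditDeny",
                             "options": ["send_event", "show_notification"]},
             "access": ["read", "write", "execute"]},
        ],
    }
    return {
        "groups": [all_removable, approved_vendor],
        "rules": [allow_rule, deny_rule],
        "settings": {
            "features": {"removableMedia": {"disable": False}},
            "global": {"defaultEnforcement": "allow"},
            "ux": {"navigationTarget": "https://intranet.example/usb-policy"},  # placeholder
        },
    }


def check_references(policy: dict) -> list:
    """Checks a schema validator does not make: referenced groups exist, ids are unique,
    and every rule actually includes at least one group (otherwise it never matches)."""
    problems = []
    group_ids = [g["id"] for g in policy["groups"]]
    if len(set(group_ids)) != len(group_ids):
        problems.append("duplicate group id")
    for rule in policy["rules"]:
        if not rule.get("includeGroups"):
            problems.append(f"rule {rule['name']!r}: no includeGroups")
        for key in ("includeGroups", "excludeGroups"):
            for gid in rule.get(key, []):
                if gid not in group_ids:
                    problems.append(f"rule {rule['name']!r}: {key} references unknown group {gid}")
    return problems


def to_json(policy: dict) -> str:
    return json.dumps(policy, indent=2)


def write_policy(policy: dict, path: str) -> str:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(to_json(policy))
    return path


def validate_with_mdatp(path: str) -> Optional[bool]:
    """Run the built-in validator from Step 2; returns None when mdatp is not on PATH."""
    if shutil.which("mdatp") is None:
        return None
    result = subprocess.run(
        ["mdatp", "device-control", "policy", "validate", "--path", path],
        capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    pol = build_policy("0951")  # constructed sample vendor ID
    assert not check_references(pol), check_references(pol)
    out = write_policy(pol, "device-control-policy.json")  # placeholder file name
    print(f"wrote {out}; mdatp validation: {validate_with_mdatp(out)}")
```

The `excludeGroups` entry on the deny rule is what turns a blanket block into a vendor exception; the separate allow rule is explicit rather than relying on `defaultEnforcement`. Replace the vendor ID with the one shown for your approved devices and keep the file under version control so the Jamf-pasted text can be diffed against it.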
Step 3: Update your Defender for Endpoint preferences Schema
The Defender for Endpoint preferences schema includes the new `deviceControl/policy` key. Update the existing Defender for Endpoint preferences configuration profile to use the content of the new schema file.
Step 4: Add the device control policy to Defender for Endpoint preferences
Once the schema is updated, the device control policy is available as a new property in the Defender for Endpoint preferences configuration profile.
1. In your Jamf console, select Add/Remove properties, select Device Control, and then select Apply.
2. Scroll down until you see the Device Control property (it's at the bottom of the list), and then select Add/Remove properties.
3. Select Device Control Policy, and then select Apply.
4. Copy and paste your validated device control policy JSON into the text box.
5. Save your changes.
See also
- Device Control for macOS
- Deploy and manage Device Control using Intune
- macOS Device Control frequently asked questions (FAQ)