Deploy and manage Device Control manually
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Business
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
The Microsoft Defender for Endpoint Device Control feature lets you audit, allow, or prevent read, write, or execute access to removable storage, and lets you manage iOS and portable devices and Bluetooth media, with or without exclusions.
Licensing requirements
Before you get started with Removable Storage Access Control, you must confirm your Microsoft 365 subscription. To access and use Removable Storage Access Control, you must have Microsoft 365 E3.
Important
This article contains information about third-party tools. This information is provided to help complete integration scenarios; however, Microsoft does not provide troubleshooting support for third-party tools. Contact the third-party vendor for support.
Deploy policy manually
This method is recommended for preproduction environments only. It's available starting with version 101.23082.0018. You can create a policy JSON and try it on a single machine before deploying it via MDM to all users. Microsoft recommends using MDM for production environments.
You can set a policy manually only if it wasn't set via MDM (as a managed configuration).
Step 1: Create policy JSON
Now that you have groups, rules, and settings, combine them into one JSON. Here's the demo file: mdatp-devicecontrol/deny_removable_media_except_kingston.json at main - microsoft/mdatp-devicecontrol (github.com). Make sure to validate your policy against the JSON schema so your policy format is correct: mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com).
See Device Control for macOS for information about settings, rules, and groups.
Step 2: Apply policy
Use mdatp config device-control policy set --path <full-path-to-policy.json> to apply the policy.
You can now try protected operations, or use the usual mdatp device-control commands to inspect the effective policy.
> mdatp device-control policy preferences list
.Preferences
|-o UX
| |-o Navigation Target: "https://www.microsoft.com"
|-o Features
| |-o Removable Media
| | |-o Disable: false
|-o Global
| |-o Default Enforcement: "allow"
You can edit your policy file, reapply it, and see changes immediately.
Step 3: Undo your changes
To clear the policy, use mdatp config device-control policy reset.
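The three steps above, carried through as one script. This is an added example, not code from the article or from the mdatp-devicecontrol repository: the policy body is a constructed sample modelled on the "deny removable media except Kingston" demo (the group, rule, and entry IDs are placeholder UUIDs, and vendor ID 0951 is used as a sample Kingston vendor ID), so validate it against the linked schema before relying on it. Besides confirming the file parses as JSON, check_policy_shape verifies that every group a rule includes or excludes is actually defined, since a rule that points at a missing group is the kind of mistake that quietly leaves removable media unrestricted. The apply_policy and reset_policy functions wrap the mdatp commands from Step 2 and Step 3 and only run when the script is invoked with the argument run on a machine that has mdatp installed.

```shell
#!/bin/bash
# Added example: build, sanity-check, apply, and reset a Device Control policy.
set -eu

# Write a constructed sample policy: deny all removable media except devices
# whose vendor ID matches the sample Kingston ID. IDs are placeholder UUIDs.
write_sample_policy() {   # $1 = output path
  cat > "$1" <<'EOF'
{
  "groups": [
    { "$type": "device", "id": "00000000-0000-4000-8000-000000000001",
      "name": "All Removable Media Devices",
      "query": { "$type": "all", "clauses": [
        { "$type": "primaryId", "value": "removable_media_devices" } ] } },
    { "$type": "device", "id": "00000000-0000-4000-8000-000000000002",
      "name": "Kingston Devices",
      "query": { "$type": "all", "clauses": [
        { "$type": "vendorId", "value": "0951" } ] } }
  ],
  "rules": [
    { "id": "00000000-0000-4000-8000-000000000003",
      "name": "Deny removable media except Kingston",
      "includeGroups": [ "00000000-0000-4000-8000-000000000001" ],
      "excludeGroups": [ "00000000-0000-4000-8000-000000000002" ],
      "entries": [
        { "$type": "removableMedia", "id": "00000000-0000-4000-8000-000000000004",
          "enforcement": { "$type": "deny" },
          "access": [ "read", "write", "execute" ] },
        { "$type": "removableMedia", "id": "00000000-0000-4000-8000-000000000005",
          "enforcement": { "$type": "auditDeny",
                           "options": [ "send_event", "show_notification" ] },
          "access": [ "read", "write", "execute" ] }
      ] }
  ],
  "settings": {
    "features": { "removableMedia": { "disable": false } },
    "global": { "defaultEnforcement": "allow" },
    "ux": { "navigationTarget": "https://www.microsoft.com" }
  }
}
EOF
}

# Structural sanity check before applying: the file must parse as JSON, carry
# the groups/rules/settings sections, and every group referenced by a rule must
# exist. Returns 0 when the checks pass, non-zero otherwise. This does not
# replace validation against the published JSON schema.
check_policy_shape() {   # $1 = policy path
  local f="$1"
  if command -v python3 >/dev/null 2>&1; then
    python3 - "$f" <<'PY'
import json, sys
d = json.load(open(sys.argv[1]))
missing = [k for k in ("groups", "rules", "settings") if k not in d]
if missing:
    sys.exit("missing top-level sections: %s" % missing)
ids = {g["id"] for g in d["groups"]}
for r in d["rules"]:
    for ref in r.get("includeGroups", []) + r.get("excludeGroups", []):
        if ref not in ids:
            sys.exit("rule %r references unknown group %s" % (r.get("name"), ref))
PY
  else
    # Minimal fallback when python3 is unavailable: section names only.
    grep -q '"groups"' "$f" && grep -q '"rules"' "$f" && grep -q '"settings"' "$f"
  fi
}

# Step 2: apply the policy and print the effective preferences (needs mdatp).
apply_policy() {   # $1 = policy path
  mdatp config device-control policy set --path "$1"
  mdatp device-control policy preferences list
}

# Step 3: clear the manually set policy (needs mdatp).
reset_policy() {
  mdatp config device-control policy reset
}

# Only touch the endpoint when explicitly asked: ./script.sh run
if [ "${1:-}" = "run" ]; then
  POLICY="${TMPDIR:-/tmp}/dc_policy.json"
  write_sample_policy "$POLICY"
  check_policy_shape "$POLICY"
  apply_policy "$POLICY"
fi
```

Run the script with no arguments to only generate and check the file; run it with the argument run on a Defender-enrolled Mac to apply the policy, then call reset_policy (or the mdatp reset command directly) to undo it. Because a manual policy is refused when one is already managed via MDM, the apply step failing on a managed device is expected rather than a defect in the file.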
See also
- Device Control for macOS
- Deploy and manage Device Control using Intune
- Deploy and manage Device Control using JAMF
- macOS Device Control frequently asked questions (FAQ)
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.