diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 958d86d6b1..5f17983864 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -253,6 +253,11 @@ ##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md) ##### [Set preferences](microsoft-defender-atp/mac-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md) +##### [Device control]() +###### [Overview](microsoft-defender-atp/mac-device-control-overview.md) +###### [JAMF examples](mac-device-control-jamf.md) +###### [Intune examples](mac-device-control-intune.md) + ##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md) #### [Troubleshoot]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-1.png new file mode 100644 index 0000000000..fb946071db Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-2.png new file mode 100644 index 0000000000..b5f0ce792e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-3.png new file mode 100644 index 0000000000..51110a707c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-3.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-4.png new file mode 100644 index 0000000000..ff9dafe040 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-notification.png new file mode 100644 index 0000000000..af8250de77 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-notification.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-intune.md new file mode 100644 index 0000000000..92050bc570 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-intune.md 
@@ -0,0 +1,429 @@ +--- +title: Examples of device control policies for Intune +description: This document contains examples of device control policies that can be used with Intune. +keywords: microsoft, defender, atp, mac, device, control, usb, removable, media, intune +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: security +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.topic: conceptual +ms.technology: mde +--- + +# Examples of device control policies for Intune + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +> [!IMPORTANT] +> **Device control for macOS is currently in public preview**
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. +> For more information, see [Microsoft Defender for Endpoint preview features](preview.md). + +This document contains examples of device control policies that you can customize in your own organization. These examples are applicable if you are using Intune to manage your enterprise. + +## Restrict access to all removable media + +The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be disallowed. + +```xml + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + none + + + + + + + +``` + +## Set all removable media to be read-only + +The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed. 
+ +```xml + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + + + + + + + +``` + +## Disallow program execution from removable media + +The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy. 
+ +```xml + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + + + + + + + +``` + +## Restrict all devices from specific vendors + +The following example restricts all devices from specific vendors (in this case identified by `090c` and `8068`). Note that all other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute). 
+ +```xml + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + execute + + vendors + + 090c + + permission + + none + + + 8068 + + permission + + none + + + + + + + + + +``` + +## Restrict specific devices identified by vendor ID, product ID, and serial number + +The following example restricts two specific devices, identified by vendor ID `090c`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. Note that at all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted. 
+ +```xml + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + execute + + vendors + + 090c + + permission + + read + write + execute + + products + + 1000 + + permission + + read + write + execute + + serialNumbers + + 04ZSSMHI2O7WBVOA + + none + + 04ZSSMHI2O7WBVOB + + none + + + + + + + + + + + + +``` + +## Related topics + +- [Overview of device control for macOS](mac-device-control-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-jamf.md new file mode 100644 index 0000000000..d0c447dc99 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-jamf.md 
@@ -0,0 +1,224 @@ +--- +title: Examples of device control policies for JAMF +description: This document contains examples of device control policies that can be used with JAMF. +keywords: microsoft, defender, atp, mac, device, control, usb, removable, media, jamf +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: security +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.topic: conceptual +ms.technology: mde +--- + +# Examples of device control policies for JAMF + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +> [!IMPORTANT] +> **Device control for macOS is currently in public preview**
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. +> For more information, see [Microsoft Defender for Endpoint preview features](preview.md). + +This document contains examples of device control policies that you can customize in your own organization. These examples are applicable if you are using JAMF to manage your enterprise. + +## Restrict access to all removable media + +The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be disallowed. + +```xml + + + + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + none + + + + + +``` + +## Set all removable media to be read-only + +The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed. + +```xml + + + + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + + + + + +``` + +## Disallow program execution from removable media + +The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy. + +```xml + + + + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + + + + + +``` + +## Restrict all devices from specific vendors + +The following example restricts all devices from specific vendors (in this case identified by `090c` and `8068`). Note that all other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute). 
+ +```xml + + + + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + execute + + vendors + + 090c + + permission + + none + + + 8068 + + permission + + none + + + + + + + +``` + +## Restrict specific devices identified by vendor ID, product ID, and serial number + +The following example restricts two specific devices, identified by vendor ID `090c`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. Note that at all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted. + +```xml + + + + + deviceControl + + removableMediaPolicy + + enforcementLevel + block + permission + + read + write + execute + + vendors + + 090c + + permission + + read + write + execute + + products + + 1000 + + permission + + read + write + execute + + serialNumbers + + 04ZSSMHI2O7WBVOA + + none + + 04ZSSMHI2O7WBVOB + + none + + + + + + + + + + +``` + +## Related topics + +- [Overview of device control for macOS](mac-device-control-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-overview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-overview.md new file mode 100644 index 0000000000..86bbbddde0 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-overview.md 
@@ -0,0 +1,363 @@ +--- +title: How to control USB devices and other removable media on macOS +description: You can configure Microsoft Defender for Endpoint for Mac to reduce threats from removable storage such as USB devices. +keywords: microsoft, defender, atp, mac, device, control, usb, removable, media +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: security +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.topic: conceptual +ms.technology: mde +--- + +# Device control for macOS + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +> [!IMPORTANT] +> **Device control for macOS is currently in public preview**
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. +> For more information, see [Microsoft Defender for Endpoint preview features](preview.md). + +## Requirements + +Device control can be enabled: + +>[!div class="checklist"] +> - Microsoft Defender for Endpoint entitlement (can be trial) +> - Minimum OS version: macOS 10.15.4 or higher +> - Minimum product version: 101.22.78 +> - Your device must be in the InsiderFast Microsoft AutoUpdate update channel. +> +> You can check the update channel using the following command: +> +> ```bash +> mdatp health --field release_ring +> ``` +> +> If your device is not in the InsiderFast update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted). +> +> ```bash +> defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast +> ``` +> +> Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [this page](mac-update.md). +> - Your device must be running with system extensions (this is the default on macOS 11 Big Sur). +> +> You can check if your device is running on system extensions, run the following command and verify that it is printing `endpoint_security_extension` to the console: +> +> ```bash +> mdatp health --field real_time_protection_subsystem +> ``` + +## Device control policy + +To configure device control for macOS, you must create a policy that describes the restrictions you want to put in place within your organization. + +The device control policy is included in the configuration profile used to configure all other settings of the product. 
See [Configuration profile structure](mac-preferences.md#configuration-profile-structure) for more information. + +Within the configuration profile, the device control policy is defined in the following section: + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | deviceControl | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. | + +The device control policy can be used to: + +- [Customize the URL target for notifications raised by device control](#customize-url-target-for-notifications-raised-by-device-control) +- [Allow or block removable devices](#allow-or-block-removable-devices) + +### Customize URL target for notifications raised by device control + +When the device control policy that you have put in place is enforced on a device (*e.g.* access to a removable media device is restricted), a notification is displayed to the user. + +![Device control notification](images/mac-device-control-notification.png) + +When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | navigationTarget | +| **Data type** | String | +| **Comments** | If not defined, the product uses a default URL pointing to a generic page explaining the action taken by the product. | + +### Allow or block removable devices + +The removable media section of the device control policy is used to restrict access to removable media. + +> [!NOTE] +> Currently, only USB devices are supported. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | removableMediaPolicy | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. 
| + +This section of the policy is hierarchical, allowing for maximum flexibility and covering a wide range of use cases. At the top level are vendors, identified by a vendor ID. For each vendor, there are products, identified by a product ID. Finally, for each product there are serial numbers denoting specific devices. + +``` +|-- policy top level + |-- vendor 1 + |-- product 1 + |-- serial number 1 + ... + |-- serial number N + ... + |-- product N + ... + |-- vendor N +``` + +For information on how to find the device identifiers, see [Look up device identifiers](#look-up-device-identifiers). + +The policy is evaluated from the most specific entry to the most general one. In other words, the product tries to find the most specific match in the policy for each removable media device and apply the permissions at that level. If there is no match, then the next best match is applied, all the way to the permission specified at the top-level, which is the default when a device does not match any other entry. + +#### Policy enforcement level + +Under the removable media section, there is an option to set the enforcement level, which can take one of the following values: + +- `audit` - Under this enforcement level, if access to a device is restricted, a notification is displayed to the user, however the device can still be used. This can be useful to evaluate the effectiveness of a policy. +- `block` - Under this enforcement level, the operations that the user can perform on the device are limited to what is defined in the policy. Furthermore, a notification is raised to the user. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | enforcementLevel | +| **Data type** | String | +| **Possible values** | audit (default)
block | + +#### Default permission level + +At the top level of the removable media section, you can configure the default permission level for devices that do not match anything else in the policy. + +This setting can be set to: + +- `none` - no operations can be performed against the device +- A combination of the following: + - `read` - Read operations are permitted on the device + - `write` - Write operations are permitted on the device + - `execute` - Execute operations are permitted on the device + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | permission | +| **Data type** | Array of strings | +| **Possible values** | none
read
write
execute | + +#### Restrict removable media by vendor, product, and serial number + +As described in [Allow or block removable devices](#allow-or-block-removable-devices), removable media such as USB devices can be identified by the vendor ID, product ID, and serial number. + +At the top level of the removable media policy, you can optionally define more granular restrictions at the vendor level. + +The `vendors` dictionary contains one or more entries, with each entry being identified by the vendor ID. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | vendors | +| **Data type** | Dictionary (nested preference) | + +For each vendor, you can specify the desired permission level for devices with that vendor. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | permission | +| **Data type** | Array of strings | +| **Possible values** | Same as [Default permission level](#default-permission-level) | + +Furthermore, you can optionally specify the set of products belonging to that vendor for which more granular permissions are defined. The `products` dictionary contains one or more entries, with each entry being identified by the product ID. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | products | +| **Data type** | Dictionary (nested preference) | + +For each product, you can specify the desired permission level for that product. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | permission | +| **Data type** | Array of strings | +| **Possible values** | Same as [Default permission level](#default-permission-level) | + +Furthermore, you can specify an optional set of serial numbers for which more granular permissions are defined. + +The `serialNumbers` dictionary contains one or more entries, with each entry being identified by the serial number. 
+ +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | serialNumbers | +| **Data type** | Dictionary (nested preference) | + +For each serial number, you can specify the desired permission level. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | permission | +| **Data type** | Array of strings | +| **Possible values** | Same as [Default permission level](#default-permission-level) | + +#### Example device control policy + +The following example shows how all of the above concepts can be combined into a policy. In the following example, note the hierarchical nature of the removable media policy. + +```xml + + + + + deviceControl + + navigationTarget + [Custom URL for mount notifications] + removableMediaPolicy + + enforcementLevel + [enforcement level] + permission + + [permission] + + vendors + + [vendor id] + + permission + + [permission] + + products + + [product id] + + permission + + [permission] + + serialNumbers + + [serial-number] + + [permission] + + + + + + + + + + + + + +``` + +We have included more examples of device control policies in the following documents: + +- [Examples of device control policies for Intune](mac-device-control-intune.md) +- [Examples of device control policies for JAMF](mac-device-control-jamf.md) + +#### Look up device identifiers + +To find the vendor ID, product ID, and serial number of a USB device, do the following: + +1. Log into a Mac device. +1. Plug in the USB device for which you want to look up the identifiers. +1. In the top-level menu of macOS, select **About This Mac**. + + ![About this Mac](images/mac-device-control-lookup-1.png) + +1. Select **System Report**. + + ![System Report](images/mac-device-control-lookup-2.png) + +1. From the left column, select **USB**. + + ![View of all USB devices](images/mac-device-control-lookup-3.png) + +1. Under **USB Device Tree**, navigate to the USB device that you plugged in. 
+ + ![Details of a USB device](images/mac-device-control-lookup-4.png) + +1. The vendor ID, product ID, and serial number are displayed. Note that when adding the vendor ID and product ID to the removable media policy, you should only add the part after `0x`. For example, in the below image, vendor ID is `1000` and product ID is `090c`. + +#### Discover USB devices in your organization + +You can view mount, unmount, and volume change events originating from USB devices in Microsoft Defender for Endpoint advanced hunting. This can be helpful to identify suspicious usage activity or perform internal investigations. + +``` +DeviceEvents + | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged" + | where DeviceId == "" +``` + +## Device control policy deployment + +The device control policy must be included next to the other product settings, as described in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). + +This profile can be deployed using the instructions listed in [Configuration profile deployment](mac-preferences.md#configuration-profile-deployment). + +## Troubleshooting tips + +After pushing the configuration profile through Intune or JAMF, you can check if it was successfully picked up by the product by running the following command from the Terminal: + +```bash +mdatp device-control removable-media policy list +``` + +This command will print to standard output the device control policy that the product is using. In case this prints `Policy is empty`, make sure that (a) the configuration profile has indeed been pushed to your device from the management console, and (b) it is a valid device control policy, as described in this document. + +On a device where the policy has been delivered successfully and where there are one or more devices mounted, you can run the following command to list all devices and the effective permissions applied to them. 
+ +```bash +mdatp device-control removable-media devices list +``` + +Example of output: + +```Output +.Device(s) +|-o Name: Untitled 1, Permission ["read", "execute"] +| |-o Vendor: General "090c" +| |-o Product: USB Flash Disk "1000" +| |-o Serial number: "04ZSSMHI2O7WBVOA" +| |-o Mount point: "/Volumes/TESTUSB" +``` + +In the above example, there is only one mounted device and it has `read` and `execute` permissions. + +## Related topics + +- [Examples of device control policies for Intune](mac-device-control-intune.md) +- [Examples of device control policies for JAMF](mac-device-control-jamf.md) \ No newline at end of file
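Review bot: the two new TOC entries `###### [JAMF examples](mac-device-control-jamf.md)` and `###### [Intune examples](mac-device-control-intune.md)` drop the `microsoft-defender-atp/` directory prefix that the sibling `###### [Overview](microsoft-defender-atp/mac-device-control-overview.md)` entry and every other entry in this TOC use, so both links will resolve relative to `TOC.md` instead of to the files this patch actually adds under `windows/security/threat-protection/microsoft-defender-atp/`. Change them to `microsoft-defender-atp/mac-device-control-jamf.md` and `microsoft-defender-atp/mac-device-control-intune.md`. The empty-target parent `##### [Device control]()` matches the existing `#### [Troubleshoot]()` convention and is fine as is.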
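Review bot: in `mac-device-control-intune.md`, the "Restrict specific devices identified by vendor ID, product ID, and serial number" example is inconsistent with its own structure at the `serialNumbers` level: the `090c` vendor entry and the `1000` product entry each wrap their value in a `permission` key before the array (`permission` then `read`, `write`, `execute`), but the two serial-number entries go straight from `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB` to `none` with no `permission` key in between. The overview page documents a `permission` key of type array of strings for each serial number, so as written the per-device `none` would not be read as the permission the surrounding text promises and the two devices the example claims to restrict would fall through to the product-level `read`/`write`/`execute`. Add the `permission` key inside each serial-number dictionary, exactly as the vendor and product levels do. Secondary: every example on this page sets `enforcementLevel` to `block`; since the overview documents `audit` as the default, a sentence in the page intro stating that omitting `enforcementLevel` leaves the policy in audit mode (notification only, device still usable) would prevent a silently non-enforcing rollout when someone trims the examples.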
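Review bot: `mac-device-control-jamf.md` carries the same defect as the Intune page in its "Restrict specific devices identified by vendor ID, product ID, and serial number" example: the `serialNumbers` entries for `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB` have `none` directly under the serial number, without the `permission` key that the `090c` vendor entry and the `1000` product entry use in the same example and that the overview's serialNumbers table documents. Add the `permission` key to both serial-number dictionaries so the two devices are actually denied rather than inheriting the product-level `read`/`write`/`execute`. Minor: the "Disallow program execution from removable media" lead-in says "Note the `read` and `write` permissions that are applied at the top level of the policy" but, unlike the two examples above it, never states the consequence; appending "meaning that execute operations will be disallowed" keeps the three intros parallel.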
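Review bot: in `mac-device-control-overview.md`, the last step of "Look up device identifiers" has the identifiers the wrong way round: "For example, in the below image, vendor ID is `1000` and product ID is `090c`" contradicts the troubleshooting output on the same page (`|-o Vendor: General "090c"` and `|-o Product: USB Flash Disk "1000"`) and every Intune and JAMF example, which all use vendor ID `090c` and product ID `1000`. Swap the two values; a reader who copies this sentence into a policy will write a rule that never matches. Also in that step, the image is placed above the text, so "in the below image" should read "in the above image". Further points in this hunk: the "Example device control policy" has the same `serialNumbers` shape problem as the Intune and JAMF pages (`[serial-number]` followed directly by `[permission]`, while `[vendor id]` and `[product id]` each show a `permission` key first), so it disagrees with the serialNumbers table a few lines earlier that documents a `permission` key per serial number. The advanced hunting query ends with `| where DeviceId == ""`, which filters on an empty string and returns nothing; replace it with a placeholder such as `"<device id>"` or drop the line, and tag that fence as `kusto` like the other fences on the page are tagged `bash`. The Requirements lead-in "Device control can be enabled:" is an incomplete sentence (suggest "Device control can be enabled if the following requirements are met:"), and "You can check if your device is running on system extensions, run the following command and verify..." is a comma splice (suggest "To check whether your device is running on system extensions, run the following command and verify that it prints..."). Finally, because `enforcementLevel` defaults to `audit`, the "Default permission level" section should say explicitly that `none` at the top level blocks nothing unless `enforcementLevel` is also set to `block`; that is the caveat a practitioner reading only this section would miss.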