diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index dbb57c5791..39a4183c0e 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -253,6 +253,10 @@
##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
+##### [Device control]()
+###### [Device control overview](microsoft-defender-atp/mac-device-control-overview.md)
+###### [JAMF examples](microsoft-defender-atp/mac-device-control-jamf.md)
+###### [Intune examples](microsoft-defender-atp/mac-device-control-intune.md)
##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md)
#### [Troubleshoot]()
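Review bot: the two new child entries label the MDM as "JAMF" (and bake that spelling into the file name `mac-device-control-jamf.md`) while the deployment guide touched later in this same change consistently calls the product "Jamf Pro" ("In the Jamf Pro dashboard, select **New**"); settle on one spelling for the TOC label and page titles now, since the file name is the harder thing to change once it is linked from elsewhere. The empty-target container entry `[Device control]()` follows the existing `[Troubleshoot]()` convention, so that part is fine.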
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-1.png
new file mode 100644
index 0000000000..fb946071db
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-2.png
new file mode 100644
index 0000000000..2220e12523
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-3.png
new file mode 100644
index 0000000000..51110a707c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-4.png
new file mode 100644
index 0000000000..ff9dafe040
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-notification.png
new file mode 100644
index 0000000000..af8250de77
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-notification.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-intune.md
new file mode 100644
index 0000000000..8f77c8695b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-intune.md
@@ -0,0 +1,426 @@
+---
+title: Examples of device control policies for Intune
+description: Learn how to use device control policies using examples that can be used with Intune.
+keywords: microsoft, defender, atp, mac, device, control, usb, removable, media, intune
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: m365-security
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+ms.topic: conceptual
+ms.technology: mde
+---
+
+# Examples of device control policies for Intune
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using Intune to manage devices in your enterprise.
+
+## Restrict access to all removable media
+
+The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be disallowed.
+
+```xml
+
+
+
+
+ PayloadUUID
+ C4E6A782-0C8D-44AB-A025-EB893987A295
+ PayloadType
+ Configuration
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP settings
+ PayloadDescription
+ Microsoft Defender ATP configuration settings
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadContent
+
+
+ PayloadUUID
+ 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295
+ PayloadType
+ com.microsoft.wdav
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP configuration settings
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ deviceControl
+
+ removableMediaPolicy
+
+ enforcementLevel
+ block
+ permission
+
+ none
+
+
+
+
+
+
+
+```
+
+## Set all removable media to be read-only
+
+The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.
+
+```xml
+
+
+
+
+ PayloadUUID
+ C4E6A782-0C8D-44AB-A025-EB893987A295
+ PayloadType
+ Configuration
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP settings
+ PayloadDescription
+ Microsoft Defender ATP configuration settings
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadContent
+
+
+ PayloadUUID
+ 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295
+ PayloadType
+ com.microsoft.wdav
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP configuration settings
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ deviceControl
+
+ removableMediaPolicy
+
+ enforcementLevel
+ block
+ permission
+
+ read
+
+
+
+
+
+
+
+```
+
+## Disallow program execution from removable media
+
+The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy.
+
+```xml
+
+
+
+
+ PayloadUUID
+ C4E6A782-0C8D-44AB-A025-EB893987A295
+ PayloadType
+ Configuration
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP settings
+ PayloadDescription
+ Microsoft Defender ATP configuration settings
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadContent
+
+
+ PayloadUUID
+ 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295
+ PayloadType
+ com.microsoft.wdav
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP configuration settings
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ deviceControl
+
+ removableMediaPolicy
+
+ enforcementLevel
+ block
+ permission
+
+ read
+ write
+
+
+
+
+
+
+
+```
+
+## Restrict all devices from specific vendors
+
+The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).
+
+```xml
+
+
+
+
+ PayloadUUID
+ C4E6A782-0C8D-44AB-A025-EB893987A295
+ PayloadType
+ Configuration
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP settings
+ PayloadDescription
+ Microsoft Defender ATP configuration settings
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadContent
+
+
+ PayloadUUID
+ 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295
+ PayloadType
+ com.microsoft.wdav
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP configuration settings
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ deviceControl
+
+ removableMediaPolicy
+
+ enforcementLevel
+ block
+ permission
+
+ read
+ write
+ execute
+
+ vendors
+
+ fff0
+
+ permission
+
+ none
+
+
+ 4525
+
+ permission
+
+ none
+
+
+
+
+
+
+
+
+
+```
+
+## Restrict specific devices identified by vendor ID, product ID, and serial number
+
+The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.
+
+```xml
+
+
+
+
+ PayloadUUID
+ C4E6A782-0C8D-44AB-A025-EB893987A295
+ PayloadType
+ Configuration
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP settings
+ PayloadDescription
+ Microsoft Defender ATP configuration settings
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadContent
+
+
+ PayloadUUID
+ 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295
+ PayloadType
+ com.microsoft.wdav
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP configuration settings
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ deviceControl
+
+ removableMediaPolicy
+
+ enforcementLevel
+ block
+ permission
+
+ read
+ write
+ execute
+
+ vendors
+
+ fff0
+
+ permission
+
+ read
+ write
+ execute
+
+ products
+
+ 1000
+
+ permission
+
+ read
+ write
+ execute
+
+ serialNumbers
+
+ 04ZSSMHI2O7WBVOA
+
+ none
+
+ 04ZSSMHI2O7WBVOB
+
+ none
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Related topics
+
+- [Overview of device control for macOS](mac-device-control-overview.md)
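Review bot: the "Disallow program execution from removable media" section presents a `read` + `write` permission set as disallowing program execution, but the overview page added in this same change states that `execute` only covers Mach-O binaries and not scripts or other payloads; repeat that caveat here (one line under the heading is enough), because someone copying this profile in isolation will assume a shell or Python script launched from the volume is also blocked, and it is not. Two smaller points: all five profiles share the same `PayloadUUID` values and the same `PayloadIdentifier` `com.microsoft.wdav`, so say explicitly that they are alternatives to be deployed one at a time rather than profiles to assign together; and the `PayloadDisplayName`/`PayloadDescription` strings still read "Microsoft Defender ATP settings" although the page carries the Microsoft Defender for Endpoint rebranding include at the top.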
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-jamf.md
new file mode 100644
index 0000000000..a0dbbbf455
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-jamf.md
@@ -0,0 +1,221 @@
+---
+title: Examples of device control policies for JAMF
+description: Learn how to use device control policies using examples that can be used with JAMF.
+keywords: microsoft, defender, endpoint, atp, mac, device, control, usb, removable, media, jamf
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: m365-security
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+ms.topic: conceptual
+ms.technology: mde
+---
+
+# Examples of device control policies for JAMF
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using JAMF to manage devices in your enterprise.
+
+## Restrict access to all removable media
+
+The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be prohibited.
+
+```xml
+
+
+
+
+ deviceControl
+
+ removableMediaPolicy
+
+ enforcementLevel
+ block
+ permission
+
+ none
+
+
+
+
+
+```
+
+## Set all removable media to be read-only
+
+The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.
+
+```xml
+
+
+
+
+ deviceControl
+
+ removableMediaPolicy
+
+ enforcementLevel
+ block
+ permission
+
+ read
+
+
+
+
+
+```
+
+## Disallow program execution from removable media
+
+The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy.
+
+```xml
+
+
+
+
+ deviceControl
+
+ removableMediaPolicy
+
+ enforcementLevel
+ block
+ permission
+
+ read
+ write
+
+
+
+
+
+```
+
+## Restrict all devices from specific vendors
+
+The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).
+
+```xml
+
+
+
+
+ deviceControl
+
+ removableMediaPolicy
+
+ enforcementLevel
+ block
+ permission
+
+ read
+ write
+ execute
+
+ vendors
+
+ fff0
+
+ permission
+
+ none
+
+
+ 4525
+
+ permission
+
+ none
+
+
+
+
+
+
+
+```
+
+## Restrict specific devices identified by vendor ID, product ID, and serial number
+
+The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.
+
+```xml
+
+
+
+
+ deviceControl
+
+ removableMediaPolicy
+
+ enforcementLevel
+ block
+ permission
+
+ read
+ write
+ execute
+
+ vendors
+
+ fff0
+
+ permission
+
+ read
+ write
+ execute
+
+ products
+
+ 1000
+
+ permission
+
+ read
+ write
+ execute
+
+ serialNumbers
+
+ 04ZSSMHI2O7WBVOA
+
+ none
+
+ 04ZSSMHI2O7WBVOB
+
+ none
+
+
+
+
+
+
+
+
+
+
+```
+
+## Related topics
+
+- [Overview of device control for macOS](mac-device-control-overview.md)
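Review bot: every example sets `enforcementLevel` to `block`, and the first one pairs it with a top-level `none`, yet the page never mentions `audit`, which the companion overview describes as the default and as the way to evaluate a policy; pushing the first example as written to a Jamf scope disables all USB storage on every Mac in that scope at once, so add a sentence recommending a first rollout with `enforcementLevel` `audit` (or show one example using it) before switching to `block`. Also worth stating: because the overview says the device control policy lives inside the same `com.microsoft.wdav` profile as all other product settings, these plists are fragments to merge into the existing `com.microsoft.wdav` plist uploaded for that Preference Domain, not a second profile to upload alongside it.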
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-overview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-overview.md
new file mode 100644
index 0000000000..f0445b47b4
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-device-control-overview.md
@@ -0,0 +1,370 @@
+---
+title: Device control for macOS
+description: Learn how to configure Microsoft Defender for Endpoint for Mac to reduce threats from removable storage such as USB devices.
+keywords: microsoft, defender, atp, mac, device, control, usb, removable, media
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: m365-security
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+ms.topic: conceptual
+ms.technology: mde
+---
+
+# Device control for macOS
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Requirements
+
+Device control for macOS has the following prerequisites:
+
+>[!div class="checklist"]
+> - Microsoft Defender for Endpoint entitlement (can be trial)
+> - Minimum OS version: macOS 10.15.4 or higher
+> - Minimum product version: 101.24.59
+> - Your device must be running with system extensions (this is the default on macOS 11 Big Sur).
+>
+> You can check if your device is running on system extensions by running the following command and verify that it is printing `endpoint_security_extension` to the console:
+>
+> ```bash
+> mdatp health --field real_time_protection_subsystem
+> ```
+> - Your device must be in `Beta` (previously called `InsiderFast`) Microsoft AutoUpdate update channel. For more information, see [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md).
+>
+> You can check the update channel using the following command:
+>
+> ```bash
+> mdatp health --field release_ring
+> ```
+>
+> If the above command does not print either `Beta` or `InsiderFast`, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).
+>
+> ```bash
+> defaults write com.microsoft.autoupdate2 ChannelName -string Beta
+> ```
+>
+> Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md).
+
+## Device control policy
+
+To configure device control for macOS, you must create a policy that describes the restrictions you want to put in place within your organization.
+
+The device control policy is included in the configuration profile used to configure all other product settings. For more information, see [Configuration profile structure](mac-preferences.md#configuration-profile-structure).
+
+Within the configuration profile, the device control policy is defined in the following section:
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | deviceControl |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+The device control policy can be used to:
+
+- [Customize the URL target for notifications raised by device control](#customize-url-target-for-notifications-raised-by-device-control)
+- [Allow or block removable devices](#allow-or-block-removable-devices)
+
+### Customize URL target for notifications raised by device control
+
+When the device control policy that you have put in place is enforced on a device (for example, access to a removable media device is restricted), a notification is displayed to the user.
+
+
+
+When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | navigationTarget |
+| **Data type** | String |
+| **Comments** | If not defined, the product uses a default URL pointing to a generic page explaining the action taken by the product. |
+
+### Allow or block removable devices
+
+The removable media section of the device control policy is used to restrict access to removable media.
+
+> [!NOTE]
+> The following types of removable media are currently supported and can be included in the policy: USB storage devices.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | removableMediaPolicy |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+This section of the policy is hierarchical, allowing for maximum flexibility and covering a wide range of use cases. At the top level are vendors, identified by a vendor ID. For each vendor, there are products, identified by a product ID. Finally, for each product there are serial numbers denoting specific devices.
+
+```
+|-- policy top level
+ |-- vendor 1
+ |-- product 1
+ |-- serial number 1
+ ...
+ |-- serial number N
+ ...
+ |-- product N
+ ...
+ |-- vendor N
+```
+
+For information on how to find the device identifiers, see [Look up device identifiers](#look-up-device-identifiers).
+
+The policy is evaluated from the most specific entry to the most general one. Meaning, when a device is plugged in, the product tries to find the most specific match in the policy for each removable media device and apply the permissions at that level. If there is no match, then the next best match is applied, all the way to the permission specified at the top level, which is the default when a device does not match any other entry in the policy.
+
+#### Policy enforcement level
+
+Under the removable media section, there is an option to set the enforcement level, which can take one of the following values:
+
+- `audit` - Under this enforcement level, if access to a device is restricted, a notification is displayed to the user, however the device can still be used. This enforcement level can be useful to evaluate the effectiveness of a policy.
+- `block` - Under this enforcement level, the operations that the user can perform on the device are limited to what is defined in the policy. Furthermore, a notification is raised to the user.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | enforcementLevel |
+| **Data type** | String |
+| **Possible values** | audit (default)
block |
+
+#### Default permission level
+
+At the top level of the removable media section, you can configure the default permission level for devices that do not match anything else in the policy.
+
+This setting can be set to:
+
+- `none` - No operations can be performed on the device
+- A combination of the following values:
+ - `read` - Read operations are permitted on the device
+ - `write` - Write operations are permitted on the device
+ - `execute` - Execute operations are permitted on the device
+
+> [!NOTE]
+> If `none` is present in the permission level, any other permissions (`read`, `write`, or `execute`) will be ignored.
+
+> [!NOTE]
+> The `execute` permission only refers to execution of Mach-O binaries. It does not include execution of scripts or other types of payloads.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | permission |
+| **Data type** | Array of strings |
+| **Possible values** | none
read
write
execute |
+
+#### Restrict removable media by vendor, product, and serial number
+
+As described in [Allow or block removable devices](#allow-or-block-removable-devices), removable media such as USB devices can be identified by the vendor ID, product ID, and serial number.
+
+At the top level of the removable media policy, you can optionally define more granular restrictions at the vendor level.
+
+The `vendors` dictionary contains one or more entries, with each entry being identified by the vendor ID.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | vendors |
+| **Data type** | Dictionary (nested preference) |
+
+For each vendor, you can specify the desired permission level for devices from that vendor.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | permission |
+| **Data type** | Array of strings |
+| **Possible values** | Same as [Default permission level](#default-permission-level) |
+
+Furthermore, you can optionally specify the set of products belonging to that vendor for which more granular permissions are defined. The `products` dictionary contains one or more entries, with each entry being identified by the product ID.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | products |
+| **Data type** | Dictionary (nested preference) |
+
+For each product, you can specify the desired permission level for that product.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | permission |
+| **Data type** | Array of strings |
+| **Possible values** | Same as [Default permission level](#default-permission-level) |
+
+Furthermore, you can specify an optional set of serial numbers for which more granular permissions are defined.
+
+The `serialNumbers` dictionary contains one or more entries, with each entry being identified by the serial number.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | serialNumbers |
+| **Data type** | Dictionary (nested preference) |
+
+For each serial number, you can specify the desired permission level.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | permission |
+| **Data type** | Array of strings |
+| **Possible values** | Same as [Default permission level](#default-permission-level) |
+
+#### Example device control policy
+
+The following example shows how all of the above concepts can be combined into a device control policy. In the following example, note the hierarchical nature of the removable media policy.
+
+```xml
+
+
+
+
+ deviceControl
+
+ navigationTarget
+ [custom URL for notifications]
+ removableMediaPolicy
+
+ enforcementLevel
+ [enforcement level]
+ permission
+
+ [permission]
+
+
+ vendors
+
+ [vendor id]
+
+ permission
+
+ [permission]
+
+
+ products
+
+ [product id]
+
+ permission
+
+ [permission]
+
+
+ serialNumbers
+
+ [serial-number]
+
+ [permission]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+We have included more examples of device control policies in the following documents:
+
+- [Examples of device control policies for Intune](mac-device-control-intune.md)
+- [Examples of device control policies for JAMF](mac-device-control-jamf.md)
+
+#### Look up device identifiers
+
+To find the vendor ID, product ID, and serial number of a USB device:
+
+1. Log into a Mac device.
+1. Plug in the USB device for which you want to look up the identifiers.
+1. In the top-level menu of macOS, select **About This Mac**.
+
+ 
+
+1. Select **System Report**.
+
+ 
+
+1. From the left column, select **USB**.
+
+ 
+
+1. Under **USB Device Tree**, navigate to the USB device that you plugged in.
+
+ 
+
+1. The vendor ID, product ID, and serial number are displayed. When adding the vendor ID and product ID to the removable media policy, you must only add the part after `0x`. For example, in the below image, vendor ID is `1000` and product ID is `090c`.
+
+#### Discover USB devices in your organization
+
+You can view mount, unmount, and volume change events originating from USB devices in Microsoft Defender for Endpoint advanced hunting. These events can be helpful to identify suspicious usage activity or perform internal investigations.
+
+```
+DeviceEvents
+ | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"
+ | where DeviceId == ""
+```
+
+## Device control policy deployment
+
+The device control policy must be included next to the other product settings, as described in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
+
+This profile can be deployed using the instructions listed in [Configuration profile deployment](mac-preferences.md#configuration-profile-deployment).
+
+## Troubleshooting tips
+
+After pushing the configuration profile through Intune or JAMF, you can check if it was successfully picked up by the product by running the following command from the Terminal:
+
+```bash
+mdatp device-control removable-media policy list
+```
+
+This command will print to standard output the device control policy that the product is using. In case this prints `Policy is empty`, make sure that (a) the configuration profile has indeed been pushed to your device from the management console, and (b) it is a valid device control policy, as described in this document.
+
+On a device where the policy has been delivered successfully and where there are one or more devices plugged in, you can run the following command to list all devices and the effective permissions applied to them.
+
+```bash
+mdatp device-control removable-media devices list
+```
+
+Example of output:
+
+```Output
+.Device(s)
+|-o Name: Untitled 1, Permission ["read", "execute"]
+| |-o Vendor: General "fff0"
+| |-o Product: USB Flash Disk "1000"
+| |-o Serial number: "04ZSSMHI2O7WBVOA"
+| |-o Mount point: "/Volumes/TESTUSB"
+```
+
+In the above example, there is only one removable media device plugged in and it has `read` and `execute` permissions, according to the device control policy that was delivered to the device.
+
+## Related topics
+
+- [Examples of device control policies for Intune](mac-device-control-intune.md)
+- [Examples of device control policies for JAMF](mac-device-control-jamf.md)
\ No newline at end of file
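Review bot: the reference table under "Restrict removable media by vendor, product, and serial number" documents a `permission` key for each serial number, but the skeleton under "Example device control policy" (and every example in the companion Intune and JAMF pages) maps the serial number directly to the permission array with no `permission` key, unlike the `vendors` and `products` levels; one of the two is wrong, and a policy written from the wrong form will not apply the intended permission to the one device it was meant to restrict, so correct whichever is incorrect and say what `mdatp device-control removable-media policy list` shows when a level is malformed. Also: the advanced hunting query filters on `ActionType == "UsbDriveDriveLetterChanged"`, a drive-letter event with no macOS equivalent, and on `DeviceId == ""`, which returns nothing as written; drop the first and mark the second as a placeholder to fill in. The "Look up device identifiers" step says "vendor ID is `1000` and product ID is `090c`" while everywhere else on the page `1000` is the product ID under vendor `fff0` (see the `devices list` sample output); check the screenshot and fix whichever is swapped. Finally, the file is missing its trailing newline.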
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
index 7fdbbda41d..5b920aba75 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
@@ -75,12 +75,12 @@ You'll need to take the following steps:
1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section.
- 
+ 
2. In the Jamf Pro dashboard, select **New**.
- 
+ 
3. Enter the following details:
@@ -93,13 +93,13 @@ You'll need to take the following steps:
4. In **Application & Custom Settings** select **Configure**.
- 
+ 
5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`.
- 
+ 
- 
+ 
7. Select **Open** and select the onboarding file.
@@ -118,17 +118,17 @@ You'll need to take the following steps:

- 
+ 
11. Select **Save**.
- 
+ 

12. Select **Done**.
- 
+ 

@@ -268,7 +268,7 @@ You'll need to take the following steps:
3. In the Jamf Pro dashboard, select **General**.
- 
+ 
4. Enter the following details:
@@ -280,64 +280,64 @@ You'll need to take the following steps:
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
- 
+ 
5. In **Application & Custom Settings** select **Configure**.
- 
+ 
6. Select **Upload File (PLIST file)**.
- 
+ 
7. In **Preferences Domain**, enter `com.microsoft.wdav`, then select **Upload PLIST File**.
- 
+ 
8. Select **Choose File**.
- 
+ 
9. Select the **MDATP_MDAV_configuration_settings.plist**, then select **Open**.
- 
+ 
10. Select **Upload**.
- 
+ 
- 
+ 
>[!NOTE]
>If you happen to upload the Intune file, you'll get the following error:
- >
+ >
11. Select **Save**.
- 
+ 
12. The file is uploaded.
- 
+ 
- 
+ 
13. Select the **Scope** tab.
- 
+ 
14. Select **Contoso's Machine Group**.
15. Select **Add**, then select **Save**.
- 
+ 
- 
+ 
16. Select **Done**. You'll see the new **Configuration profile**.
- 
+ 
## Step 4: Configure notifications settings
@@ -360,45 +360,45 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
- 
+ 
5. Select **Upload File (PLIST file)**.
- 
+ 
6. Select **Choose File** > **MDATP_MDAV_Notification_Settings.plist**.
- 
+ 
- 
+ 
7. Select **Open** > **Upload**.
- 
+ 
- 
+ 
8. Select the **Scope** tab, then select **Add**.
- 
+ 
9. Select **Contoso's Machine Group**.
10. Select **Add**, then select **Save**.
- 
+ 
- 
+ 
11. Select **Done**. You'll see the new **Configuration profile**.
- 
+ 
## Step 5: Configure Microsoft AutoUpdate (MAU)
@@ -410,7 +410,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
ChannelName
- Production
+ Current
HowToCheck
AutomaticDownload
EnableCheckForUpdatesButton
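Review bot: changing the `ChannelName` value in this plist fragment from `Production` to `Current` makes the Jamf example depend on the MAU channel rename that the mac-updates.md change in this same patch documents as applying only from Microsoft AutoUpdate 4.29 onward; a device still running an older MAU would receive an unrecognized channel name. Add the same "prior to MAU 4.29 the channel was named `Production`" caveat here (or a minimum-version statement above the plist) so the two documents stay consistent.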
@@ -427,7 +427,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
3. In the Jamf Pro dashboard, select **General**.
- 
+ 
4. Enter the following details:
@@ -441,54 +441,54 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
5. In **Application & Custom Settings** select **Configure**.
- 
+ 
6. Select **Upload File (PLIST file)**.
- 
+ 
7. In **Preference Domain** enter: `com.microsoft.autoupdate2`, then select **Upload PLIST File**.
- 
+ 
8. Select **Choose File**.
- 
+ 
9. Select **MDATP_MDAV_MAU_settings.plist**.
- 
+ 
10. Select **Upload**.
- 
+ 
- 
+ 
11. Select **Save**.
- 
+ 
12. Select the **Scope** tab.
- 
+ 
13. Select **Add**.
- 
+ 
- 
+ 
- 
+ 
14. Select **Done**.
- 
+ 
## Step 6: Grant full disk access to Microsoft Defender for Endpoint
1. In the Jamf Pro dashboard, select **Configuration Profiles**.
- 
+ 
2. Select **+ New**.
@@ -502,11 +502,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Level: Computer level
- 
+ 
4. In **Configure Privacy Preferences Policy Control** select **Configure**.
- 
+ 
5. In **Privacy Preferences Policy Control**, enter the following details:
@@ -515,11 +515,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Code Requirement: `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`
- 
+ 
6. Select **+ Add**.
- 
+ 
- Under App or service: Set to **SystemPolicyAllFiles**
@@ -527,11 +527,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
7. Select **Save** (not the one at the bottom right).
- 
+ 
8. Click the `+` sign next to **App Access** to add a new entry.
- 
+ 
9. Enter the following details:
@@ -541,7 +541,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
10. Select **+ Add**.
- 
+ 
- Under App or service: Set to **SystemPolicyAllFiles**
@@ -549,19 +549,19 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
11. Select **Save** (not the one at the bottom right).
- 
+ 
12. Select the **Scope** tab.
- 
+ 
13. Select **+ Add**.
- 
+ 
14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
- 
+ 
15. Select **Add**.
@@ -569,9 +569,9 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
17. Select **Done**.
- 
+ 
- 
+ 
## Step 7: Approve Kernel extension for Microsoft Defender for Endpoint
@@ -590,11 +590,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution Method: Install Automatically
- Level: Computer Level
- 
+ 
3. In **Configure Approved Kernel Extensions** select **Configure**.
- 
+ 
4. In **Approved Kernel Extensions** Enter the following details:
@@ -602,11 +602,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Display Name: Microsoft Corp.
- Team ID: UBF8T346G9
- 
+ 
5. Select the **Scope** tab.
- 
+ 
6. Select **+ Add**.
@@ -614,15 +614,15 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
8. Select **+ Add**.
- 
+ 
9. Select **Save**.
- 
+ 
10. Select **Done**.
- 
+ 
## Step 8: Approve System extensions for Microsoft Defender for Endpoint
@@ -641,11 +641,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution Method: Install Automatically
- Level: Computer Level
- 
+ 
3. In **System Extensions** select **Configure**.
- 
+ 
4. In **System Extensions** enter the following details:
@@ -656,11 +656,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- **com.microsoft.wdav.epsext**
- **com.microsoft.wdav.netext**
- 
+ 
5. Select the **Scope** tab.
- 
+ 
6. Select **+ Add**.
@@ -668,15 +668,15 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
8. Select **+ Add**.
- 
+ 
9. Select **Save**.
- 
+ 
10. Select **Done**.
- 
+ 
## Step 9: Configure Network Extension
@@ -704,19 +704,19 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
- 
+ 
6. Select **Upload**.
- 
+ 
7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
- 
+ 
8. Select the **Scope** tab.
- 
+ 
9. Select **+ Add**.
@@ -724,15 +724,15 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
11. Select **+ Add**.
- 
+ 
12. Select **Save**.
- 
+ 
13. Select **Done**.
- 
+ 
## Step 10: Schedule scans with Microsoft Defender for Endpoint for Mac
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
@@ -741,22 +741,22 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
1. Navigate to where you saved `wdav.pkg`.
- 
+ 
2. Rename it to `wdav_MDM_Contoso_200329.pkg`.
- 
+ 
3. Open the Jamf Pro dashboard.
- 
+ 
4. Select your computer and click the gear icon at the top, then select **Computer Management**.
- 
+ 
5. In **Packages**, select **+ New**.
- 
+ 
6. In **New Package** Enter the following details:
@@ -765,7 +765,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
- Category: None (default)
- Filename: Choose File
- 
+ 
Open the file and point it to `wdav.pkg` or `wdav_MDM_Contoso_200329.pkg`.
@@ -779,75 +779,75 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
**Limitations tab**
Keep default values.
- 
+ 
8. Select **Save**. The package is uploaded to Jamf Pro.
- 
+ 
It can take a few minutes for the package to be available for deployment.
- 
+ 
9. Navigate to the **Policies** page.
- 
+ 
10. Select **+ New** to create a new policy.
- 
+ 
11. In **General** Enter the following details:
- Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
- 
+ 
12. Select **Recurring Check-in**.
- 
+ 
13. Select **Save**.
14. Select **Packages > Configure**.
- 
+ 
15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
- 
+ 
16. Select **Save**.
- 
+ 
17. Select the **Scope** tab.
- 
+ 
18. Select the target computers.
- 
+ 
**Scope**
Select **Add**.
- 
+ 
- 
+ 
**Self-Service**
- 
+ 
19. Select **Done**.
- 
+ 
- 
+ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
index 57c75b7e1f..2dcc5842d6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
@@ -55,7 +55,7 @@ These steps assume you already have Defender for Endpoint running on your device
If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted).
```bash
- defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast
+ defaults write com.microsoft.autoupdate2 ChannelName -string Beta
```
Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender ATP for Mac: Set the channel name](mac-updates.md#set-the-channel-name).
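Review bot: the command now writes `Beta`, but the unchanged sentence above it still tells the reader to check whether the device is in the "Insider Fast update channel", so the prose and the command no longer name the same channel. Update the sentence to the new name (for example "the Beta (formerly Insider Fast) update channel") and, since older MAU builds still expect `InsiderFast`, either mention the 4.29 version boundary or link to the rename note in mac-updates.md.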
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
index 518755e4a6..c0e133184e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
@@ -57,19 +57,27 @@ This section describes the most common preferences that can be used to configure
### Set the channel name
-The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`.
+The channel determines the type and frequency of updates that are offered through MAU. Devices in `Beta` can try out new features before devices in `Preview` and `Current`.
-The `Production` channel contains the most stable version of the product.
+The `Current` channel contains the most stable version of the product.
+
+>[!IMPORTANT]
+> Prior to Microsoft AutoUpdate version 4.29, channels had different names:
+>
+> - `Beta` was named `InsiderFast` (Insider Fast)
+> - `Preview` was named `External` (Insider Slow)
+> - `Current` was named `Production`
>[!TIP]
->In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `InsiderFast` or `External`.
+>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `Beta` or `Preview`.
|||
-|:---|:---|
+|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | ChannelName |
| **Data type** | String |
-| **Possible values** | InsiderFast
External
Production |
+| **Possible values** | Beta
Preview
Current |
+|||
>[!WARNING]
>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender for Endpoint for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
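Review bot: the new `>[!IMPORTANT]` block ends at the line `> - \`Current\` was named \`Production\`` and is immediately followed by `>[!TIP]` with no blank line between them; consecutive `>` lines are parsed as one blockquote, so the tip is likely to render inside the important alert rather than as its own callout. Insert an empty line after the last `> - ...` bullet. The same applies to the new `|||` row being followed directly by `>[!WARNING]`, which should also be separated by a blank line so the warning is not read as part of the table.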
@@ -82,62 +90,67 @@ The `Production` channel contains the most stable version of the product.
Change how often MAU searches for updates.
|||
-|:---|:---|
+|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | UpdateCheckFrequency |
| **Data type** | Integer |
| **Default value** | 720 (minutes) |
| **Comment** | This value is set in minutes. |
+|||
### Change how MAU interacts with updates
Change how MAU searches for updates.
|||
-|:---|:---|
+|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | HowToCheck |
| **Data type** | String |
| **Possible values** | Manual
AutomaticCheck
AutomaticDownload |
| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
+|||
### Change whether the "Check for Updates" button is enabled
Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface.
|||
-|:---|:---|
+|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | EnableCheckForUpdatesButton |
| **Data type** | Boolean |
| **Possible values** | True (default)
False |
+|||
### Disable Insider checkbox
Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
|||
-|:---|:---|
+|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | DisableInsiderCheckbox |
| **Data type** | Boolean |
| **Possible values** | False (default)
True |
+|||
### Limit the telemetry that is sent from MAU
Set to false to send minimal heartbeat data, no application usage, and no environment details.
|||
-|:---|:---|
+|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | SendAllTelemetryEnabled |
| **Data type** | Boolean |
| **Possible values** | True (default)
False |
+|||
## Example configuration profile
The following configuration profile is used to:
-- Place the device in the Insider Fast channel
+- Place the device in the Beta channel
- Automatically download and install updates
- Enable the "Check for updates" button in the user interface
- Allow users on the device to enroll into the Insider channels
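Review bot: the `+|||` line appended after every table in this hunk is a table row with two empty cells, not a terminator, and most Markdown renderers will show it as an extra blank row at the bottom of each table; if the goal is to end the table before the following heading, a blank line does that without adding a row. The `:---` to `:--` separator edits are functionally identical and only add churn to a hunk whose real change is the channel rename, so consider dropping them or landing them separately. While here, the unchanged description under "Change how MAU interacts with updates" repeats the previous section's "Change how MAU searches for updates." and could describe the `HowToCheck` key instead.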
@@ -150,7 +163,7 @@ The following configuration profile is used to:
ChannelName
- InsiderFast
+ Beta
HowToCheck
AutomaticDownload
EnableCheckForUpdatesButton
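Review bot: this example profile (and the second copy of the same fragment later in the file) now sets `ChannelName` to `Beta`, which the `>[!IMPORTANT]` note added earlier in this file says only exists from Microsoft AutoUpdate 4.29; the example section should state that minimum MAU version, or note that older deployments must still use `InsiderFast`, so that copying the example into a fleet with mixed MAU versions does not silently leave older devices on an unknown channel.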
@@ -210,7 +223,7 @@ The following configuration profile is used to:
PayloadEnabled
ChannelName
- InsiderFast
+ Beta
HowToCheck
AutomaticDownload
EnableCheckForUpdatesButton