mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Merge pull request #4798 from MicrosoftDocs/user/tudobril/mac-device-control
Device control public preview docs
commit e0b90fd15f
@ -253,6 +253,10 @@
##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
##### [Device control]()
###### [Device control overview](microsoft-defender-atp/mac-device-control-overview.md)
###### [JAMF examples](microsoft-defender-atp/mac-device-control-jamf.md)
###### [Intune examples](microsoft-defender-atp/mac-device-control-intune.md)
##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md)

#### [Troubleshoot]()
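Review bot: the new parent entry `##### [Device control]()` has an empty link target, so it renders as a non-clickable grouping node; that matches the existing `#### [Troubleshoot]()` convention in this TOC, but since this change also adds an overview page, consider pointing the parent at `microsoft-defender-atp/mac-device-control-overview.md` so the node itself opens the overview, and keep the three `######` children for the overview, JAMF and Intune pages.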
Binary file not shown (image added, 118 KiB).
Binary file not shown (image added, 296 KiB).
Binary file not shown (image added, 426 KiB).
Binary file not shown (image added, 404 KiB).
Binary file not shown (image added, 42 KiB).
@ -0,0 +1,426 @@
---
title: Examples of device control policies for Intune
description: Learn how to use device control policies using examples that can be used with Intune.
keywords: microsoft, defender, atp, mac, device, control, usb, removable, media, intune
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.technology: mde
---

# Examples of device control policies for Intune

[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]

**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

[!include[Prerelease information](../../includes/prerelease.md)]

This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using Intune to manage devices in your enterprise.

## Restrict access to all removable media

The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be disallowed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```

## Set all removable media to be read-only

The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```

## Disallow program execution from removable media

The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```

## Restrict all devices from specific vendors

The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
<key>4525</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```

## Restrict specific devices identified by vendor ID, product ID, and serial number

The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>products</key>
<dict>
<key>1000</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>serialNumbers</key>
<dict>
<key>04ZSSMHI2O7WBVOA</key>
<array>
<string>none</string>
</array>
<key>04ZSSMHI2O7WBVOB</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```

## Related topics

- [Overview of device control for macOS](mac-device-control-overview.md)
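Review bot: every example in this file opens with `<plist version="1">`, while the DOCTYPE on the line above references PropertyList-1.0 and the JAMF examples added in this same change use `<plist version="1.0">`; use `1.0` here as well so the profiles match the DTD they declare and the two example pages stay consistent. Two smaller documentation points: all five profiles reuse the same `PayloadUUID` values (`C4E6A782-0C8D-44AB-A025-EB893987A295` and `99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295`), so a sentence telling readers to generate fresh UUIDs before uploading would avoid collisions with an existing `com.microsoft.wdav` profile; and the `PayloadDisplayName` and `PayloadDescription` strings still read "Microsoft Defender ATP" even though the page carries the Microsoft 365 Defender rebranding include.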
@ -0,0 +1,221 @@
---
title: Examples of device control policies for JAMF
description: Learn how to use device control policies using examples that can be used with JAMF.
keywords: microsoft, defender, endpoint, atp, mac, device, control, usb, removable, media, jamf
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.technology: mde
---

# Examples of device control policies for JAMF

[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]

**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

[!include[Prerelease information](../../includes/prerelease.md)]

This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using JAMF to manage devices in your enterprise.

## Restrict access to all removable media

The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be prohibited.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</plist>
```

## Set all removable media to be read-only

The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
</array>
</dict>
</dict>
</dict>
</plist>
```

## Disallow program execution from removable media

The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
</array>
</dict>
</dict>
</dict>
</plist>
```

## Restrict all devices from specific vendors

The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
<key>4525</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</plist>
```

## Restrict specific devices identified by vendor ID, product ID, and serial number

The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>products</key>
<dict>
<key>1000</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>serialNumbers</key>
<dict>
<key>04ZSSMHI2O7WBVOA</key>
<array>
<string>none</string>
</array>
<key>04ZSSMHI2O7WBVOB</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</plist>
```

## Related topics

- [Overview of device control for macOS](mac-device-control-overview.md)
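Review bot: in the last example the serial-number level maps each serial directly to a permission array (`<key>04ZSSMHI2O7WBVOA</key>` is followed immediately by `<array>`), whereas the vendor and product levels wrap their permissions in a `<dict>` with a `<key>permission</key>` entry; the paragraph above the example does not mention this asymmetry, so either state that serial-number entries take a bare permission array, or, if the shape is unintended, make the serial-number entries dicts like the levels above them. The Intune examples in this same change use the identical shape, so whichever is correct should be applied to both pages.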
@ -0,0 +1,370 @@
---
title: Device control for macOS
description: Learn how to configure Microsoft Defender for Endpoint for Mac to reduce threats from removable storage such as USB devices.
keywords: microsoft, defender, atp, mac, device, control, usb, removable, media
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.technology: mde
---

# Device control for macOS

[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]

**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

[!include[Prerelease information](../../includes/prerelease.md)]

## Requirements

Device control for macOS has the following prerequisites:

>[!div class="checklist"]
> - Microsoft Defender for Endpoint entitlement (can be trial)
> - Minimum OS version: macOS 10.15.4 or higher
> - Minimum product version: 101.24.59
> - Your device must be running with system extensions (this is the default on macOS 11 Big Sur).
>
> You can check if your device is running on system extensions by running the following command and verify that it is printing `endpoint_security_extension` to the console:
>
> ```bash
> mdatp health --field real_time_protection_subsystem
> ```
> - Your device must be in `Beta` (previously called `InsiderFast`) Microsoft AutoUpdate update channel. For more information, see [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md).
>
> You can check the update channel using the following command:
>
> ```bash
> mdatp health --field release_ring
> ```
>
> If the above command does not print either `Beta` or `InsiderFast`, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).
>
> ```bash
> defaults write com.microsoft.autoupdate2 ChannelName -string Beta
> ```
>
> Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md).

## Device control policy

To configure device control for macOS, you must create a policy that describes the restrictions you want to put in place within your organization.

The device control policy is included in the configuration profile used to configure all other product settings. For more information, see [Configuration profile structure](mac-preferences.md#configuration-profile-structure).

Within the configuration profile, the device control policy is defined in the following section:

|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | deviceControl |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |

The device control policy can be used to:

- [Customize the URL target for notifications raised by device control](#customize-url-target-for-notifications-raised-by-device-control)
- [Allow or block removable devices](#allow-or-block-removable-devices)

### Customize URL target for notifications raised by device control

When the device control policy that you have put in place is enforced on a device (for example, access to a removable media device is restricted), a notification is displayed to the user.



When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification.

|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | navigationTarget |
| **Data type** | String |
| **Comments** | If not defined, the product uses a default URL pointing to a generic page explaining the action taken by the product. |

### Allow or block removable devices

The removable media section of the device control policy is used to restrict access to removable media.

> [!NOTE]
> The following types of removable media are currently supported and can be included in the policy: USB storage devices.

|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | removableMediaPolicy |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |

This section of the policy is hierarchical, allowing for maximum flexibility and covering a wide range of use cases. At the top level are vendors, identified by a vendor ID. For each vendor, there are products, identified by a product ID. Finally, for each product there are serial numbers denoting specific devices.

```
|-- policy top level
|-- vendor 1
|-- product 1
|-- serial number 1
...
|-- serial number N
...
|-- product N
...
|-- vendor N
```

For information on how to find the device identifiers, see [Look up device identifiers](#look-up-device-identifiers).

The policy is evaluated from the most specific entry to the most general one. Meaning, when a device is plugged in, the product tries to find the most specific match in the policy for each removable media device and apply the permissions at that level. If there is no match, then the next best match is applied, all the way to the permission specified at the top level, which is the default when a device does not match any other entry in the policy.

#### Policy enforcement level

Under the removable media section, there is an option to set the enforcement level, which can take one of the following values:

- `audit` - Under this enforcement level, if access to a device is restricted, a notification is displayed to the user, however the device can still be used. This enforcement level can be useful to evaluate the effectiveness of a policy.
- `block` - Under this enforcement level, the operations that the user can perform on the device are limited to what is defined in the policy. Furthermore, a notification is raised to the user.
|
||||||
|
|||
|
||||||
|
|:---|:---|
|
||||||
|
| **Domain** | `com.microsoft.wdav` |
|
||||||
|
| **Key** | enforcementLevel |
|
||||||
|
| **Data type** | String |
|
||||||
|
| **Possible values** | audit (default) <br/> block |
|
||||||
|
|
||||||
|
#### Default permission level
|
||||||
|
|
||||||
|
At the top level of the removable media section, you can configure the default permission level for devices that do not match anything else in the policy.
|
||||||
|
|
||||||
|
This setting can be set to:
|
||||||
|
|
||||||
|
- `none` - No operations can be performed on the device
|
||||||
|
- A combination of the following values:
|
||||||
|
- `read` - Read operations are permitted on the device
|
||||||
|
- `write` - Write operations are permitted on the device
|
||||||
|
- `execute` - Execute operations are permitted on the device
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> If `none` is present in the permission level, any other permissions (`read`, `write`, or `execute`) will be ignored.
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> The `execute` permission only refers to execution of Mach-O binaries. It does not include execution of scripts or other types of payloads.
|
||||||
|
|
||||||
|
|||
|
||||||
|
|:---|:---|
|
||||||
|
| **Domain** | `com.microsoft.wdav` |
|
||||||
|
| **Key** | permission |
|
||||||
|
| **Data type** | Array of strings |
|
||||||
|
| **Possible values** | none <br/> read <br/> write <br/> execute |
|
||||||
|
|
||||||
|
#### Restrict removable media by vendor, product, and serial number
|
||||||
|
|
||||||
|
As described in [Allow or block removable devices](#allow-or-block-removable-devices), removable media such as USB devices can be identified by the vendor ID, product ID, and serial number.
|
||||||
|
|
||||||
|
At the top level of the removable media policy, you can optionally define more granular restrictions at the vendor level.
|
||||||
|
|
||||||
|
The `vendors` dictionary contains one or more entries, with each entry being identified by the vendor ID.
|
||||||
|
|
||||||
|
|||
|
||||||
|
|:---|:---|
|
||||||
|
| **Domain** | `com.microsoft.wdav` |
|
||||||
|
| **Key** | vendors |
|
||||||
|
| **Data type** | Dictionary (nested preference) |
|
||||||
|
|
||||||
|
For each vendor, you can specify the desired permission level for devices from that vendor.
|
||||||
|
|
||||||
|
|||
|
||||||
|
|:---|:---|
|
||||||
|
| **Domain** | `com.microsoft.wdav` |
|
||||||
|
| **Key** | permission |
|
||||||
|
| **Data type** | Array of strings |
|
||||||
|
| **Possible values** | Same as [Default permission level](#default-permission-level) |
|
||||||
|
|
||||||
|
Furthermore, you can optionally specify the set of products belonging to that vendor for which more granular permissions are defined. The `products` dictionary contains one or more entries, with each entry being identified by the product ID.
|
||||||
|
|
||||||
|
|||
|
||||||
|
|:---|:---|
|
||||||
|
| **Domain** | `com.microsoft.wdav` |
|
||||||
|
| **Key** | products |
|
||||||
|
| **Data type** | Dictionary (nested preference) |
|
||||||
|
|
||||||
|
For each product, you can specify the desired permission level for that product.
|
||||||
|
|
||||||
|
|||
|
||||||
|
|:---|:---|
|
||||||
|
| **Domain** | `com.microsoft.wdav` |
|
||||||
|
| **Key** | permission |
|
||||||
|
| **Data type** | Array of strings |
|
||||||
|
| **Possible values** | Same as [Default permission level](#default-permission-level) |
|
||||||
|
|
||||||
|
Furthermore, you can specify an optional set of serial numbers for which more granular permissions are defined.
|
||||||
|
|
||||||
|
The `serialNumbers` dictionary contains one or more entries, with each entry being identified by the serial number.
|
||||||
|
|
||||||
|
|||
|
||||||
|
|:---|:---|
|
||||||
|
| **Domain** | `com.microsoft.wdav` |
|
||||||
|
| **Key** | serialNumbers |
|
||||||
|
| **Data type** | Dictionary (nested preference) |
|
||||||
|
|
||||||
|
For each serial number, you can specify the desired permission level.
|
||||||
|
|
||||||
|
|||
|
||||||
|
|:---|:---|
|
||||||
|
| **Domain** | `com.microsoft.wdav` |
|
||||||
|
| **Key** | permission |
|
||||||
|
| **Data type** | Array of strings |
|
||||||
|
| **Possible values** | Same as [Default permission level](#default-permission-level) |
|
||||||
|
|
||||||
|
#### Example device control policy
|
||||||
|
|
||||||
|
The following example shows how all of the above concepts can be combined into a device control policy. In the following example, note the hierarchical nature of the removable media policy.
|
||||||
|
|
||||||
|
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>navigationTarget</key>
<string>[custom URL for notifications]</string>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>[enforcement level]</string> <!-- audit / block -->
<key>permission</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<key>vendors</key>
<dict>
<key>[vendor id]</key>
<dict>
<key>permission</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<key>products</key>
<dict>
<key>[product id]</key>
<dict>
<key>permission</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<key>serialNumbers</key>
<dict>
<key>[serial-number]</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<!-- other serial numbers -->
</dict>
</dict>
<!-- other products -->
</dict>
</dict>
<!-- other vendors -->
</dict>
</dict>
</dict>
</dict>
</plist>
```

We have included more examples of device control policies in the following documents:

- [Examples of device control policies for Intune](mac-device-control-intune.md)
- [Examples of device control policies for JAMF](mac-device-control-jamf.md)

#### Look up device identifiers

To find the vendor ID, product ID, and serial number of a USB device:

1. Log into a Mac device.
1. Plug in the USB device for which you want to look up the identifiers.
1. In the top-level menu of macOS, select **About This Mac**.

1. Select **System Report**.

1. From the left column, select **USB**.

1. Under **USB Device Tree**, navigate to the USB device that you plugged in.

1. The vendor ID, product ID, and serial number are displayed. When adding the vendor ID and product ID to the removable media policy, you must only add the part after `0x`. For example, in the below image, vendor ID is `1000` and product ID is `090c`.

#### Discover USB devices in your organization

You can view mount, unmount, and volume change events originating from USB devices in Microsoft Defender for Endpoint advanced hunting. These events can be helpful to identify suspicious usage activity or perform internal investigations.

```
DeviceEvents
| where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"
| where DeviceId == "<device ID>"
```

## Device control policy deployment

The device control policy must be included next to the other product settings, as described in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).

This profile can be deployed using the instructions listed in [Configuration profile deployment](mac-preferences.md#configuration-profile-deployment).

## Troubleshooting tips

After pushing the configuration profile through Intune or JAMF, you can check if it was successfully picked up by the product by running the following command from the Terminal:

```bash
mdatp device-control removable-media policy list
```

This command will print to standard output the device control policy that the product is using. In case this prints `Policy is empty`, make sure that (a) the configuration profile has indeed been pushed to your device from the management console, and (b) it is a valid device control policy, as described in this document.

On a device where the policy has been delivered successfully and where there are one or more devices plugged in, you can run the following command to list all devices and the effective permissions applied to them.

```bash
mdatp device-control removable-media devices list
```

Example of output:

```Output
.Device(s)
|-o Name: Untitled 1, Permission ["read", "execute"]
| |-o Vendor: General "fff0"
| |-o Product: USB Flash Disk "1000"
| |-o Serial number: "04ZSSMHI2O7WBVOA"
| |-o Mount point: "/Volumes/TESTUSB"
```

In the above example, there is only one removable media device plugged in and it has `read` and `execute` permissions, according to the device control policy that was delivered to the device.

## Related topics

- [Examples of device control policies for Intune](mac-device-control-intune.md)
- [Examples of device control policies for JAMF](mac-device-control-jamf.md)

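Review bot: the serialNumbers level of the example policy is shaped differently from what the tables describe: `<key>[serial-number]</key>` is followed directly by an `<array>` of permission strings, while the serialNumbers table states that each serial number carries a `permission` key (array of strings), the same shape the example uses for vendor and product entries (`<dict><key>permission</key><array>`). Either nest the serial-number permissions in the example as `<dict><key>permission</key><array>...</array></dict>`, or state in the table that the value under a serial number is the permission array itself; as written, a policy copied from the example and one built from the tables have different shapes, and the troubleshooting section offers only `Policy is empty` as the symptom of an invalid policy, so readers will not know which form the product expects. A smaller point in the same hunk: the advanced hunting query filters on `UsbDriveDriveLetterChanged`, which the prose introduces as "volume change events"; one sentence mapping the three action types to the mount, unmount and volume change events would help macOS readers, who have no drive letters.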
@ -75,12 +75,12 @@ You'll need to take the following steps:

1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section.

2. In the Jamf Pro dashboard, select **New**.

3. Enter the following details:

@ -93,13 +93,13 @@ You'll need to take the following steps:

4. In **Application & Custom Settings** select **Configure**.

5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`.

7. Select **Open** and select the onboarding file.

@ -118,17 +118,17 @@ You'll need to take the following steps:

11. Select **Save**.

12. Select **Done**.

@ -268,7 +268,7 @@ You'll need to take the following steps:

3. In the Jamf Pro dashboard, select **General**.

4. Enter the following details:

@ -280,64 +280,64 @@ You'll need to take the following steps:
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)

5. In **Application & Custom Settings** select **Configure**.

6. Select **Upload File (PLIST file)**.

7. In **Preferences Domain**, enter `com.microsoft.wdav`, then select **Upload PLIST File**.

8. Select **Choose File**.

9. Select the **MDATP_MDAV_configuration_settings.plist**, then select **Open**.

10. Select **Upload**.

>[!NOTE]
>If you happen to upload the Intune file, you'll get the following error:<br>
>

11. Select **Save**.

12. The file is uploaded.

13. Select the **Scope** tab.

14. Select **Contoso's Machine Group**.

15. Select **Add**, then select **Save**.

16. Select **Done**. You'll see the new **Configuration profile**.

## Step 4: Configure notifications settings

@ -360,45 +360,45 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)

5. Select **Upload File (PLIST file)**.

6. Select **Choose File** > **MDATP_MDAV_Notification_Settings.plist**.

7. Select **Open** > **Upload**.

8. Select the **Scope** tab, then select **Add**.

9. Select **Contoso's Machine Group**.

10. Select **Add**, then select **Save**.

11. Select **Done**. You'll see the new **Configuration profile**.

## Step 5: Configure Microsoft AutoUpdate (MAU)

@ -410,7 +410,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
<plist version="1.0">
<dict>
<key>ChannelName</key>
<string>Production</string>
<string>Current</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
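Review bot: the `ChannelName` value changes from `Production` to `Current`, but the hunk carries no matching text change; if the page describes the update channels by name anywhere, that prose should be updated in the same change so the sample plist and the explanation agree, and a short sentence near the sample noting that the value shown here used to be `Production` would spare readers with older profiles from guessing why their value differs.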
@ -427,7 +427,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
|
|
||||||
3. In the Jamf Pro dashboard, select **General**.
|
3. In the Jamf Pro dashboard, select **General**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
4. Enter the following details:
|
4. Enter the following details:
|
||||||
|
|
||||||
@ -441,54 +441,54 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
|
|
||||||
5. In **Application & Custom Settings** select **Configure**.
|
5. In **Application & Custom Settings** select **Configure**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
6. Select **Upload File (PLIST file)**.
|
6. Select **Upload File (PLIST file)**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
7. In **Preference Domain** enter: `com.microsoft.autoupdate2`, then select **Upload PLIST File**.
|
7. In **Preference Domain** enter: `com.microsoft.autoupdate2`, then select **Upload PLIST File**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
8. Select **Choose File**.
|
8. Select **Choose File**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
9. Select **MDATP_MDAV_MAU_settings.plist**.
|
9. Select **MDATP_MDAV_MAU_settings.plist**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
10. Select **Upload**.
|
10. Select **Upload**.
|
||||||

|

|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
11. Select **Save**.
|
11. Select **Save**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
12. Select the **Scope** tab.
|
12. Select the **Scope** tab.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
13. Select **Add**.
|
13. Select **Add**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||

|

|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
14. Select **Done**.
|
14. Select **Done**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
## Step 6: Grant full disk access to Microsoft Defender for Endpoint
|
## Step 6: Grant full disk access to Microsoft Defender for Endpoint
|
||||||
|
|
||||||
1. In the Jamf Pro dashboard, select **Configuration Profiles**.
|
1. In the Jamf Pro dashboard, select **Configuration Profiles**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
2. Select **+ New**.
|
2. Select **+ New**.
|
||||||
|
|
||||||
@ -502,11 +502,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
- Level: Computer level
|
- Level: Computer level
|
||||||
|
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
4. In **Configure Privacy Preferences Policy Control** select **Configure**.
|
4. In **Configure Privacy Preferences Policy Control** select **Configure**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
5. In **Privacy Preferences Policy Control**, enter the following details:
|
5. In **Privacy Preferences Policy Control**, enter the following details:
|
||||||
|
|
||||||
@ -515,11 +515,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
- Code Requirement: `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`
|
- Code Requirement: `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`
|
||||||
|
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
6. Select **+ Add**.
|
6. Select **+ Add**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
- Under App or service: Set to **SystemPolicyAllFiles**
|
- Under App or service: Set to **SystemPolicyAllFiles**
|
||||||
|
|
||||||
@ -527,11 +527,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
|
|
||||||
7. Select **Save** (not the one at the bottom right).
|
7. Select **Save** (not the one at the bottom right).
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
8. Click the `+` sign next to **App Access** to add a new entry.
|
8. Click the `+` sign next to **App Access** to add a new entry.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
9. Enter the following details:
|
9. Enter the following details:
|
||||||
|
|
||||||
@ -541,7 +541,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
|
|
||||||
10. Select **+ Add**.
|
10. Select **+ Add**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
- Under App or service: Set to **SystemPolicyAllFiles**
|
- Under App or service: Set to **SystemPolicyAllFiles**
|
||||||
|
|
||||||
@ -549,19 +549,19 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
|
|
||||||
11. Select **Save** (not the one at the bottom right).
|
11. Select **Save** (not the one at the bottom right).
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
12. Select the **Scope** tab.
|
12. Select the **Scope** tab.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
13. Select **+ Add**.
|
13. Select **+ Add**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
|
14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
15. Select **Add**.
|
15. Select **Add**.
|
||||||
|
|
||||||
@ -569,9 +569,9 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
|
|
||||||
17. Select **Done**.
|
17. Select **Done**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
|
||||||
## Step 7: Approve Kernel extension for Microsoft Defender for Endpoint
|
## Step 7: Approve Kernel extension for Microsoft Defender for Endpoint
|
||||||
@ -590,11 +590,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
- Distribution Method: Install Automatically
|
- Distribution Method: Install Automatically
|
||||||
- Level: Computer Level
|
- Level: Computer Level
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
3. In **Configure Approved Kernel Extensions** select **Configure**.
|
3. In **Configure Approved Kernel Extensions** select **Configure**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
|
||||||
4. In **Approved Kernel Extensions** Enter the following details:
|
4. In **Approved Kernel Extensions** Enter the following details:
|
||||||
@ -602,11 +602,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
- Display Name: Microsoft Corp.
|
- Display Name: Microsoft Corp.
|
||||||
- Team ID: UBF8T346G9
|
- Team ID: UBF8T346G9
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
5. Select the **Scope** tab.
|
5. Select the **Scope** tab.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
6. Select **+ Add**.
|
6. Select **+ Add**.
|
||||||
|
|
||||||
@ -614,15 +614,15 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
|
|
||||||
8. Select **+ Add**.
|
8. Select **+ Add**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
9. Select **Save**.
|
9. Select **Save**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
10. Select **Done**.
|
10. Select **Done**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
|
||||||
## Step 8: Approve System extensions for Microsoft Defender for Endpoint
|
## Step 8: Approve System extensions for Microsoft Defender for Endpoint
|
||||||
@ -641,11 +641,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
- Distribution Method: Install Automatically
|
- Distribution Method: Install Automatically
|
||||||
- Level: Computer Level
|
- Level: Computer Level
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
3. In **System Extensions** select **Configure**.
|
3. In **System Extensions** select **Configure**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
4. In **System Extensions** enter the following details:
|
4. In **System Extensions** enter the following details:
|
||||||
|
|
||||||
@ -656,11 +656,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
- **com.microsoft.wdav.epsext**
|
- **com.microsoft.wdav.epsext**
|
||||||
- **com.microsoft.wdav.netext**
|
- **com.microsoft.wdav.netext**
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
5. Select the **Scope** tab.
|
5. Select the **Scope** tab.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
6. Select **+ Add**.
|
6. Select **+ Add**.
|
||||||
|
|
||||||
@ -668,15 +668,15 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
|
|||||||
|
|
||||||
8. Select **+ Add**.
|
8. Select **+ Add**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
9. Select **Save**.
|
9. Select **Save**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
10. Select **Done**.
|
10. Select **Done**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
## Step 9: Configure Network Extension
|
## Step 9: Configure Network Extension
|
||||||
|
|
||||||
@ -704,19 +704,19 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
|
|||||||
|
|
||||||
5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
|
5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
6. Select **Upload**.
|
6. Select **Upload**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
|
7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
8. Select the **Scope** tab.
|
8. Select the **Scope** tab.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
9. Select **+ Add**.
|
9. Select **+ Add**.
|
||||||
|
|
||||||
@ -724,15 +724,15 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
|
|||||||
|
|
||||||
11. Select **+ Add**.
|
11. Select **+ Add**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
12. Select **Save**.
|
12. Select **Save**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
13. Select **Done**.
|
13. Select **Done**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
## Step 10: Schedule scans with Microsoft Defender for Endpoint for Mac
|
## Step 10: Schedule scans with Microsoft Defender for Endpoint for Mac
|
||||||
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
|
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
|
||||||
@ -741,22 +741,22 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
|
|||||||
|
|
||||||
1. Navigate to where you saved `wdav.pkg`.
|
1. Navigate to where you saved `wdav.pkg`.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
2. Rename it to `wdav_MDM_Contoso_200329.pkg`.
|
2. Rename it to `wdav_MDM_Contoso_200329.pkg`.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
3. Open the Jamf Pro dashboard.
|
3. Open the Jamf Pro dashboard.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
4. Select your computer and click the gear icon at the top, then select **Computer Management**.
|
4. Select your computer and click the gear icon at the top, then select **Computer Management**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
5. In **Packages**, select **+ New**.
|
5. In **Packages**, select **+ New**.
|
||||||

|

|
||||||
|
|
||||||
6. In **New Package** Enter the following details:
|
6. In **New Package** Enter the following details:
|
||||||
|
|
||||||
@ -765,7 +765,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
|
|||||||
- Category: None (default)
|
- Category: None (default)
|
||||||
- Filename: Choose File
|
- Filename: Choose File
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Open the file and point it to `wdav.pkg` or `wdav_MDM_Contoso_200329.pkg`.
|
Open the file and point it to `wdav.pkg` or `wdav_MDM_Contoso_200329.pkg`.
|
||||||
|
|
||||||
@ -779,75 +779,75 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
|
|||||||
|
|
||||||
**Limitations tab**<br> Keep default values.
|
**Limitations tab**<br> Keep default values.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
8. Select **Save**. The package is uploaded to Jamf Pro.
|
8. Select **Save**. The package is uploaded to Jamf Pro.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
It can take a few minutes for the package to be available for deployment.
|
It can take a few minutes for the package to be available for deployment.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
9. Navigate to the **Policies** page.
|
9. Navigate to the **Policies** page.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
10. Select **+ New** to create a new policy.
|
10. Select **+ New** to create a new policy.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
|
||||||
11. In **General** Enter the following details:
|
11. In **General** Enter the following details:
|
||||||
|
|
||||||
- Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
|
- Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
12. Select **Recurring Check-in**.
|
12. Select **Recurring Check-in**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
|
||||||
13. Select **Save**.
|
13. Select **Save**.
|
||||||
|
|
||||||
14. Select **Packages > Configure**.
|
14. Select **Packages > Configure**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
|
15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
16. Select **Save**.
|
16. Select **Save**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
17. Select the **Scope** tab.
|
17. Select the **Scope** tab.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
18. Select the target computers.
|
18. Select the target computers.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
**Scope**
|
**Scope**
|
||||||
|
|
||||||
Select **Add**.
|
Select **Add**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
**Self-Service**
|
**Self-Service**
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
19. Select **Done**.
|
19. Select **Done**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
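Review bot: product naming in this hunk is inconsistent with the hunk context line, which calls the product "Microsoft Defender for Endpoint": step 15 says "**Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**" and step 11 uses the display name "MDATP Onboarding Contoso 200329 v100.86.92 or later". If step 15 is the literal package title Jamf Pro shows, keep it and say so; otherwise align both with the current product name. Minor: "In **General** Enter the following details:" at step 11 needs a comma and lowercase "enter".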
@ -55,7 +55,7 @@ These steps assume you already have Defender for Endpoint running on your device
|
|||||||
If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted).
|
If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted).
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast
|
defaults write com.microsoft.autoupdate2 ChannelName -string Beta
|
||||||
```
|
```
|
||||||
|
|
||||||
Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender ATP for Mac: Set the channel name](mac-updates.md#set-the-channel-name).
|
Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender ATP for Mac: Set the channel name](mac-updates.md#set-the-channel-name).
|
||||||
|
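Review bot: the command now writes `Beta`, but the sentence introducing it still says "If your device isn't already in the Insider Fast update channel", so the prose and the command no longer use the same name. Suggest "If your device isn't already in the Beta (formerly Insider Fast) update channel" so readers on a mixed fleet can connect the two names.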
@ -57,19 +57,27 @@ This section describes the most common preferences that can be used to configure
|
|||||||
|
|
||||||
### Set the channel name
|
### Set the channel name
|
||||||
|
|
||||||
The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`.
|
The channel determines the type and frequency of updates that are offered through MAU. Devices in `Beta` can try out new features before devices in `Preview` and `Current`.
|
||||||
|
|
||||||
The `Production` channel contains the most stable version of the product.
|
The `Current` channel contains the most stable version of the product.
|
||||||
|
|
||||||
|
>[!IMPORTANT]
|
||||||
|
> Prior to Microsoft AutoUpdate version 4.29, channels had different names:
|
||||||
|
>
|
||||||
|
> - `Beta` was named `InsiderFast` (Insider Fast)
|
||||||
|
> - `Preview` was named `External` (Insider Slow)
|
||||||
|
> - `Current` was named `Production`
|
||||||
|
|
||||||
>[!TIP]
|
>[!TIP]
|
||||||
>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `InsiderFast` or `External`.
|
>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `Beta` or `Preview`.
|
||||||
|
|
||||||
|||
|
|||
|
||||||
|:---|:---|
|
|:--|:--|
|
||||||
| **Domain** | com.microsoft.autoupdate2 |
|
| **Domain** | com.microsoft.autoupdate2 |
|
||||||
| **Key** | ChannelName |
|
| **Key** | ChannelName |
|
||||||
| **Data type** | String |
|
| **Data type** | String |
|
||||||
| **Possible values** | InsiderFast <br/> External <br/> Production |
|
| **Possible values** | Beta <br/> Preview <br/> Current |
|
||||||
|
|||
|
||||||
|
|
||||||
>[!WARNING]
|
>[!WARNING]
|
||||||
>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender for Endpoint for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
|
>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender for Endpoint for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
|
||||||
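Review bot: the new IMPORTANT note records that channels were renamed in Microsoft AutoUpdate 4.29, but it does not say what happens when `ChannelName` is set to `Beta`, `Preview` or `Current` on a device still running an older MAU (is the value ignored, or does the device fall back to a default channel?), nor whether 4.29 and later still accept the old `InsiderFast`, `External` and `Production` values. Admins with mixed MAU versions need that to choose a value; add one sentence covering each case, or state the minimum MAU version the table's "Possible values" row assumes.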
@ -82,62 +90,67 @@ The `Production` channel contains the most stable version of the product.
|
|||||||
Change how often MAU searches for updates.
|
Change how often MAU searches for updates.
|
||||||
|
|
||||||
|||
|
|||
|
||||||
|:---|:---|
|
|:--|:--|
|
||||||
| **Domain** | com.microsoft.autoupdate2 |
|
| **Domain** | com.microsoft.autoupdate2 |
|
||||||
| **Key** | UpdateCheckFrequency |
|
| **Key** | UpdateCheckFrequency |
|
||||||
| **Data type** | Integer |
|
| **Data type** | Integer |
|
||||||
| **Default value** | 720 (minutes) |
|
| **Default value** | 720 (minutes) |
|
||||||
| **Comment** | This value is set in minutes. |
|
| **Comment** | This value is set in minutes. |
|
||||||
|
|||
|
||||||
|
|
||||||
### Change how MAU interacts with updates
|
### Change how MAU interacts with updates
|
||||||
|
|
||||||
Change how MAU searches for updates.
|
Change how MAU searches for updates.
|
||||||
|
|
||||||
|||
|
|||
|
||||||
|:---|:---|
|
|:--|:--|
|
||||||
| **Domain** | com.microsoft.autoupdate2 |
|
| **Domain** | com.microsoft.autoupdate2 |
|
||||||
| **Key** | HowToCheck |
|
| **Key** | HowToCheck |
|
||||||
| **Data type** | String |
|
| **Data type** | String |
|
||||||
| **Possible values** | Manual <br/> AutomaticCheck <br/> AutomaticDownload |
|
| **Possible values** | Manual <br/> AutomaticCheck <br/> AutomaticDownload |
|
||||||
| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
|
| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
|
||||||
|
|||
|
||||||
|
|
||||||
### Change whether the "Check for Updates" button is enabled
|
### Change whether the "Check for Updates" button is enabled
|
||||||
|
|
||||||
Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface.
|
Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface.
|
||||||
|
|
||||||
|||
|
|||
|
||||||
|:---|:---|
|
|:--|:--|
|
||||||
| **Domain** | com.microsoft.autoupdate2 |
|
| **Domain** | com.microsoft.autoupdate2 |
|
||||||
| **Key** | EnableCheckForUpdatesButton |
|
| **Key** | EnableCheckForUpdatesButton |
|
||||||
| **Data type** | Boolean |
|
| **Data type** | Boolean |
|
||||||
| **Possible values** | True (default) <br/> False |
|
| **Possible values** | True (default) <br/> False |
|
||||||
|
|||
|
||||||
|
|
||||||
### Disable Insider checkbox
|
### Disable Insider checkbox
|
||||||
|
|
||||||
Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
|
Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
|
||||||
|
|
||||||
|||
|
|||
|
||||||
|:---|:---|
|
|:--|:--|
|
||||||
| **Domain** | com.microsoft.autoupdate2 |
|
| **Domain** | com.microsoft.autoupdate2 |
|
||||||
| **Key** | DisableInsiderCheckbox |
|
| **Key** | DisableInsiderCheckbox |
|
||||||
| **Data type** | Boolean |
|
| **Data type** | Boolean |
|
||||||
| **Possible values** | False (default) <br/> True |
|
| **Possible values** | False (default) <br/> True |
|
||||||
|
|||
|
||||||
|
|
||||||
### Limit the telemetry that is sent from MAU
|
### Limit the telemetry that is sent from MAU
|
||||||
|
|
||||||
Set to false to send minimal heartbeat data, no application usage, and no environment details.
|
Set to false to send minimal heartbeat data, no application usage, and no environment details.
|
||||||
|
|
||||||
|||
|
|||
|
||||||
|:---|:---|
|
|:--|:--|
|
||||||
| **Domain** | com.microsoft.autoupdate2 |
|
| **Domain** | com.microsoft.autoupdate2 |
|
||||||
| **Key** | SendAllTelemetryEnabled |
|
| **Key** | SendAllTelemetryEnabled |
|
||||||
| **Data type** | Boolean |
|
| **Data type** | Boolean |
|
||||||
| **Possible values** | True (default) <br/> False |
|
| **Possible values** | True (default) <br/> False |
|
||||||
|
|||
|
||||||
|
|
||||||
## Example configuration profile
|
## Example configuration profile
|
||||||
|
|
||||||
The following configuration profile is used to:
|
The following configuration profile is used to:
|
||||||
- Place the device in the Insider Fast channel
|
- Place the device in the Beta channel
|
||||||
- Automatically download and install updates
|
- Automatically download and install updates
|
||||||
- Enable the "Check for updates" button in the user interface
|
- Enable the "Check for updates" button in the user interface
|
||||||
- Allow users on the device to enroll into the Insider channels
|
- Allow users on the device to enroll into the Insider channels
|
||||||
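Review bot: under "### Change how MAU interacts with updates", the description "Change how MAU searches for updates." is nearly identical to the preceding section's "Change how often MAU searches for updates." and does not describe what the `HowToCheck` values (`Manual`, `AutomaticCheck`, `AutomaticDownload`) control; suggest "Change whether MAU checks for updates manually or automatically, and whether it downloads and installs them without user interaction." The `:---` to `:--` alignment change is cosmetic and is applied consistently across all the tables in this hunk.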
@ -150,7 +163,7 @@ The following configuration profile is used to:
|
|||||||
<plist version="1.0">
|
<plist version="1.0">
|
||||||
<dict>
|
<dict>
|
||||||
<key>ChannelName</key>
|
<key>ChannelName</key>
|
||||||
<string>InsiderFast</string>
|
<string>Beta</string>
|
||||||
<key>HowToCheck</key>
|
<key>HowToCheck</key>
|
||||||
<string>AutomaticDownload</string>
|
<string>AutomaticDownload</string>
|
||||||
<key>EnableCheckForUpdatesButton</key>
|
<key>EnableCheckForUpdatesButton</key>
|
||||||
@ -210,7 +223,7 @@ The following configuration profile is used to:
|
|||||||
<key>PayloadEnabled</key>
|
<key>PayloadEnabled</key>
|
||||||
<true/>
|
<true/>
|
||||||
<key>ChannelName</key>
|
<key>ChannelName</key>
|
||||||
<string>InsiderFast</string>
|
<string>Beta</string>
|
||||||
<key>HowToCheck</key>
|
<key>HowToCheck</key>
|
||||||
<string>AutomaticDownload</string>
|
<string>AutomaticDownload</string>
|
||||||
<key>EnableCheckForUpdatesButton</key>
|
<key>EnableCheckForUpdatesButton</key>
|
||||||
|