Device control for macOS (Microsoft)

Requirements

Device control for macOS has the following prerequisites:

Device control policy

To configure device control for macOS, you must create a policy that describes the restrictions you want to put in place within your organization.

The device control policy is included in the configuration profile used to configure all other product settings. For more information, see Configuration profile structure.

Within the configuration profile, the device control policy is defined in the following section:

---

The device control policy can be used to:

• Customize the URL target for notifications raised by device control
• Allow or block removable devices

Customize URL target for notifications raised by device control

When the device control policy that you have put in place is enforced on a device (for example, access to a removable media device is restricted), a notification is displayed to the user.

When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification.

---

Allow or block removable devices

The removable media section of the device control policy is used to restrict access to removable media.

---

This section of the policy is hierarchical, allowing for maximum flexibility and covering a wide range of use cases. At the top level are vendors, identified by a vendor ID. For each vendor, there are products, identified by a product ID. Finally, for each product there are serial numbers denoting specific devices.

|-- policy top level
    |-- vendor 1
        |-- product 1
            |-- serial number 1
            ...
            |-- serial number N
        ...
        |-- product N
    ...
    |-- vendor N

For information on how to find the device identifiers, see Look up device identifiers.

The policy is evaluated from the most specific entry to the most general one. Meaning, when a device is plugged in, the product tries to find the most specific match in the policy for each removable media device and apply the permissions at that level. If there is no match, then the next best match is applied, all the way to the permission specified at the top level, which is the default when a device does not match any other entry in the policy.

Policy enforcement level

Under the removable media section, there is an option to set the enforcement level, which can take one of the following values:

• audit – Under this enforcement level, if access to a device is restricted, a notification is displayed to the user, however the device can still be used. This enforcement level can be useful to evaluate the effectiveness of a policy.
• block – Under this enforcement level, the operations that the user can perform on the device are limited to what is defined in the policy. Furthermore, a notification is raised to the user.

---

Default permission level

At the top level of the removable media section, you can configure the default permission level for devices that do not match anything else in the policy.

This setting can be set to:

• none – No operations can be performed on the device
• A combination of the following values:
  • read – Read operations are permitted on the device
  • write – Write operations are permitted on the device
  • execute – Execute operations are permitted on the device

---

Restrict removable media by vendor, product, and serial number

As described in Allow or block removable devices, removable media such as USB devices can be identified by the vendor ID, product ID, and serial number.

At the top level of the removable media policy, you can optionally define more granular restrictions at the vendor level.

The vendors dictionary contains one or more entries, with each entry being identified by the vendor ID.

---

For each vendor, you can specify the desired permission level for devices from that vendor.

---

Furthermore, you can optionally specify the set of products belonging to that vendor for which more granular permissions are defined. The products dictionary contains one or more entries, with each entry being identified by the product ID.

---

For each product, you can specify the desired permission level for that product.

---

Furthermore, you can specify an optional set of serial numbers for which more granular permissions are defined.

The serialNumbers dictionary contains one or more entries, with each entry being identified by the serial number.

---

For each serial number, you can specify the desired permission level.

---

Example device control policy

The following example shows how all of the above concepts can be combined into a device control policy. In the following example, note the hierarchical nature of the removable media policy.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>deviceControl</key>
    <dict>
        <key>navigationTarget</key>
        <string>[custom URL for notifications]</string>
        <key>removableMediaPolicy</key>
        <dict>
            <key>enforcementLevel</key>
            <string>[enforcement level]</string> <!-- audit / block -->
            <key>permission</key>
            <array>
                <string>[permission]</string> <!-- none / read / write / execute -->
                <!-- other permissions -->
            </array>
            <key>vendors</key>
            <dict>
                <key>[vendor id]</key>
                <dict>
                    <key>permission</key>
                    <array>
                        <string>[permission]</string> <!-- none / read / write / execute -->
                        <!-- other permissions -->
                    </array>
                    <key>products</key>
                    <dict>
                        <key>[product id]</key>
                        <dict>
                            <key>permission</key>
                            <array>
                                <string>[permission]</string> <!-- none / read / write / execute -->
                                <!-- other permissions -->
                            </array>
                            <key>serialNumbers</key>
                            <dict>
                                <key>[serial-number]</key>
                                <array>
                                    <string>[permission]</string> <!-- none / read / write / execute -->
                                    <!-- other permissions -->
                                </array>
                                <!-- other serial numbers -->
                            </dict>
                        </dict>
                        <!-- other products -->
                    </dict>
                </dict>
                <!-- other vendors -->
            </dict>
        </dict>
    </dict>
</dict>
</plist>

We have included more examples of device control policies in the following documents:

• Examples of device control policies for Intune
• Examples of device control policies for JAMF

Look up device identifiers

To find the vendor ID, product ID, and serial number of a USB device:

1. Log into a Mac device.
2. Plug in the USB device for which you want to look up the identifiers.
3. In the top-level menu of macOS, select About This Mac.

   

4. Select System Report.

   

5. From the left column, select USB.

   

6. Under USB Device Tree, navigate to the USB device that you plugged in.

   

7. The vendor ID, product ID, and serial number are displayed. When adding the vendor ID and product ID to the removable media policy, you must only add the part after 0x. For example, in the below image, vendor ID is 1000 and product ID is 090c.

Discover USB devices in your organization

You can view mount, unmount, and volume change events originating from USB devices in Microsoft Defender for Endpoint advanced hunting. These events can be helpful to identify suspicious usage activity or perform internal investigations.

DeviceEvents
    | where ActionType == "UsbDriveMounted" or ActionType == "UsbDriveUnmounted" or ActionType == "UsbDriveDriveLetterChanged"
    | where DeviceId == "<device ID>"

Device control policy deployment

The device control policy must be included next to the other product settings, as described in Set preferences for Microsoft Defender for Endpoint on macOS.

This profile can be deployed using the instructions listed in Configuration profile deployment.

Troubleshooting tips

After pushing the configuration profile through Intune or JAMF, you can check if it was successfully picked up by the product by running the following command from the Terminal:

mdatp device-control removable-media policy list

This command will print to standard output the device control policy that the product is using. In case this prints Policy is empty, make sure that (a) the configuration profile has indeed been pushed to your device from the management console, and (b) it is a valid device control policy, as described in this document.

On a device where the policy has been delivered successfully and where there are one or more devices plugged in, you can run the following command to list all devices and the effective permissions applied to them.

mdatp device-control removable-media devices list

Example of output:

.Device(s)
|-o Name: Untitled 1, Permission ["read", "execute"]
| |-o Vendor: General "fff0"
| |-o Product: USB Flash Disk "1000"
| |-o Serial number: "04ZSSMHI2O7WBVOA"
| |-o Mount point: "/Volumes/TESTUSB"

In the above example, there is only one removable media device plugged in and it has read and execute permissions, according to the device control policy that was delivered to the device.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team