Microsoft Defender for Endpoint Blog

Mac updates: Control your USB devices with Microsoft Defender for Endpoint on Mac!

Helen_Allas
Microsoft
Mar 22, 2021

 

Microsoft Defender for Endpoint on Mac USB storage device control is in general availability as of July 2021. 

 

In line with our commitment to rapidly expand Microsoft Defender for Endpoint cross-platform capabilities, we are preparing a set of enhancements to further reduce organizational exposure attributed to common end user activities. Today we are thrilled to announce the public preview of USB storage device control for Mac!

 

Preventing threats and securing your organization takes a multi-layered approach. Many users will plug in USB removable storage devices without considering their potential security risk. Enabling removable device control policies reduces the attack surface on users’ machines and protects organizations against malware and data loss in these scenarios.

What level of USB device control comes with this new capability?

 

USB storage device control for Mac is designed to regulate the level of access given to external USB storage devices (including SD cards). The access level is controlled through custom policies.

 

  • The capability supports Audit and Block enforcement levels.
  • USB device access can be set to Read, Write, Execute, or No access.
  • To achieve a high degree of granularity, the USB access level can be specified per Product ID, Vendor ID, and Serial Number.
  • The custom policy allows customization of the URL that the user is redirected to when interacting with the end-user-facing “device restricted” notification.

 

The USB device control policy is hierarchical. At the top of the hierarchy are vendors. For each vendor, there are products. Finally, for each product there are serial numbers denoting specific USB devices.

The policy is evaluated from the most specific entry to the most general one. When a USB device does not match any of the nested entries, the access level for this device defaults to the top-level permission.

 

|-- policy top level
    |-- vendor 1
        |-- product 1
            |-- serial number 1
            …
            |-- serial number N
        …
        |-- product N
    …
    |-- vendor N

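The following is an added example (not Microsoft's code and not the actual Defender for Endpoint configuration schema) that models the hierarchical evaluation described above: a device is looked up by vendor, then product, then serial number; the most specific entry that exists decides its permission, and a device that matches nothing falls back to the top-level permission. The JSON-like policy, the vendor/product IDs and the serial number are all constructed for illustration, and the Audit/Block behaviour is modelled after the enforcement levels the post lists.

```python
"""
Added example: resolve the effective access level for a USB storage device
against a vendor -> product -> serial-number policy hierarchy, most specific
entry first, defaulting to the top-level permission. The policy layout here is
a constructed illustration of the hierarchy described in the post, not the
real Defender for Endpoint policy format.
"""
from dataclasses import dataclass

ALL_ACCESS = frozenset({"read", "write", "execute"})

# Constructed sample policy. Vendor ID, product ID and serial are hypothetical.
SAMPLE_POLICY = {
    "enforcementLevel": "block",   # "audit" would only log restricted actions
    "permission": [],              # top-level default: no access
    "vendors": {
        "0781": {                               # hypothetical vendor ID
            "permission": ["read"],             # this vendor's devices: read-only
            "products": {
                "5567": {                       # hypothetical product ID
                    "permission": ["read", "write"],
                    "serialNumbers": {
                        # one specific, fully trusted device
                        "SN-CONSTRUCTED-001": {
                            "permission": ["read", "write", "execute"],
                        },
                    },
                },
            },
        },
    },
}


@dataclass(frozen=True)
class Decision:
    permission: frozenset          # subset of ALL_ACCESS; empty means "No access"
    matched_at: str                # "serialNumber" | "product" | "vendor" | "topLevel"
    enforcement: str               # "audit" | "block"


def resolve(policy, vendor_id, product_id, serial):
    """Walk vendor -> product -> serial, remembering the deepest entry that exists.
    An entry without its own 'permission' inherits the permission of the level above."""
    level, perm = "topLevel", policy.get("permission", [])
    vendor = policy.get("vendors", {}).get(vendor_id)
    if vendor is not None:
        level, perm = "vendor", vendor.get("permission", perm)
        product = vendor.get("products", {}).get(product_id)
        if product is not None:
            level, perm = "product", product.get("permission", perm)
            entry = product.get("serialNumbers", {}).get(serial)
            if entry is not None:
                level, perm = "serialNumber", entry.get("permission", perm)
    return Decision(frozenset(perm), level, policy.get("enforcementLevel", "audit"))


def is_allowed(decision, action):
    """Return (allowed, event). A permitted action produces no event. A restricted
    action always produces an event; it is still allowed in audit mode and denied
    in block mode, mirroring the two enforcement levels."""
    if action in decision.permission:
        return True, None
    event = f"restricted {action} on device matched at {decision.matched_at}"
    return decision.enforcement == "audit", event


if __name__ == "__main__":
    for vid, pid, sn in [("0781", "5567", "SN-CONSTRUCTED-001"),
                         ("0781", "5567", "SN-OTHER"),
                         ("0781", "9999", "SN-OTHER"),
                         ("ffff", "0000", "SN-OTHER")]:
        d = resolve(SAMPLE_POLICY, vid, pid, sn)
        print(vid, pid, sn, "->", sorted(d.permission) or "no access", f"({d.matched_at})")
        print("   write:", is_allowed(d, "write"))
```

Running the block walks four constructed devices from the most specific match (serial number) down to the top-level default, so you can see that the device matching only by vendor gets read-only access while an unknown device gets no access at all, and that switching `enforcementLevel` to `audit` turns denials into logged-but-allowed events.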

In cases when the USB device control policy restricts Mac end user actions, a notification appears informing the end user about the restriction imposed by the organization:

Security teams have visibility into instances of restricted actions involving USB storage devices in the Microsoft Defender Security Center:

USB device control events can also be explored using advanced hunting queries. For example:

DeviceEvents
    | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"
    | where DeviceId == "<device ID>"


What are the available options to deploy USB storage device control policies for Mac?

 

USB device control policies can be deployed using , Intune, and manual deployment. For more information, read the Mac USB storage device control documentation for detailed guidance on policy deployment (including examples of USB device control configurations).


What are the preview prerequisites for USB storage device control for Mac?

 

To experience the USB storage device control for Mac capability in public preview, you’ll need to have preview features turned on in the Microsoft Defender Security Center. If you have not yet opted into previews, we encourage you to turn on preview features in the Microsoft Defender Security Center today.

 

Ensure the following requirements are fulfilled:

  • This new capability is supported on devices running macOS Catalina 10.15.4+
  • Participating devices must be running with system extensions (this is the default on macOS 11 Big Sur)
  • Participating devices must be registered for the InsiderFast Microsoft AutoUpdate channel
  • Minimum client version for Microsoft Defender for Endpoint for this capability is 101.24.59

 

For more information on setting and checking the aforementioned prerequisites on participating devices, see the Mac USB device control documentation.


We welcome your feedback and look forward to hearing from you!

You can submit feedback by opening Microsoft Defender for Endpoint application on your Mac device and navigating to Help > Send feedback. Another option is to submit feedback via the Microsoft Defender Security Center.

 

Monitor the What's new in Microsoft Defender for Endpoint on Mac page for upcoming announcements (including general availability of Mac USB storage device control). 

 

If you’re not yet taking advantage of Microsoft’s industry-leading optics and detection capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

Microsoft Defender for Endpoint team

Updated Aug 25, 2021
Version 16.0
  • Syswpit
    Brass Contributor

    Helen_Allas  Also waiting for M1 support - we are deploying MDATP using Intune, but it's unclear how to get this working with Rosetta 2; one of the kernel extension configurations that we are pushing with Intune is failing on MacBooks with M1.

    What is the procedure for M1 intune managed devices?

    In another blog post, it was stated M1 MacBooks would be supported in Q1 2021.


    Thanks

  • clorenz86
    Copper Contributor

    Helen_Allas Thanks. Does that mean there is official support for MDE with Rosetta on M1 Macs?
    Where can I find a list with the known caveats?

  • clorenz86, textral, the Microsoft Defender for Endpoint blog and our "What's new in Microsoft Defender for Endpoint on Mac" page are the best places to monitor for upcoming announcements related to MDE native support for Apple ARM silicon.

    In the meantime, Microsoft Defender for Endpoint on Mac will run under the Rosetta 2 emulator (with known caveats).

    Given that Rosetta 2 does not come with macOS Big Sur by default, ensuring the presence of Rosetta 2 is a prerequisite for running any Intel-targeting app on M1-based Macs.

    Rosetta 2 might need to be reinstalled after macOS minor updates (as raised in this Jamf Nation discussion).

  • textral
    Copper Contributor

    Seconding the request for a timeline - very large MS customer here, and this is impacting a global deployment of Defender ATP as a Sophos replacement.

  • clorenz86
    Copper Contributor

    Hi,
    thank you for your answer.
    Do you have an approximate release date? Is it supported with Rosetta? So far it runs well 😉

    Best Regards

  • clorenz86
    Copper Contributor

    And when will Defender become officially compatible with Apple Silicon m1 Macs?