Ruser
Mar 19, 2024Copper Contributor
external media block on macOS (intune, Defender)
Hello,
I'm trying to create a policy (profile) that blocks all USB devices except approved devices, e.g. Barco ClickShare.
I followed this article, but the profile I created is not blocking anything at all. Could you please advise what additional actions should be performed on the MS Defender side?
Following this article https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-device-control-overview?view=o365-worldwide
Thank you!
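<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
  Configuration profile for Microsoft Defender for Endpoint on macOS.
  The outer dictionary is the profile envelope; the single inner payload
  (PayloadType com.microsoft.wdav) carries two settings:
    * dlp / features    : feature flag DC_in_dlp set to enabled
    * deviceControl     : the Device Control policy, stored as JSON text
-->
<plist version="1">
  <dict>
    <key>PayloadUUID</key>
    <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>Microsoft</string>
    <key>PayloadIdentifier</key>
    <string>com.microsoft.wdav</string>
    <key>PayloadDisplayName</key>
    <string>Microsoft Defender for Endpoint settings</string>
    <key>PayloadDescription</key>
    <string>Microsoft Defender for Endpoint configuration settings</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <!-- Requests that the profile cannot be removed by hand on the device. -->
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadUUID</key>
        <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
        <key>PayloadType</key>
        <string>com.microsoft.wdav</string>
        <key>PayloadOrganization</key>
        <string>Microsoft</string>
        <key>PayloadIdentifier</key>
        <string>com.microsoft.wdav</string>
        <key>PayloadDisplayName</key>
        <string>Microsoft Defender for Endpoint configuration settings</string>
        <key>PayloadDescription</key>
        <string/>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <true/>
        <!--
          Feature flag for Device Control. NOTE(review): presumably the policy
          below is ignored unless this flag is enabled; confirm against the
          Device Control for macOS article.
        -->
        <key>dlp</key>
        <dict>
          <key>features</key>
          <array>
            <dict>
              <key>name</key>
              <string>DC_in_dlp</string>
              <key>state</key>
              <string>enabled</string>
            </dict>
          </array>
        </dict>
        <!--
          Device Control policy (JSON inside the string below).

          groups
            "All Removable Media Devices" matches primaryId removable_media_devices.
            "Barco ClickShare" matches on vendorId only.
          rules
            One rule, applied to the first group and excluding the second, with
            a deny entry and an auditDeny entry (send_event, show_notification),
            both for write and execute access.
          settings
            defaultEnforcement is allow, so any device not matched by a rule is
            allowed.

          Review notes:
          1. includeGroups must be the exact id of a group defined under
             "groups". It now equals the id of "All Removable Media Devices";
             an id with a stray extra character matches no group, and with
             defaultEnforcement set to allow that presumably leaves every
             device allowed.
          2. The rule id and both entry ids contain characters that are not
             hexadecimal (o, h, u, k). They are kept as given. NOTE(review):
             if the policy parser requires well-formed GUIDs, regenerate them
             (for example with uuidgen) and redeploy.
          3. NOTE(review): the vendorId value is written as "0x600". The
             Device Control documentation describes vendorId as a four digit
             hexadecimal string; confirm the expected spelling and the actual
             vendor id reported by the device before relying on the exclusion.
          4. The exclusion is by vendorId alone, which covers every device that
             reports that vendor id. Vendor ids are reported by the device
             itself, so consider narrowing the approved group with productId
             and serialNumber clauses.
          5. Only write and execute are denied; read access is not restricted
             by this rule. Add "read" to both access lists if the intent is to
             block removable media entirely.
        -->
        <key>deviceControl</key>
        <dict>
          <key>policy</key>
          <string>
{
  "groups": [
    {
      "$type": "device",
      "id": "0a7c0337-946a-4ea5-9d4c-3cfa6cb4d8e2",
      "name": "All Removable Media Devices",
      "query": {
        "$type": "all",
        "clauses": [
          {
            "$type": "primaryId",
            "value": "removable_media_devices"
          }
        ]
      }
    },
    {
      "$type": "device",
      "id": "ba2ec8ba-2f4c-4e7f-a9f6-4034b7b2c7ed",
      "name": "Barco ClickShare",
      "query": {
        "$type": "all",
        "clauses": [
          {
            "$type": "vendorId",
            "value": "0x600"
          }
        ]
      }
    }
  ],
  "rules": [
    {
      "id": "69a4a010-acb1-4573-8a58-50cf4ee7of9h",
      "name": "Deny Write and Execute to all Removable Media Devices",
      "includeGroups": [
        "0a7c0337-946a-4ea5-9d4c-3cfa6cb4d8e2"
      ],
      "excludeGroups": [
        "ba2ec8ba-2f4c-4e7f-a9f6-4034b7b2c7ed"
      ],
      "entries": [
        {
          "__comments": "Deny Write and Execute.",
          "$type": "removableMedia",
          "id": "c7a13940-5c14-49f6-b0fb-b076ubk6f9dd",
          "enforcement": {
            "$type": "deny"
          },
          "access": [
            "write",
            "execute"
          ]
        },
        {
          "__comments": "Show UX and send events for all blocked operations.",
          "$type": "removableMedia",
          "id": "ae5672a9-0746-41e7-8ch1-93777f1bb508",
          "enforcement": {
            "$type": "auditDeny",
            "options": [
              "send_event",
              "show_notification"
            ]
          },
          "access": [
            "write",
            "execute"
          ]
        }
      ]
    }
  ],
  "settings": {
    "features": {
      "removableMedia": {
        "disable": false
      }
    },
    "global": {
      "defaultEnforcement": "allow"
    },
    "ux": {
      "navigationTarget": "Microsoft.com"
    }
  }
}
          </string>
        </dict>
      </dict>
    </array>
  </dict>
</plist>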