How to Configure Device Control on macOS, Use case 1. Deny write access to all USB storage except for specific VendorID and ProductID combinations (Jamf) - Arkthos/The-Escalation-Protocol GitHub Wiki

This article describes how to configure Microsoft Defender for Endpoint (MDE) Device Control on macOS to block write access to all removable media, while still allowing write access to a specific subset of Kingston USB drives based on their Vendor ID and Product ID. The policy is deployed using Jamf Pro.

The guidance includes:

• An overview of how device control works in MDE on macOS
• Step-by-step instructions for building the custom policy
• Validation tips before deployment
• References to official Microsoft documentation

✅ Use case: You want to ensure only company-approved USB drives can be written to on managed macOS devices, as part of your data loss prevention (DLP) or endpoint hardening strategy.

• Product: Microsoft Defender for Endpoint (macOS)
• OS: macOS 11+ (Big Sur or later)
• MDM: Jamf Pro
• Requirement: Defender for Endpoint CLI installed

Microsoft Defender for Endpoint supports device control on macOS, allowing administrators to:

• Block or allow read/write access to specific types of hardware
• Target devices by attributes such as vendorId, productId, and device class
• Use JSON-based policy delivered via MDM configuration profiles

On macOS, device control policies must be authored manually in JSON and validated locally using the Defender CLI before deployment through Jamf.

You need to:

1. Block write access to all removable media (e.g., USB flash drives)
2. Allow write access to a select group of Kingston USB drives, identified by a Vendor ID (0951) and multiple Product IDs

This ensures users can only write to pre-approved USB drives, reducing data exfiltration risk.

We will define:

• A group that matches all removable media devices
• A second group that includes only the approved Kingston USB drives

"groups": [
  {
    "id": "group1",
    "name": "All Removable Media Devices",
    "query": {
      "$type": "primaryId",
      "value": "removable_media_devices"
    }
  },
  {
    "id": "group2",
    "name": "Allowed Kingston USBs",
    "query": {
      "$type": "all",
      "clauses": [
        { "$type": "vendorId", "value": "0951" },
        {
          "$type": "any",
          "clauses": [
            { "$type": "productId", "value": "1234" },
            { "$type": "productId", "value": "5678" },
            { "$type": "productId", "value": "9012" }
          ]
        }
      ]
    }
  }
]

• 0951 is the Vendor ID for Kingston
• The any clause matches any of the listed Product IDs, allowing flexibility if multiple Kingston USB models are in use
• These device groups act as the foundation for rules later in the policy

Create a rule that:

• Includes all removable media
• Excludes the allowed Kingston USB group
• Denies write access
• Optionally audits and notifies on denied attempts

"rules": [
  {
    "id": "rule1",
    "name": "Block Write Access Except for Allowed Kingston Devices",
    "includeGroups": [ "group1" ],
    "excludeGroups": [ "group2" ],
    "entries": [
      {
        "$type": "removableMedia",
        "id": "entry1",
        "enforcement": { "$type": "deny" },
        "access": [ "write" ]
      },
      {
        "$type": "removableMedia",
        "id": "entry2",
        "enforcement": {
          "$type": "auditDeny",
          "options": [ "send_event", "show_notification" ]
        },
        "access": [ "write" ]
      }
    ]
  }
]

• includeGroups targets all USB drives
• excludeGroups removes only the approved Kingston USBs
• deny blocks write access for non-approved drives
• auditDeny triggers event logging and user notifications

Use the Defender CLI to validate your JSON before deployment:

mdatp device-control policy validate --path /path/to/your-policy.json

• Ensures the JSON is syntactically correct and matches Defender’s schema
• Prevents deployment failures due to malformed profiles

Once validated:

1. Wrap the JSON in a Jamf custom configuration profile
2. Use the preference domain: com.microsoft.wdav
3. Deploy the profile to scoped macOS devices

💡 For help creating configuration profiles in Jamf, refer to the Jamf Custom Profiles Guide.

• Always test on a non-production device
• Keep your JSON policy files in version control
• Maintain an inventory of approved Vendor/Product IDs
• Educate users on new restrictions to avoid support tickets

• 📘 Device Control on macOS – Microsoft Docs
• 💾 Microsoft Defender GitHub – Sample JSON Files
• 🛠️ Jamf Pro: Custom Configuration Profiles

You can build simple policies based on your use case using the Policy Builder

Author: Arkthos