How to Configure Device Control on macOS, Use case 1. Deny write access to all USB storage except for specific VendorID and ProductID combinations (Jamf) - Arkthos/The-Escalation-Protocol GitHub Wiki
This article describes how to configure Microsoft Defender for Endpoint (MDE) Device Control on macOS to block write access to all removable media, while still allowing write access to a specific subset of Kingston USB drives based on their Vendor ID and Product ID. The policy is deployed using Jamf Pro.
The guidance includes:
- An overview of how device control works in MDE on macOS
- Step-by-step instructions for building the custom policy
- Validation tips before deployment
- References to official Microsoft documentation
β Use case: You want to ensure only company-approved USB drives can be written to on managed macOS devices, as part of your data loss prevention (DLP) or endpoint hardening strategy.
- Product: Microsoft Defender for Endpoint (macOS)
- OS: macOS 11+ (Big Sur or later)
- MDM: Jamf Pro
- Requirement: Defender for Endpoint CLI installed
Microsoft Defender for Endpoint supports device control on macOS, allowing administrators to:
- Block or allow read/write access to specific types of hardware
-
Target devices by attributes such as
vendorId
,productId
, and device class - Use JSON-based policy delivered via MDM configuration profiles
On macOS, device control policies must be authored manually in JSON and validated locally using the Defender CLI before deployment through Jamf.
You need to:
- Block write access to all removable media (e.g., USB flash drives)
-
Allow write access to a select group of Kingston USB drives, identified by a Vendor ID (
0951
) and multiple Product IDs
This ensures users can only write to pre-approved USB drives, reducing data exfiltration risk.
We will define:
- A group that matches all removable media devices
- A second group that includes only the approved Kingston USB drives
"groups": [
{
"id": "group1",
"name": "All Removable Media Devices",
"query": {
"$type": "primaryId",
"value": "removable_media_devices"
}
},
{
"id": "group2",
"name": "Allowed Kingston USBs",
"query": {
"$type": "all",
"clauses": [
{ "$type": "vendorId", "value": "0951" },
{
"$type": "any",
"clauses": [
{ "$type": "productId", "value": "1234" },
{ "$type": "productId", "value": "5678" },
{ "$type": "productId", "value": "9012" }
]
}
]
}
}
]
-
0951
is the Vendor ID for Kingston - The
any
clause matches any of the listed Product IDs, allowing flexibility if multiple Kingston USB models are in use - These device groups act as the foundation for rules later in the policy
Create a rule that:
- Includes all removable media
- Excludes the allowed Kingston USB group
- Denies write access
- Optionally audits and notifies on denied attempts
"rules": [
{
"id": "rule1",
"name": "Block Write Access Except for Allowed Kingston Devices",
"includeGroups": [ "group1" ],
"excludeGroups": [ "group2" ],
"entries": [
{
"$type": "removableMedia",
"id": "entry1",
"enforcement": { "$type": "deny" },
"access": [ "write" ]
},
{
"$type": "removableMedia",
"id": "entry2",
"enforcement": {
"$type": "auditDeny",
"options": [ "send_event", "show_notification" ]
},
"access": [ "write" ]
}
]
}
]
-
includeGroups
targets all USB drives -
excludeGroups
removes only the approved Kingston USBs -
deny
blocks write access for non-approved drives -
auditDeny
triggers event logging and user notifications
Use the Defender CLI to validate your JSON before deployment:
mdatp device-control policy validate --path /path/to/your-policy.json
- Ensures the JSON is syntactically correct and matches Defenderβs schema
- Prevents deployment failures due to malformed profiles
Once validated:
- Wrap the JSON in a Jamf custom configuration profile
- Use the preference domain:
com.microsoft.wdav
- Deploy the profile to scoped macOS devices
π‘ For help creating configuration profiles in Jamf, refer to the Jamf Custom Profiles Guide.
- Always test on a non-production device
- Keep your JSON policy files in version control
- Maintain an inventory of approved Vendor/Product IDs
- Educate users on new restrictions to avoid support tickets
- π Device Control on macOS β Microsoft Docs
- πΎ Microsoft Defender GitHub β Sample JSON Files
- π οΈ Jamf Pro: Custom Configuration Profiles
You can build simple policies based on your use case using the Policy Builder
Author: Arkthos