Using the device control policy sample builder - Arkthos/The-Escalation-Protocol GitHub Wiki

This interactive Python script helps you build basic examples of Microsoft Defender for Endpoint (MDE) device control policies. It guides you through selecting common device types, access rules, and exception conditions, and outputs a valid JSON policy structure that can be deployed via Jamf or Intune.

โš ๏ธ IMPORTANT:
This tool is intended for illustration and prototyping purposes only. It is not a production-ready policy generator. Use it to explore and understand the JSON structure of device control policies โ€” not as a replacement for manual policy design and validation.


✨ Features

  • Supports both Jamf and Intune deployment scenarios
  • Interactive prompts for:
    • Device types (USB, Bluetooth, Printers, Storage)
    • Access control types (read, write, execute)
    • Enforcement actions (allow, deny, auditDeny)
    • Vendor/Product ID exceptions
    • Additional fields like serialNumber and interfaceClass
  • Generates a complete JSON policy with:
    • groups
    • rules
    • settings
  • Saves the output to your Desktop or prints it to the screen
  • Offers a preview of the policy before saving

🧰 Requirements

  • Python 3.6+
  • macOS, Linux, or Windows with write access to your Desktop folder (if the file cannot be written, the policy is printed to the screen instead)

🚀 Usage

  1. Download the script:
    device_control_policy_generator.py

  2. Run it in a terminal:

    python3 device_control_policy_generator.py
  3. Answer the interactive prompts:

    • Choose one or more device types to control
    • Specify access types (write, read, execute)
    • Define enforcement actions and exceptions
    • Optionally preview the final JSON before saving
  4. The script will attempt to save the generated policy as:

    ~/Desktop/device_control_policy.json
    
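As an added example (not the wiki's script and not Microsoft's code), here is a small builder that produces the same three-part groups / rules / settings layout for the most common case the script prompts for: block write and execute on all removable media except an approved vendor/product list, with a structural sanity check of the kind the script itself does not perform. The field names, clause types, enforcement values and settings keys are assumptions drawn from the macOS device control JSON layout as I recall it from Microsoft's documentation, and the vendor/product IDs are constructed sample values; verify both against the official schema before deploying anything built from this.

```python
"""Build a minimal MDE device control policy (macOS JSON shape) and sanity-check it.

Assumption: field names and value sets follow the macOS device control JSON layout as
recalled from Microsoft's documentation; they are not taken from this wiki's script.
"""
import json
import uuid

VALID_ENFORCEMENT = {"allow", "deny", "auditAllow", "auditDeny"}
VALID_ACCESS = {"read", "write", "execute"}
VALID_MATCH = {"and", "or"}                      # logical clause containers
VALID_PROPERTY_CLAUSES = {"primaryId", "vendorId", "productId", "serialNumber", "deviceId"}


def stable_id(name):
    """Deterministic UUID so re-running the builder does not churn ids between revisions."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "device-control/" + name))


def make_group(name, clauses, match="or"):
    """A device group: a named query over device properties (vendorId, productId, ...)."""
    return {"$type": "device", "id": stable_id("group/" + name), "name": name,
            "query": {"$type": match, "clauses": clauses}}


def make_rule(name, include_groups, entry_type, enforcement, access, exclude_groups=()):
    """A rule: which groups it covers, which are exempt, and what to enforce on which access."""
    entry = {"$type": entry_type, "id": stable_id("entry/" + name),
             "enforcement": {"$type": enforcement}, "access": sorted(access)}
    return {"id": stable_id("rule/" + name), "name": name,
            "includeGroups": [g["id"] for g in include_groups],
            "excludeGroups": [g["id"] for g in exclude_groups],
            "entries": [entry]}


def build_policy(approved_devices, default_enforcement="allow"):
    """Deny write/execute on all removable media except approved (vendorId, productId) pairs."""
    all_removable = make_group("All removable media",
                               [{"$type": "primaryId", "value": "removable_media_devices"}])
    # One (vendorId AND productId) clause per approved device, OR-ed together.
    approved = make_group("Approved USB storage", match="or", clauses=[
        {"$type": "and", "clauses": [{"$type": "vendorId", "value": vid},
                                     {"$type": "productId", "value": pid}]}
        for vid, pid in approved_devices])
    deny_rule = make_rule("Block write/execute on unapproved removable media",
                          include_groups=[all_removable], exclude_groups=[approved],
                          entry_type="removableMedia", enforcement="deny",
                          access=["write", "execute"])
    return {"groups": [all_removable, approved], "rules": [deny_rule],
            "settings": {"features": {"removableMedia": {"disable": False}},
                         "global": {"defaultEnforcement": default_enforcement}}}


def _clause_problems(clause, where):
    """Recursively check one query clause; returns a list of problem strings."""
    kind = clause.get("$type")
    if kind in VALID_MATCH:
        inner = clause.get("clauses", [])
        if not inner:
            return [f"{where}: '{kind}' has no clauses and matches nothing"]
        return [p for i, c in enumerate(inner) for p in _clause_problems(c, f"{where}[{i}]")]
    if kind not in VALID_PROPERTY_CLAUSES:
        return [f"{where}: unknown clause type {kind!r}"]
    if not isinstance(clause.get("value"), str) or not clause["value"]:
        return [f"{where}: {kind} needs a non-empty string value"]
    return []


def check_policy(policy):
    """Structural checks the generator does not perform; an empty list means nothing found.
    Not schema validation: it does not replace the mdatp check on a test device."""
    problems = [f"missing top-level key {k!r}" for k in ("groups", "rules", "settings")
                if k not in policy]
    groups, rules = policy.get("groups", []), policy.get("rules", [])
    ids = [g.get("id") for g in groups]
    if len(ids) != len(set(ids)):
        problems.append("duplicate group ids")
    for g in groups:
        problems += _clause_problems(g.get("query", {}), f"group {g.get('name')!r} query")
    for r in rules:
        name = r.get("name")
        for field in ("includeGroups", "excludeGroups"):
            problems += [f"rule {name!r}: {field} references unknown group {gid}"
                         for gid in r.get(field, []) if gid not in ids]
        if not r.get("includeGroups"):
            problems.append(f"rule {name!r}: includeGroups is empty, the rule applies to nothing")
        if not r.get("entries"):
            problems.append(f"rule {name!r}: no entries, the rule enforces nothing")
        for e in r.get("entries", []):
            if e.get("enforcement", {}).get("$type") not in VALID_ENFORCEMENT:
                problems.append(f"rule {name!r}: invalid enforcement {e.get('enforcement')!r}")
            if set(e.get("access", [])) - VALID_ACCESS:
                problems.append(f"rule {name!r}: invalid access values {e.get('access')!r}")
    if policy.get("settings", {}).get("global", {}).get("defaultEnforcement") not in ("allow", "deny"):
        problems.append("settings.global.defaultEnforcement must be 'allow' or 'deny'")
    return problems


def to_json(policy):
    return json.dumps(policy, indent=2)


# Constructed sample input: fictitious hex vendor/product IDs, not real devices.
SAMPLE_APPROVED = [("1234", "5678"), ("abcd", "0001")]

if __name__ == "__main__":
    policy = build_policy(SAMPLE_APPROVED)
    for problem in check_policy(policy):
        print("PROBLEM:", problem)
    print(to_json(policy))
```

Two design points worth carrying into any real generator: ids are derived from names with uuid5, so regenerating the policy after editing a list of approved devices does not rewrite every id (which makes diffs between revisions readable), and an exception group with an empty clause list is flagged as a problem rather than silently emitted, because a group that matches nothing turns "deny except approved" into "deny everything".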

🧪 Validation

Once generated, validate the policy on a macOS device with Microsoft Defender CLI:

mdatp device-control policy validate --path ~/Desktop/device_control_policy.json

🔒 Limitations

  • This tool does not validate policies against the full schema; please test carefully on a non-production device.
  • Generated policies are basic templates; they may need additional customization before real-world deployment.
  • Only a subset of device identification methods is supported (e.g., no friendlyName, interfaceSubClass, etc.).

👷 Disclaimer

This tool is provided as-is for educational and advisory use only.
By using it, you acknowledge:

  • You are responsible for testing and validating the output.
  • Microsoft support does not cover the use of custom policy generators.
  • For production scenarios, consult your CSAM or official Microsoft documentation.

📬 Feedback

Suggestions or bug reports? Feel free to share ideas for improvement with your engineering team or automation lead.