
JSON Policy Examples needed for group to represent multiple removable media device serial numbers #46

Open
jbutleru47 opened this issue Apr 26, 2024 · 4 comments

@jbutleru47

Though the examples so far are great for one-offs, a real-world example is needed for a JSON policy for device control that represents a group listing multiple serial numbers. As such a list would be updated frequently to add more serial numbers for approved devices, it would be optimum to have an example to follow, as building a working JSON is complex. I have contacted Microsoft support and they were unwilling to help as it was not a break/fix situation, thus looking here for assistance that I'm sure will help others.

@jbutleru47
Author

The above issue is for macOS.

@j0shbregman j0shbregman self-assigned this May 1, 2024
@j0shbregman
Contributor

@jbutleru47 I love the idea of creating an end to end example. My questions are:

  • What permissions (RWX) do the devices on the "approved list" have?
  • What permissions (RWX) do the devices that are not on the "approved list" have?

@jbutleru47
Author

@j0shbregman Thanks for the reply. Devices on the "approved list" (based on serial number) have full RWX permissions; everything else (not on the approved list) does not have any RWX permissions.

@jbutleru47
Author

Here's an example of a DC JSON for an approved list of Multiple Serial Numbers for removable devices:

{
  "groups": [
    {
      "$type": "device",
      "id": "04B91BD0-0806-458E-837C-CA3B919605AF",
      "name": "All Removable Media Devices",
      "query": {
        "$type": "all",
        "clauses": [
          {
            "$type": "primaryId",
            "value": "removable_media_devices"
          }
        ]
      }
    },
    {
      "$type": "device",
      "id": "1F4E9407-2CD3-4E4D-9DF3-210BA488761E",
      "name": "Exclude Approved Serial Numbers",
      "query": {
        "$type": "and",
        "clauses": [
          {
            "$type": "primaryId",
            "value": "removable_media_devices"
          },
          {
            "$type": "or",
            "clauses": [
              {
                "$type": "serialNumber",
                "value": "60A44C413841F160799200C9"
              },
              {
                "$type": "serialNumber",
                "value": "NAC36Q6M"
              }
            ]
          }
        ]
      }
    }
  ],
  "rules": [
    {
      "id": "33AC33F1-CCCE-4452-B874-E9F6C6580FBB",
      "name": "Deny RWX to all Removable Media Devices except approved serial numbers",
      "includeGroups": [
        "04B91BD0-0806-458E-837C-CA3B919605AF"
      ],
      "excludeGroups": [
        "1F4E9407-2CD3-4E4D-9DF3-210BA488761E"
      ],
      "entries": [
        {
          "$type": "removableMedia",
          "id": "AEA40A77-9C16-4DC5-945D-704F2BDE9550",
          "enforcement": {
            "$type": "deny"
          },
          "access": [
            "read",
            "write",
            "execute"
          ]
        },
        {
          "$type": "removableMedia",
          "id": "495A6B6C-F0C8-4B5B-B2F7-AF5B173092DA",
          "enforcement": {
            "$type": "auditDeny",
            "options": [
              "send_event",
              "show_notification"
            ]
          },
          "access": [
            "read",
            "write",
            "execute"
          ]
        }
      ]
    }
  ],
  "settings": {
    "features": {
      "removableMedia": {
        "disable": false
      }
    },
    "global": {
      "defaultEnforcement": "allow"
    },
    "ux": {
      "navigationTarget": "https://www.microsoft.com"
    }
  }
}
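As an added example (not code from this issue, from Microsoft, or from the Defender project), a Python script that regenerates the policy above from a list of approved serial numbers, so the list can be rebuilt as it grows, plus a simplified evaluator for checking which devices the deny rule would hit. The evaluator's include/exclude semantics are an assumption for testing the policy's logic, not Defender's actual engine, and the builder keeps only the deny entry from the posted policy, not the auditDeny entry.

```python
# Group/rule ids, names and clause types are copied from the policy posted in this issue.
ALL_REMOVABLE_ID = "04B91BD0-0806-458E-837C-CA3B919605AF"
APPROVED_GROUP_ID = "1F4E9407-2CD3-4E4D-9DF3-210BA488761E"
REMOVABLE = {"$type": "primaryId", "value": "removable_media_devices"}

def build_policy(approved_serials):
    """Build the policy dict; the approved serial list is the only part that changes over time."""
    serial_clauses = [{"$type": "serialNumber", "value": s} for s in approved_serials]
    return {
        "groups": [
            {"$type": "device", "id": ALL_REMOVABLE_ID, "name": "All Removable Media Devices",
             "query": {"$type": "all", "clauses": [REMOVABLE]}},
            {"$type": "device", "id": APPROVED_GROUP_ID, "name": "Exclude Approved Serial Numbers",
             "query": {"$type": "and", "clauses": [REMOVABLE, {"$type": "or", "clauses": serial_clauses}]}},
        ],
        "rules": [{
            "id": "33AC33F1-CCCE-4452-B874-E9F6C6580FBB",
            "name": "Deny RWX to all Removable Media Devices except approved serial numbers",
            "includeGroups": [ALL_REMOVABLE_ID], "excludeGroups": [APPROVED_GROUP_ID],
            "entries": [{"$type": "removableMedia", "id": "AEA40A77-9C16-4DC5-945D-704F2BDE9550",
                         "enforcement": {"$type": "deny"}, "access": ["read", "write", "execute"]}],
        }],
        "settings": {"features": {"removableMedia": {"disable": False}},
                     "global": {"defaultEnforcement": "allow"},
                     "ux": {"navigationTarget": "https://www.microsoft.com"}},
    }

def matches(query, device):
    """Evaluate a group query against a device dict (only the clause types this policy uses)."""
    kind = query["$type"]
    if kind in ("primaryId", "serialNumber"):
        return device.get(kind) == query["value"]
    if kind in ("all", "and"):
        return all(matches(c, device) for c in query["clauses"])
    if kind == "or":
        return any(matches(c, device) for c in query["clauses"])
    raise ValueError(f"unsupported clause type: {kind}")

def denied_access(policy, device):
    """Simplified model (assumption, not Defender's engine): access types blocked by deny entries of rules whose includeGroups match and excludeGroups do not."""
    groups = {g["id"]: g["query"] for g in policy["groups"]}
    denied = set()
    for rule in policy["rules"]:
        included = any(matches(groups[g], device) for g in rule["includeGroups"])
        excluded = any(matches(groups[g], device) for g in rule.get("excludeGroups", []))
        if included and not excluded:
            for entry in rule["entries"]:
                if entry["enforcement"]["$type"] == "deny":
                    denied.update(entry["access"])
    return denied
```

Dump `build_policy([...])` with `json.dumps(..., indent=2)` to get the file to deploy; an empty approved list produces an "or" with no clauses, which under this model denies every removable device.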
