title | description | keywords | ms.service | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic | ms.subservice | search.appverid | ms.date | ||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Examples of device control policies for Intune |
Learn how to use device control policies using examples that can be used with Intune. |
microsoft, defender, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media, intune |
microsoft-365-security |
security |
library |
security |
dansimp |
dansimp |
medium |
dansimp |
ITPro |
|
conceptual |
mde |
met150 |
03/22/2021 |
[!INCLUDE Microsoft 365 Defender rebranding]
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft 365 Defender
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using Intune to manage devices in your enterprise.
The following example restricts access to all removable media. Note the none
permission that is applied at the top level of the policy, meaning that all file operations will be disallowed.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
The following example configures all removable media to be read-only. Note the read
permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
The following example shows how program execution from removable media can be disallowed. Note the read
and write
permissions that are applied at the top level of the policy.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
The following example restricts all devices from specific vendors (in this case identified by fff0
and 4525
). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
<key>4525</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
The following example restricts two specific devices, identified by vendor ID fff0
, product ID 1000
, and serial numbers 04ZSSMHI2O7WBVOA
and 04ZSSMHI2O7WBVOB
. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>products</key>
<dict>
<key>1000</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>serialNumbers</key>
<dict>
<key>04ZSSMHI2O7WBVOA</key>
<array>
<string>none</string>
</array>
<key>04ZSSMHI2O7WBVOB</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>