title: Deploy and manage Device Control using Intune
description: Learn how to deploy and manage device control policies using Intune.
ms.service: defender-endpoint
author: limwainstein
ms.author: lwainstein
ms.reviewer: joshbregman
manager: bagol
ms.localizationpriority: medium
audience: ITPro
ms.collection:
- m365-security
- tier3
- mde-macos
ms.topic: install-set-up-deploy
ms.subservice: macos
search.appverid: met150
ms.date: 07/25/2024
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
The Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent read, write, or execute access to removable storage, and to manage iOS and portable devices and Bluetooth media with or without exclusions.
Before you get started with Removable Storage Access Control, you must confirm your Microsoft 365 subscription. To access and use Removable Storage Access Control, you must have Microsoft 365 E3.
Now that you have groups, rules, and settings, update the mobileconfig file with those values, placing them under the Device Control node. Here's the demo file: mdatp-devicecontrol/demo.mobileconfig at main - microsoft/mdatp-devicecontrol (github.com). Make sure to validate your policy against the JSON schema and confirm that the policy format is correct: mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com).
Note
See Device Control for macOS for information about settings, rules, and groups.
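Before uploading, a local pre-flight can confirm that the profile is a well-formed plist and that the policy embedded in it still parses as JSON after editing; it complements the schema validation above and does not replace it. This is an added example, not code from Microsoft or the mdatp-devicecontrol repository. It assumes the policy is stored as a JSON string inside the profile (shown under hypothetical `deviceControl`/`policy` keys) with top-level `groups`, `rules`, and `settings` keys.

```python
import json
import plistlib

# Assumed top-level policy keys, named after the groups, rules and settings above.
REQUIRED_SECTIONS = ("groups", "rules", "settings")

def iter_strings(node, path=""):
    """Yield (path, text) for every string value in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def check_mobileconfig(data):
    """Return a list of problems; an empty list means the pre-flight passed."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML or unrecognised plist format
        return [f"profile is not a valid plist: {exc!r}"]
    problems, candidates = [], 0
    for path, text in iter_strings(profile):
        if not text.lstrip().startswith("{"):
            continue  # not an embedded JSON object
        candidates += 1
        try:
            policy = json.loads(text)
        except json.JSONDecodeError as exc:
            problems.append(f"{path}: policy is not valid JSON ({exc.msg} at char {exc.pos})")
            continue
        missing = [name for name in REQUIRED_SECTIONS if name not in policy]
        if missing:
            problems.append(f"{path}: policy lacks {', '.join(missing)}")
    if candidates == 0:
        problems.append("no embedded JSON policy string found")
    return problems

def build_sample(policy_text):
    """Constructed profile; the deviceControl/policy key names are assumptions."""
    payload = {"deviceControl": {"policy": policy_text}}
    return plistlib.dumps({"PayloadContent": [payload]})

if __name__ == "__main__":
    print(check_mobileconfig(build_sample('{"groups": [], "rules": []}')))
```

To check a real profile, pass the file's bytes to `check_mobileconfig` and fix every reported problem before creating the Intune profile.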
You can deploy the mobileconfig file through https://intune.microsoft.com/ > Devices > macOS:
- select 'Create profile'
- select 'Templates' and 'Custom'
:::image type="content" source="media/macos-device-control-intune-mobileconfig.png" alt-text="Shows the Microsoft Endpoint Manager macOS Device Control / Configuration settings page." lightbox="media/macos-device-control-intune-mobileconfig.png":::