---
title: Deploy and manage device control using JAMF
description: Learn how to use device control policies using JAMF.
ms.service: defender-endpoint
author: limwainstein
ms.author: lwainstein
ms.reviewer: joshbregman
manager: bagol
ms.localizationpriority: medium
audience: ITPro
ms.collection:
- m365-security
- tier3
- mde-macos
ms.topic: install-set-up-deploy
ms.subservice: macos
search.appverid: met150
ms.date: 04/16/2025
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
---
Device control in Microsoft Defender for Endpoint on macOS enables you to audit, allow, or prevent read, write, or execute access to removable storage. Device control also allows you to manage iOS and portable devices and Bluetooth media, with or without exclusions.
Before you begin, confirm your subscription. To access and use device control, your subscription must include Defender for Endpoint Plan 1. For more information, see the following resources:
- Microsoft 365 Enterprise plans comparison table
- Understand subscriptions and licenses in Microsoft 365 for business
Device control on macOS is defined through a JSON policy. The policy should define the groups, rules, and settings that match your organization's requirements. For example, some enterprise organizations might need to block all removable media devices entirely, while others might need specific exceptions for a vendor or serial number. Microsoft provides a GitHub repository that you can use as a starting point for building your policies.
For more information about settings, rules, and groups, see Device Control for macOS.
You must validate your JSON policy after it's created to ensure there are no syntax or configuration errors. A schema for device control policies is available in our GitHub repository. The Defender for Endpoint application has built-in functionality to compare your JSON to the defined schema.
1. Save your configuration on a local device as a `.json` file.
2. Ensure you have access to `mdatp` commands. If your device is already onboarded, you should have this functionality.
3. Run `mdatp device-control policy validate --path <pathtojson>`.
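Before a policy reaches an onboarded Mac for the `mdatp` schema check, it helps to catch the errors that silently leave a device unprotected, such as malformed JSON or a rule that references a group that doesn't exist. The following pre-flight check is an added example, not code from Microsoft or the Defender product; it assumes the documented policy shape (top-level `groups`, `rules`, and `settings`, with rules referencing groups through `includeGroups` and `excludeGroups`) and uses a constructed sample policy with made-up IDs.

```python
# Offline pre-flight check for a Defender for Endpoint macOS device control policy (added example,
# not Microsoft's code). Assumes the documented shape: top-level "groups", "rules", "settings" and
# rules referencing groups via "includeGroups"/"excludeGroups". `mdatp device-control policy validate`
# remains the authoritative schema check on an onboarded Mac.
import json

# Constructed sample: block all removable media except one approved vendor (IDs are made up).
SAMPLE_POLICY = """
{
  "groups": [
    {"$type": "device", "id": "11111111-1111-1111-1111-111111111111", "name": "All removable media",
     "query": {"$type": "all", "clauses": [{"$type": "primaryId", "value": "removable_media_devices"}]}},
    {"$type": "device", "id": "22222222-2222-2222-2222-222222222222", "name": "Approved vendor",
     "query": {"$type": "all", "clauses": [{"$type": "vendorId", "value": "0951"}]}}
  ],
  "rules": [
    {"id": "33333333-3333-3333-3333-333333333333", "name": "Block unapproved removable media",
     "includeGroups": ["11111111-1111-1111-1111-111111111111"],
     "excludeGroups": ["22222222-2222-2222-2222-222222222222"],
     "entries": [{"$type": "removableMedia", "id": "44444444-4444-4444-4444-444444444444",
                  "enforcement": {"$type": "deny"}, "access": ["read", "write", "execute"]}]}
  ],
  "settings": {"features": {"removableMedia": {"disable": false}},
               "global": {"defaultEnforcement": "allow"}}
}
"""

def check_policy(text):
    """Return a list of problems found; an empty list means the policy passed the pre-flight."""
    problems = []
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e}"]  # a syntax error means no policy is applied at all
    for key in ("groups", "rules", "settings"):
        if key not in policy:
            problems.append(f"missing top-level key: {key}")
    group_ids = [g.get("id") for g in policy.get("groups", [])]
    for gid in set(group_ids):
        if group_ids.count(gid) > 1:
            problems.append(f"duplicate group id: {gid}")
    for rule in policy.get("rules", []):
        if not rule.get("entries"):
            problems.append(f"rule {rule.get('id')} has no entries, so it enforces nothing")
        for field in ("includeGroups", "excludeGroups"):
            for ref in rule.get(field, []):
                if ref not in group_ids:  # a dangling reference leaves the rule without its intended scope
                    problems.append(f"rule {rule.get('id')} references unknown group {ref} in {field}")
    return problems
```

Run it against the `.json` file you saved in step 1 before pasting the policy into Jamf; a non-empty list means the policy needs fixing before deployment.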
The Defender for Endpoint preferences schema includes the new `deviceControl/policy` key. The existing Defender for Endpoint preferences configuration profile should be updated to use the new schema file's content.
:::image type="content" source="media/macos-device-control-jamf-mde-preferences-schema.png" alt-text="Shows where to edit the Microsoft Defender for Endpoint Preferences Schema to update." lightbox="media/macos-device-control-jamf-mde-preferences-schema.png":::
A new device control property is now available to add to the user experience.

1. In your Jamf console, select Add/Remove properties, select Device Control, and then select Apply.

   :::image type="content" source="media/macos-device-control-jamf-device-control-property.png" alt-text="Shows how to add Device Control in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-property.png":::

2. Scroll down until you see the Device Control property (it's at the bottom of the list), and then select Add/Remove properties.

3. Select Device Control Policy, and then select Apply.

   :::image type="content" source="media/macos-device-control-jamf-device-control-add-remove-property.png" alt-text="Shows how to apply Device Control Policy in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-add-remove-property.png":::

4. Copy and paste your device control policy JSON into the text box.

   :::image type="content" source="media/macos-device-control-jamf-device-control-policy-json.png" alt-text="Shows where to add the Device Control policy JSON in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-policy-json.png":::

5. Save your changes.