---
title: Deploy and manage device control manually
description: Learn how to use device control policies manually.
ms.service: defender-endpoint
author: limwainstein
ms.author: lwainstein
ms.reviewer: joshbregman
manager: bagol
ms.localizationpriority: medium
audience: ITPro
ms.collection:
- m365-security
- tier3
- mde-macos
ms.topic: install-set-up-deploy
ms.subservice: macos
search.appverid: met150
ms.date: 05/08/2025
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
---
The Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent read, write, or execute access to removable storage, and lets you manage iOS and portable devices and Bluetooth media, with or without exclusions.
Before you get started with Removable Storage Access Control, you must confirm your Microsoft 365 subscription. To access and use Removable Storage Access Control, you must have Microsoft 365 E3.
This method is recommended for preproduction environments only. It's available starting with version 101.23082.0018. You can create a policy JSON file and try it on a single machine before deploying it via MDM to all users. Microsoft recommends using MDM for production environments.
You can set a policy manually only if it wasn't already set via MDM (as a managed configuration).
Once you have defined your groups, rules, and settings, combine them into one JSON file. Here's the demo file: mdatp-devicecontrol/deny_removable_media_except_kingston.json at main - microsoft/mdatp-devicecontrol (github.com). Make sure to validate your policy against the JSON schema so that your policy format is correct: mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com).
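Schema validation confirms that the file has the right shape, but it does not catch logical mistakes such as a rule that references a group ID you never defined, or a group that no rule uses (so the exclusion you intended never takes effect). The following preflight script is an added example, not part of this page or of the mdatp-devicecontrol repository. It assumes the policy layout used by the repository's samples (top-level `groups`, `rules`, and `settings`; rules that reference group IDs through `includeGroups` and `excludeGroups`; `settings.global.defaultEnforcement` taking `allow` or `deny`). Those key names, the accepted enforcement values, and the embedded sample policy are assumptions constructed for the example; the IDs and vendor value in the sample are placeholders.

```python
"""Preflight checks for a macOS Device Control policy JSON before applying it
with `mdatp config device-control policy set`.

Added example; not from the Microsoft docs or the mdatp-devicecontrol repo.
Schema validation remains the authoritative format check. This script only
catches reference and consistency problems the schema does not express.
"""
import json
import sys
from collections import Counter

# Key names and accepted values below follow the layout of the repo's sample
# policies (assumption, not taken from this page).
REQUIRED_TOP_LEVEL = {"groups": list, "rules": list, "settings": dict}
ENFORCEMENT_VALUES = {"allow", "deny"}

# Constructed sample policy: deny removable media except one approved vendor.
# IDs and the vendor value are placeholders chosen for the example.
SAMPLE_POLICY = {
    "groups": [
        {"$type": "device", "id": "00000000-0000-4000-8000-00000000aa01",
         "name": "All removable media",
         "query": {"$type": "all",
                   "clauses": [{"$type": "primaryId", "value": "removable_media_devices"}]}},
        {"$type": "device", "id": "00000000-0000-4000-8000-00000000aa02",
         "name": "Approved vendor",
         "query": {"$type": "all",
                   "clauses": [{"$type": "vendorId", "value": "FFFF"}]}},
    ],
    "rules": [
        {"id": "00000000-0000-4000-8000-00000000bb01",
         "name": "Deny removable media except approved vendor",
         "includeGroups": ["00000000-0000-4000-8000-00000000aa01"],
         "excludeGroups": ["00000000-0000-4000-8000-00000000aa02"],
         "entries": [{"$type": "removableMedia",
                      "id": "00000000-0000-4000-8000-00000000cc01",
                      "enforcement": {"$type": "deny"},
                      "access": ["read", "write", "execute"]}]},
    ],
    "settings": {
        "features": {"removableMedia": {"disable": False}},
        "global": {"defaultEnforcement": "allow"},
        "ux": {"navigationTarget": "https://www.microsoft.com"},
    },
}


def duplicates(values):
    """Return the values that occur more than once, in first-seen order."""
    counts = Counter(values)
    return [v for v in dict.fromkeys(values) if counts[v] > 1]


def check_policy(policy):
    """Return findings as 'error: ...' / 'warning: ...' strings; empty list means clean."""
    findings = []
    for key, expected in REQUIRED_TOP_LEVEL.items():
        if key not in policy:
            findings.append(f"error: missing top-level key '{key}'")
        elif not isinstance(policy[key], expected):
            findings.append(f"error: '{key}' must be a JSON {expected.__name__}")
    if findings:
        return findings  # structure too broken to inspect further

    groups, rules, settings = policy["groups"], policy["rules"], policy["settings"]
    group_ids = [g.get("id") for g in groups]
    for gid in duplicates(group_ids):
        findings.append(f"error: duplicate group id {gid}")
    for rid in duplicates([r.get("id") for r in rules]):
        findings.append(f"error: duplicate rule id {rid}")

    known, referenced = set(group_ids), set()
    for rule in rules:
        name = rule.get("name", rule.get("id", "<unnamed>"))
        included = rule.get("includeGroups", [])
        excluded = rule.get("excludeGroups", [])
        for gid in included + excluded:
            referenced.add(gid)
            if gid not in known:  # dangling reference: the exclusion or match never applies
                findings.append(f"error: rule '{name}' references unknown group {gid}")
        for gid in set(included) & set(excluded):
            findings.append(f"warning: rule '{name}' both includes and excludes group {gid}")
        if not included:
            findings.append(f"warning: rule '{name}' includes no groups and will never match")
        if not rule.get("entries"):
            findings.append(f"warning: rule '{name}' has no entries")
    for gid in sorted(known - referenced, key=str):
        findings.append(f"warning: group {gid} is defined but never referenced by a rule")

    enforcement = settings.get("global", {}).get("defaultEnforcement")
    if enforcement not in ENFORCEMENT_VALUES:
        findings.append("error: settings.global.defaultEnforcement must be one of "
                        f"{sorted(ENFORCEMENT_VALUES)}")
    return findings


def has_errors(findings):
    """True when any finding is an error (warnings alone do not block applying)."""
    return any(f.startswith("error:") for f in findings)


def preflight(path):
    """Load a policy file and return its findings (a JSON syntax error is itself a finding)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return check_policy(json.load(fh))
    except json.JSONDecodeError as exc:
        return [f"error: invalid JSON: {exc}"]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    results = preflight(path) if path else check_policy(SAMPLE_POLICY)
    for line in results or ["ok: no findings"]:
        print(line)
    if not has_errors(results):
        print(f"ready to apply: mdatp config device-control policy set --path {path or '<policy.json>'}")
    sys.exit(1 if has_errors(results) else 0)
```

Run it as `python3 preflight.py /full/path/to/policy.json` after the schema check and before `mdatp config device-control policy set`; a non-zero exit means at least one error-level finding. Warnings are advisory: an unreferenced group is usually a sign that an exclusion was forgotten in a rule's `excludeGroups`.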
See Device Control for macOS for information about settings, rules, and groups.
Use `mdatp config device-control policy set --path <full-path-to-policy.json>` to apply the policy.
You can now try protected operations, or use the usual `mdatp device-control` commands to inspect the effective policy. For example:
```console
> mdatp device-control policy preferences list
.Preferences
|-o UX
| |-o Navigation Target: "https://www.microsoft.com"
|-o Features
| |-o Removable Media
| | |-o Disable: false
|-o Global
| |-o Default Enforcement: "allow"
```
You can edit your policy file, reapply it, and see changes immediately.
To clear the policy, use `mdatp config device-control policy reset`.