microsoft / mdatp-devicecontrol

Microsoft Defender for Endpoint Device Control tools, samples, and resources.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection?view=o365-worldwide
MIT License

Deny all removable media except APFS Encrypted devices #38

Closed RLNY88 closed 1 year ago

RLNY88 commented 1 year ago

I’m currently facing a challenge with blocking all removable media, except for those that are encrypted. I’ve attempted to adjust the existing JSON example to include the Encryption Clause, but it seems to be ineffective. I would greatly appreciate any assistance or guidance on this matter. If anyone has a working example that I could reference, that would be extremely helpful as well. Thank you in advance for your time and support.

{
  "groups": [
    {
      "$type": "device",
      "id": "519a2e50-3bb7-49b7-9ae0-6feb415d58ca",
      "name": "All Removable Media Devices",
      "query": {
        "$type": "all",
        "clauses": [
          { "$type": "primaryId", "value": "removable_media_devices" }
        ]
      }
    }
  ],
  "encryption": {
    "title": "Encryption Clause",
    "description": "Match if a device is encrypted. (Only supports Removable Media Devices)",
    "required": [ "$type", "value" ],
    "additionalProperties": true,
    "properties": {
      "$type": { "enum": [ "encryption" ] },
      "value": {
        "enum": [ "apfs" ],
        "title": "Encryption Type",
        "examples": [ "apfs" ]
      },
      "comments": { "type": "string" }
    },
    "examples": [
      { "$type": "encryption", "value": "apfs" }
    ]
  },
  "rules": [
    {
      "id": "69a4a010-acb1-4573-8a58-50cf4ee7bc7f",
      "name": "Deny WX to all Removable Media Devices",
      "includeGroups": [ "519a2e50-3bb7-49b7-9ae0-6feb415d58ca" ],
      "entries": [
        {
          "comments": "Deny Write, and Execute.",
          "$type": "removableMedia",
          "id": "c7a13940-5c14-49f6-b0fb-b0978bf0f8cc",
          "enforcement": { "$type": "deny" },
          "access": [ "write", "execute" ]
        },
        {
          "__comments": "Show UX and send events for all blocked operations.",
          "$type": "removableMedia",
          "id": "ae5672a9-0746-41e7-8c21-63222f1aa304",
          "enforcement": {
            "$type": "auditDeny",
            "options": [ "send_event", "show_notification" ]
          },
          "access": [ "read", "write", "execute" ]
        }
      ]
    }
  ],
  "settings": {
    "features": { "removableMedia": { "disable": false } },
    "global": { "defaultEnforcement": "allow" },
    "ux": { "navigationTarget": "http://www.microsoft.com" }
  }
}
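An added example, not part of the issue above and not code from the mdatp-devicecontrol repository: the policy pasted in the issue embeds the Encryption Clause schema fragment as a top-level "encryption" key, where no group query will ever evaluate it. The script below builds the policy the way the schema fragment itself implies, with the clause `{"$type": "encryption", "value": "apfs"}` inside a second group's query and that group listed in the rule's `excludeGroups`, so the deny rule applies to every removable device except APFS-encrypted ones. It also includes a small structural checker and a deliberately simplified model of group/rule evaluation to show the difference. Assumptions: the `excludeGroups` rule field and the `groups`/`rules`/`settings` top-level layout follow the macOS device control schema as I understand it; the second group GUID and the sample device records are constructed placeholders; the real agent's matching algorithm is not reproduced here.

```python
import json

# GUIDs: the first group and rule/entry ids are reused from the issue; the APFS group id
# is a constructed placeholder, not from any real tenant or the project's samples.
ALL_REMOVABLE_GROUP = "519a2e50-3bb7-49b7-9ae0-6feb415d58ca"
APFS_ENCRYPTED_GROUP = "5d6e9f6a-0c3b-4e2a-9a9e-0a7c1b2d3e4f"  # placeholder
DENY_RULE = "69a4a010-acb1-4573-8a58-50cf4ee7bc7f"

POLICY = {
    "groups": [
        {
            "$type": "device",
            "id": ALL_REMOVABLE_GROUP,
            "name": "All Removable Media Devices",
            "query": {"$type": "all", "clauses": [
                {"$type": "primaryId", "value": "removable_media_devices"}]},
        },
        {
            "$type": "device",
            "id": APFS_ENCRYPTED_GROUP,
            "name": "APFS Encrypted Removable Media",
            # The encryption clause belongs inside a group query, not at the top level.
            "query": {"$type": "all", "clauses": [
                {"$type": "primaryId", "value": "removable_media_devices"},
                {"$type": "encryption", "value": "apfs"}]},
        },
    ],
    "rules": [
        {
            "id": DENY_RULE,
            "name": "Deny all removable media except APFS encrypted",
            "includeGroups": [ALL_REMOVABLE_GROUP],
            "excludeGroups": [APFS_ENCRYPTED_GROUP],  # assumed field name (macOS schema)
            "entries": [
                {"$type": "removableMedia", "id": "c7a13940-5c14-49f6-b0fb-b0978bf0f8cc",
                 "enforcement": {"$type": "deny"},
                 "access": ["read", "write", "execute"]},
                {"$type": "removableMedia", "id": "ae5672a9-0746-41e7-8c21-63222f1aa304",
                 "enforcement": {"$type": "auditDeny",
                                 "options": ["send_event", "show_notification"]},
                 "access": ["read", "write", "execute"]},
            ],
        }
    ],
    "settings": {
        "features": {"removableMedia": {"disable": False}},
        "global": {"defaultEnforcement": "allow"},
        "ux": {"navigationTarget": "http://www.microsoft.com"},
    },
}

# Top-level keys the policy layout uses (assumption based on the schema as I read it).
TOP_LEVEL_KEYS = {"groups", "rules", "settings"}


def check_policy(policy):
    """Return a list of structural problems; an empty list means the policy looks sane."""
    problems = []
    for key in policy:
        if key not in TOP_LEVEL_KEYS:
            problems.append(f"unexpected top-level key {key!r}: clauses only take effect inside a group query")
    group_ids = [g["id"] for g in policy.get("groups", [])]
    if len(group_ids) != len(set(group_ids)):
        problems.append("duplicate group ids")
    for rule in policy.get("rules", []):
        for field in ("includeGroups", "excludeGroups"):
            for gid in rule.get(field, []):
                if gid not in group_ids:
                    problems.append(f"rule {rule['id']}: {field} references unknown group {gid}")
        if not rule.get("entries"):
            problems.append(f"rule {rule['id']} has no entries")
    return problems


def clause_matches(clause, device):
    # A device is modelled as a flat dict of attribute name -> value (constructed for this example).
    return device.get(clause["$type"]) == clause["value"]


def group_matches(group, device):
    query = group["query"]
    hits = [clause_matches(c, device) for c in query["clauses"]]
    return all(hits) if query["$type"] == "all" else any(hits)


def effective_enforcement(policy, device, access):
    """Simplified model, not the agent's real algorithm: a rule applies when the device is in
    any includeGroups group and in no excludeGroups group; the first deny entry covering the
    requested access wins, otherwise the global default enforcement applies."""
    groups = {g["id"]: g for g in policy["groups"]}
    for rule in policy["rules"]:
        included = any(group_matches(groups[g], device) for g in rule["includeGroups"])
        excluded = any(group_matches(groups[g], device) for g in rule.get("excludeGroups", []))
        if included and not excluded:
            for entry in rule["entries"]:
                if entry["enforcement"]["$type"] == "deny" and access in entry["access"]:
                    return "deny"
    return policy["settings"]["global"]["defaultEnforcement"]


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("problems:", check_policy(POLICY))
```

Running the script prints the policy ready to paste into a policy file and reports no structural problems; feeding it the issue's original JSON (with the stray top-level "encryption" key) makes `check_policy` flag that key, which is the reason the clause had no effect. In the evaluation model, an unencrypted removable device resolves to "deny" while an APFS-encrypted one falls through to the global "allow" default.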