microsoft / mdatp-devicecontrol

Microsoft Defender for Endpoint Device Control tools, samples, and resources.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection?view=o365-worldwide
MIT License

JSON Policy Examples needed for group to represent multiple removable media device serial numbers #46

Open jbutleru47 opened 2 months ago

jbutleru47 commented 2 months ago

Though the examples so far are great for one-offs, a real-world example is needed for a JSON policy for device control that represents a group listing multiple serial numbers. As such a list would be updated frequently to add more serial numbers for approved devices, it would be optimum to have an example to follow, as building a working JSON is complex. I have contacted Microsoft support and they were unwilling to help as it was not a break/fix situation, thus I am looking here for assistance that I'm sure will help others.

jbutleru47 commented 2 months ago

The above issue is for macOS.

j0shbregman commented 2 months ago

@jbutleru47 I love the idea of creating an end to end example. My questions are:

jbutleru47 commented 2 months ago

@j0shbregman Thanks for the reply. For devices on the "approved list" (based on serial number) they have full RWX permissions, everything else (not on the approved list) does not have any RWX permissions.

jbutleru47 commented 1 month ago

Here's an example of a DC JSON for an approved list of Multiple Serial Numbers for removable devices:

```json
{
  "groups": [
    {
      "$type": "device",
      "id": "04B91BD0-0806-458E-837C-CA3B919605AF",
      "name": "All Removable Media Devices",
      "query": {
        "$type": "all",
        "clauses": [
          { "$type": "primaryId", "value": "removable_media_devices" }
        ]
      }
    },
    {
      "$type": "device",
      "id": "1F4E9407-2CD3-4E4D-9DF3-210BA488761E",
      "name": "Exclude Approved Serial Numbers",
      "query": {
        "$type": "and",
        "clauses": [
          { "$type": "primaryId", "value": "removable_media_devices" },
          {
            "$type": "or",
            "clauses": [
              { "$type": "serialNumber", "value": "60A44C413841F160799200C9" },
              { "$type": "serialNumber", "value": "NAC36Q6M" }
            ]
          }
        ]
      }
    }
  ],
  "rules": [
    {
      "id": "33AC33F1-CCCE-4452-B874-E9F6C6580FBB",
      "name": "Deny RWX to all Removable Media Devices except approved serial numbers",
      "includeGroups": [ "04B91BD0-0806-458E-837C-CA3B919605AF" ],
      "excludeGroups": [ "1F4E9407-2CD3-4E4D-9DF3-210BA488761E" ],
      "entries": [
        {
          "$type": "removableMedia",
          "id": "AEA40A77-9C16-4DC5-945D-704F2BDE9550",
          "enforcement": { "$type": "deny" },
          "access": [ "read", "write", "execute" ]
        },
        {
          "$type": "removableMedia",
          "id": "495A6B6C-F0C8-4B5B-B2F7-AF5B173092DA",
          "enforcement": { "$type": "auditDeny", "options": [ "send_event", "show_notification" ] },
          "access": [ "read", "write", "execute" ]
        }
      ]
    }
  ],
  "settings": {
    "features": { "removableMedia": { "disable": false } },
    "global": { "defaultEnforcement": "allow" },
    "ux": { "navigationTarget": "https://www.microsoft.com" }
  }
}
```
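Because the approved-serial group in the policy above has to be regenerated every time a device is added, here is an added example (not part of the thread or of the mdatp-devicecontrol project) that builds that same policy from a Python list of serial numbers and then evaluates it against a device's properties, so the allow/deny outcome can be checked offline before deployment. The evaluator's semantics are assumptions: `all`/`and` require every clause, `or`/`any` require one, the first matching entry of the first applicable rule decides, and anything unmatched falls back to `settings.global.defaultEnforcement`; it also rejects rules that reference group ids the policy never defines, a common hand-editing mistake.

```python
# Constructed sample input: serial numbers of the approved removable media devices.
APPROVED_SERIALS = ["60A44C413841F160799200C9", "NAC36Q6M"]

def build_policy(approved_serials):
    """Generate the thread's deny-all-except-approved policy from a serial-number list."""
    all_media = {"$type": "device", "id": "04B91BD0-0806-458E-837C-CA3B919605AF",
                 "name": "All Removable Media Devices", "query": {"$type": "all", "clauses": [
                     {"$type": "primaryId", "value": "removable_media_devices"}]}}
    approved = {"$type": "device", "id": "1F4E9407-2CD3-4E4D-9DF3-210BA488761E",
                "name": "Exclude Approved Serial Numbers", "query": {"$type": "and", "clauses": [
                    {"$type": "primaryId", "value": "removable_media_devices"},
                    {"$type": "or", "clauses": [{"$type": "serialNumber", "value": s}
                                                for s in approved_serials]}]}}
    rule = {"id": "33AC33F1-CCCE-4452-B874-E9F6C6580FBB",
            "name": "Deny RWX to all Removable Media Devices except approved serial numbers",
            "includeGroups": [all_media["id"]], "excludeGroups": [approved["id"]],
            "entries": [{"$type": "removableMedia", "id": "AEA40A77-9C16-4DC5-945D-704F2BDE9550",
                         "enforcement": {"$type": "deny"}, "access": ["read", "write", "execute"]},
                        {"$type": "removableMedia", "id": "495A6B6C-F0C8-4B5B-B2F7-AF5B173092DA",
                         "enforcement": {"$type": "auditDeny", "options": ["send_event", "show_notification"]},
                         "access": ["read", "write", "execute"]}]}
    return {"groups": [all_media, approved], "rules": [rule],
            "settings": {"features": {"removableMedia": {"disable": False}},
                         "global": {"defaultEnforcement": "allow"},
                         "ux": {"navigationTarget": "https://www.microsoft.com"}}}

def matches(query, device):
    """Assumption: all/and need every clause, or/any need one; a leaf compares one property."""
    t = query["$type"]
    if t in ("all", "and"):
        return all(matches(c, device) for c in query["clauses"])
    if t in ("or", "any"):
        return any(matches(c, device) for c in query["clauses"])
    return device.get(t) == query["value"]

def effective_enforcement(policy, device, access):
    """Enforcement for one access (assumption: first matching entry of the first applicable
    rule wins, else the global default); rejects references to undefined group ids."""
    groups = {g["id"]: g for g in policy["groups"]}
    for rule in policy["rules"]:
        missing = [i for i in rule["includeGroups"] + rule["excludeGroups"] if i not in groups]
        if missing:
            raise ValueError(f"rule {rule['id']} references unknown groups {missing}")
        included = any(matches(groups[i]["query"], device) for i in rule["includeGroups"])
        excluded = any(matches(groups[i]["query"], device) for i in rule["excludeGroups"])
        if included and not excluded:
            for entry in rule["entries"]:
                if access in entry["access"]:
                    return entry["enforcement"]["$type"]
    return policy["settings"]["global"]["defaultEnforcement"]
```

Device properties are given as a plain dict keyed by clause type (`primaryId`, `serialNumber`), so the same evaluator can be run against values read from the device control audit events.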