Getting Started
Gil Burns edited this page Feb 8, 2026 · 8 revisions
This guide walks you through installing the DeviceControlPolicy editor and creating your first policy.
- Download the latest release from the Releases page
- Open the downloaded `.zip` file
- Drag DeviceControlPolicy to your Applications folder
- Launch the application from Applications or Spotlight

The application uses a three-pane layout common in macOS applications:

| Pane | Purpose |
|---|---|
| Sidebar (left) | Navigate between Policy sections (Groups, Rules, Settings) and Preview |
| List (center) | View and select items within the current section |
| Detail (right) | Edit the selected item's properties |
- Launch DeviceControlPolicy editor
- The app automatically creates a new empty policy document
- Alternatively, choose File > New (⌘N) to create a new policy
A new policy contains:
- One empty device group
- One empty rule
- Default settings

- Choose File > Open (⌘O)
- Navigate to your `.json` policy file
- Select the file and click Open
The application can open policy files created by:
- This application
- Microsoft's sample policies
- Any valid device control policy JSON file
The application uses macOS's auto-save feature:
- Changes are saved automatically as you work
- The document title shows "Edited" when there are unsaved changes
- Use File > Save (⌘S) to save immediately
- Use File > Save As to save a copy with a new name
Let's create a simple policy that blocks write access to removable media:
- Select New from the File menu, or press Command+N
- Select Save from the File menu, or press Command+S
- Name it "Block USB Storage" and save it to the location of your choosing
- If not already selected, select Groups in the sidebar
- Click the already created New Device Group in the list view
- Then click into the Name field and name it "All Removable Media"
- In the Query section, set:
- Query Type: All (AND)
- Clause Type: Primary ID
- Value: Removable Media Devices

- Select Rules in the sidebar
- Click on the already created New Rule in the list view
- Name it "Block USB Write Access"
- Under Include Groups, add "All Removable Media"
- Expand the existing entry and change the values:
- Type: Removable Media
- Access: write
- Enforcement: Deny

- Select Settings in the sidebar
- Set Removable Media to Enabled
- Set Default Enforcement to Allow (so read access is still permitted)

- Choose File > Validate Policy (⇧⌘V) to verify your policy
- If valid, save your policy with File > Save (⌘S)
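As an added example (not part of the original wiki page or the editor's own code), the Python below lints a saved policy file for dangling group references and a disabled removable-media feature before it is applied. The JSON field names are an assumption based on Microsoft's published macOS device control schema, and the GUIDs are made-up placeholders.

```python
import json
# Constructed sample: the walkthrough's policy as JSON. Field names are an
# assumption (Microsoft's macOS device control schema); GUIDs are placeholders.
SAMPLE_POLICY = """
{
  "settings": {
    "features": {"removableMedia": {"disable": false}},
    "global": {"defaultEnforcement": "allow"}
  },
  "groups": [
    {"type": "device", "id": "11111111-1111-4111-8111-111111111111",
     "name": "All Removable Media",
     "query": {"$type": "all", "clauses": [
       {"$type": "primaryId", "value": "removable_media_devices"}]}}
  ],
  "rules": [
    {"id": "22222222-2222-4222-8222-222222222222", "name": "Block USB Write Access",
     "includeGroups": ["11111111-1111-4111-8111-111111111111"],
     "entries": [
       {"$type": "removableMedia",
        "id": "33333333-3333-4333-8333-333333333333",
        "enforcement": {"$type": "deny"}, "access": ["write"]}]}
  ]
}
"""

def lint_policy(text):
    """Return a list of problems found in a device control policy document."""
    policy = json.loads(text)  # raises ValueError on malformed JSON
    problems = []
    group_ids = [g.get("id") for g in policy.get("groups", [])]
    if len(group_ids) != len(set(group_ids)):
        problems.append("duplicate group id")
    for rule in policy.get("rules", []):
        name = rule.get("name", rule.get("id"))
        refs = rule.get("includeGroups", []) + rule.get("excludeGroups", [])
        for ref in refs:
            if ref not in group_ids:
                problems.append(f"rule {name!r}: unknown group {ref}")
        if not rule.get("entries"):
            problems.append(f"rule {name!r}: no entries")
    features = policy.get("settings", {}).get("features", {})
    if features.get("removableMedia", {}).get("disable", False):
        problems.append("removableMedia feature is disabled")
    return problems

if __name__ == "__main__":
    print(lint_policy(SAMPLE_POLICY) or "no problems found")
```

This complements, rather than replaces, File > Validate Policy in the editor.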
Warning
You can set a device control policy manually only if it wasn't already set via MDM.
- Launch Terminal.app
- Use this command: `sudo mdatp config device-control policy set --path <full-path-to-policy.json>`
- After the policy is applied, use this command to inspect it: `sudo mdatp device-control policy preferences list`
- If you need to make changes, you can edit your policy file, reapply it, and see changes immediately
- Once you are satisfied, use this command to undo the policy: `sudo mdatp config device-control policy reset`
- Upload the verified configuration to your MDM of choice.
See this Microsoft page for more details about manual deployment:
https://learn.microsoft.com/en-us/defender-endpoint/mac-device-control-manual
- Working with Groups - Learn about device matching queries
- Working with Rules - Understand entries and enforcement options
- Settings - Configure feature toggles and global settings