Microsoft Defender for Endpoint on Mac USB storage device control is in general availability as of July 2021.
In line with our commitment to rapidly expand Microsoft Defender for Endpoint cross-platform capabilities, we are preparing a set of enhancements to further reduce organizational exposure attributed to common end user activities. Today we are thrilled to announce the public preview of USB storage device control for Mac!
Preventing threats and securing your organization takes a multi-layered approach. Many users will plug in USB removable storage devices without considering their potential security risk. Enabling removable device control policies reduces the attack surface on users' machines and protects organizations against malware and data loss in these scenarios.
What level of USB device control comes with this new capability?
USB storage device control for Mac is designed to regulate the level of access given to external USB storage devices (including SD cards). The access level is controlled through custom policies.
The USB device control policy is hierarchical. At the top of the hierarchy are vendors. For each vendor, there are products. Finally, for each product there are serial numbers denoting specific USB devices.
The policy is evaluated from the most specific entry to the most general one. When a USB device does not match any of the nested entries, the access level for this device defaults to the top-level permission.
|-- policy top level
    |-- vendor 1
        |-- product 1
            |-- serial number 1
            |-- serial number N
        |-- product N
    |-- vendor N
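The lookup order described above can be modelled in a few lines. This is an added example, not Microsoft's code or the product's policy format: the key names, vendor/product IDs and serial numbers are hypothetical, and it assumes that an entry which sets no permission of its own falls through to the next more general level.

```python
# Added example modelling the lookup order described above. Key names and IDs
# are hypothetical placeholders, not the product's configuration schema.
POLICY = {  # constructed sample policy
    "permission": ["none"],  # top-level default
    "vendors": {
        "0x1111": {
            "permission": ["read"],
            "products": {
                "0xaaaa": {
                    "permission": ["read", "write"],
                    "serial_numbers": {"SN-0001": ["read", "write", "execute"]},
                },
                "0xbbbb": {},  # listed, but sets no permission of its own
            },
        },
    },
}


def resolve(policy, vendor_id, product_id, serial):
    """Return (matched_level, permission), trying the most specific entry first."""
    vendor = policy.get("vendors", {}).get(vendor_id, {})
    product = vendor.get("products", {}).get(product_id, {})
    candidates = [
        ("serial", product.get("serial_numbers", {}).get(serial)),
        ("product", product.get("permission")),
        ("vendor", vendor.get("permission")),
        ("top-level", policy.get("permission")),
    ]
    for level, permission in candidates:
        if permission is not None:
            return level, list(permission)
    # Assumption: a policy with no top-level permission grants nothing.
    return "implicit", ["none"]


def can(policy, action, vendor_id, product_id, serial):
    """True if `action` (read/write/execute) is permitted for this device."""
    return action in resolve(policy, vendor_id, product_id, serial)[1]


if __name__ == "__main__":
    for dev in [("0x1111", "0xaaaa", "SN-0001"), ("0x1111", "0xaaaa", "SN-9999"),
                ("0x1111", "0xbbbb", "SN-0002"), ("0x2222", "0xcccc", "SN-0001")]:
        print(dev, "->", resolve(POLICY, *dev))
```

Running a planned policy through a model like this before deployment shows which level decides the access for each device in an inventory, and confirms that a serial number only matches under its own vendor and product.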
When the USB device control policy restricts Mac end user actions, a notification appears informing the end user about the restriction imposed by the organization.
Security teams have visibility into instances of restricted actions involving USB storage devices in the Microsoft Defender Security Center.
USB device control events can also be explored using advanced hunting queries. For example:
DeviceEvents
| where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"
| where DeviceId == "<device ID>"
What are the available options to deploy USB storage device control policies for Mac?
USB device control policies can be deployed using , Intune, and manual deployment. For more information, read the Mac USB storage device control documentation for detailed guidance on policy deployment (including examples of USB device control configurations).
What are the preview prerequisites for USB storage device control for Mac?
To experience the USB storage device control for Mac capability in public preview, you’ll need to have preview features turned on in the Microsoft Defender Security Center. If you have not yet opted into previews, we encourage you to turn on preview features in the Microsoft Defender Security Center today.
Ensure the following requirements are fulfilled:
See the Mac USB device control documentation for additional details on setting and checking the aforementioned prerequisites on participating devices.
We welcome your feedback and look forward to hearing from you!
You can submit feedback by opening the Microsoft Defender for Endpoint application on your Mac device and navigating to Help > Send feedback. Another option is to submit feedback via the Microsoft Defender Security Center.
Monitor the What's new in Microsoft Defender for Endpoint on Mac page for upcoming announcements (including general availability of Mac USB storage device control).
If you’re not yet taking advantage of Microsoft’s industry-leading optics and detection capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.
Microsoft Defender for Endpoint team