Mac updates: Control your USB devices with Microsoft Defender for Endpoint on Mac!

by | Mar 22, 2021 | Technology | 0 comments

This article is contributed. See the original author and article here.

In line with our commitment to rapidly expand Microsoft Defender for Endpoint cross-platform capabilities, we are preparing a set of enhancements to further reduce organizational exposure attributed to common end user activities. Today we are thrilled to announce the public preview of USB storage device control for Mac!


 


Preventing threats and securing your organization takes a multi-layered approach. Many users will plug in USB removable storage devices without considering their potential security risk. Enabling removable device control policies reduces the attack surface on user’s machines and protects organizations against malware and data loss in these scenarios.


 


 


What level of USB device control comes with this new capability?


 


USB storage device control for Mac is designed to regulate the level of access given to external USB storage devices (including SD cards). The access level is controlled through custom policies.


 



  • The capability supports Audit and Block enforcement levels.

  • USB device access can be set to Read, Write, Execute, No access.

  • To achieve a high degree of granularity, USB access level can be specified for Product ID, Vendor ID, and Serial Number.

  • The custom policy allows customization of the URL where user is redirected to when interacting with an end user facing “device restricted” notification.


 


The USB device control policy is hierarchical. At the top of the hierarchy are vendors. For each vendor, there are products. Finally, for each product there are serial numbers denoting specific USB devices.


The policy is evaluated from the most specific entry to the most general one. When a USB device does not match any of the nested entries, the access level for this device defaults to the top-level permission.


 


|– policy top level


  |– vendor 1


     |– product 1


       |– serial number 1


        …


        |– serial number N


      …


     |– product N


  …


  |– vendor N


 


 


In cases when the USB device control policy restricts Mac end user actions, a notification appears informing the end user about the restriction imposed by the organization:


 


Screen Shot 2021-02-09 at 12.18.35 PM (2).png


 


 


Security teams have visibility into instances of restricted actions involving USB storage devices in the Microsoft Defender Security Center:


 


Portal.png


 


 


USB device control events can also be explored using advanced hunting queries. For example:


DeviceEvents


    | where ActionType == “UsbDriveMount” or ActionType == “UsbDriveUnmount” or ActionType == “UsbDriveDriveLetterChanged”


    | where DeviceId == “<device ID>”


 


 


What are the available options to deploy USB storage device control policies for Mac?


 


USB device control policies can be deployed using , Intune, and manual deployment. For more information, read the Mac USB storage device control documentation [LINK] for detailed guidance on policy deployment (including examples of USB device control configurations).


 


 


 


What are the preview prerequisites for USB storage device control for Mac?


 


To experience the USB storage device control for Mac capability in public preview, you’ll need to have preview features turned on in the Microsoft Defender Security Center. If you have not yet opted into previews, we encourage you to turn on preview features in the Microsoft Defender Security Center today.


 


Ensure the following requirements are fulfilled:



  • This new capability is supported on devices running macOS Catalina 10.15.4+

  • Participating devices must be running with system extensions (this is the default on macOS 11 Big Sur)

  • Participating devices must be registered for the InsiderFast Microsoft AutoUpdate channel

  • Minimum client version for Microsoft Defender for Endpoint for this capability is 101.24.59


 


For more information, see the Mac USB device control documentation for additional details on setting and checking the aforementioned prerequisites on participating devices.


 


 


 


We welcome your feedback and look forward to hearing from you!


You can submit feedback by opening Microsoft Defender for Endpoint application on your Mac device and navigating to Help > Send feedback. Another option is to submit feedback via the Microsoft Defender Security Center.


 


Monitor the What’s new in Microsoft Defender for Endpoint on Mac page for upcoming announcements (including general availability of Mac USB storage device control). 


 


If you’re not yet taking advantage of Microsoft’s industry leading optics and detection capabilities, sign up for free trial of Microsoft Defender for Endpoint today. 


 


 


Microsoft Defender for Endpoint team

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Submit a Comment