macOS: Added ready-to-deploy example mobileconfig file to block all removable storage devices using Device Control on Microsoft Defender

.gitignore

@@ -363,3 +363,5 @@ python/dist
 *.egg-info
 metadata.json
 kql
+.DS_Store
+Misc/.DS_Store

macOS/README.md

@@ -1,14 +1,14 @@
 # Device Control for macOS
-
 Resources for Device Control for macOS.
 
-## Policy
-
-Information about device control [policies](policy/README.md) including samples and schemas.
+## Img
+Screenshots and images, that have been added to "README.md" -files.
 
 ## Mobileconfig
-
 Examples of the [mobileconfig](mobileconfig/README.md) used to deploy policies on Intune.
 
 Learn More
-- [Deploy and manage Device Control using Intune](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-device-control-intune?view=o365-worldwide)
+- [Deploy and manage Device Control using Intune](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-device-control-intune?view=o365-worldwide)
+
+## Policy
+Information about device control [policies](policy/README.md) including samples and schemas.

macOS/mobileconfig/Microsoft Defender - Device Control - Block All Removable Storage Devices.mobileconfig

@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1">
+    <dict>
+        <key>PayloadUUID</key>
+        <string>F8E3933F-A0AC-4412-B724-C35A4A624820</string>
+        <key>PayloadType</key>
+        <string>Configuration</string>
+        <key>PayloadOrganization</key>
+        <string>Microsoft Corporation</string>
+        <key>PayloadIdentifier</key>
+        <string>com.microsoft.wdav</string>
+        <key>PayloadDisplayName</key>
+        <string>Microsoft Defender - Device Control: Block All Removable Storage Devices</string>
+        <key>PayloadDescription</key>
+        <string>Blocks all removable storage devices using Device Control from Microsoft Defender</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
+        <key>PayloadRemovalDisallowed</key>
+        <true/>
+        <key>PayloadScope</key>
+        <string>System</string>
+        <key>PayloadContent</key>
+        <array>
+            <dict>
+                <key>PayloadUUID</key>
+                <string>FE0AD77D-5C66-43F9-AFF2-12B18453A81B</string>
+                <key>PayloadType</key>
+                <string>com.microsoft.wdav</string>
+                <key>PayloadOrganization</key>
+                <string>Microsoft Corporation</string>
+                <key>PayloadIdentifier</key>
+                <string>com.microsoft.wdav</string>
+                <key>PayloadDisplayName</key>
+                <string>Microsoft Defender - Device Control: Block All Removable Storage Devices</string>
+                <key>PayloadDescription</key>
+                <string>Blocks all removable storage devices using Device Control from Microsoft Defender</string>
+                <key>PayloadVersion</key>
+                <integer>1</integer>
+                <key>PayloadEnabled</key>
+                <true/>
+                <key>dlp</key>
+                <dict>
+                  <key>features</key>
+                    <array>
+                        <dict>
+                            <key>name</key>
+                            <string>DC_in_dlp</string>
+                            <key>state</key>
+                            <string>enabled</string>
+                        </dict>
+                    </array>
+                </dict>
+                <key>deviceControl</key>
+                <dict>
+                    <key>policy</key>
+                    <string>
+{
+  "groups": [
+    {
+      "$type": "device",
+      "id": "cf4769ca-4553-4771-8cf7-f32063af02ed",
+      "name": "Block All Removable Storage Devices",
+      "query": {
+        "$type": "and",
+        "clauses": [
+          {
+            "$type": "primaryId",
+            "value": "removable_media_devices"
+          }
+        ]
+      }
+    }
+  ],
+  "rules": [
+    {
+      "id": "f34eb107-a01d-46a1-9c9b-3dcb6d3fcd14",
+      "name": "Block All Removable Storage Devices",
+      "includeGroups": [
+        "cf4769ca-4553-4771-8cf7-f32063af02ed"
+      ],
+      "entries": [
+        {
+          "$type": "removableMedia",
+          "id": "773215a8-3409-475d-862a-07f2b7df4042",
+          "enforcement": {
+            "$type": "deny"
+          },
+          "access": [
+            "read",
+            "write",
+            "execute"
+          ]
+        },
+        {
+          "$type": "removableMedia",
+          "id": "d6fdb6d6-b147-4f35-826a-849a2d69326f",
+          "enforcement": {
+            "$type": "auditDeny",
+            "options": [
+              "send_event",
+              "show_notification"
+            ]
+          },
+          "access": [
+            "read",
+            "write",
+            "execute"
+          ]
+        }
+      ]
+    }
+  ],
+  "settings": {
+    "features": {
+      "removableMedia": {
+        "disable": false
+      }
+    },
+    "ux": {
+      "navigationTarget": "https://helpdesk.example.com/"
+    }
+  }
+}
+                    </string>
+                </dict>
+            </dict>
+        </array>
+    </dict>
+</plist>

macOS/mobileconfig/README.md

@@ -1,5 +1,26 @@
 # Device Control for macOS Deployment
 
+In this page, we have gathered some example device control policies for macOS.
+
+## Microsoft Defender - Device Control - Block All Removable Storage Devices.mobileconfig
+
+Ready-to-deploy example mobileconfig file to block all removable storage devices using Device Control on Microsoft Defender. This policy is following version 2 schema. This policy also enables Data Loss Prevention (DLP), that is required to device control to operate.
+
+### Before deploying this policy, please do following ones
+1. Remove placeholder URL from line 123 and add appropriate URL instead. Good example is address to your local IT Helpdesk website from your company, where employees can contact if they need more information of applied restriction.
+2. Make sure, that Microsoft Defender have full disk access. [More information can be found here how that can be done](https://learn.microsoft.com/en-us/defender-endpoint/mac-device-control-overview).
+
+> [!IMPORTANT] 
+> If you have already deployed all needed policies (as ".mobileconfig" file format) to Microsoft Defender, like full disk access, via MDM, please make sure, that you have up-to-date mobileconfig policy files applied so Device Control feature will work appropriately.
+>
+>For example, easiest way to do the update mobileconfig policy file of full disk access is to upload available mobileconfig policy file to existing policy, that will replace older mobileconfig policy file with newer one. 
+>
+> Check latest mobileconfig policy files [here](https://learn.microsoft.com/en-us/defender-endpoint/mac-install-with-intune).
+
+### Screenshot exapmple of the deployment via Intune
+
+![Screenshot example](../img/screenshot-of-device-control-policy-deployment-on-intune.png)
+
 ## demo.mobileconfig
 
 An example mobileconfig file demonstrating how to deploy a DC policy.
@@ -39,4 +60,4 @@ The v2 Device Control policy is now set via the `deviceControl/policy` key.  The
 
 ## schema.json
 
-The [mdatp-xplat](https://github.com/microsoft/mdatp-xplat) repo's [schema.json](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) has been updated to expose both the `deviceControl/policy` and `dlp/features` configurations.
+The [mdatp-xplat](https://github.com/microsoft/mdatp-xplat) repo's [schema.json](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) has been updated to expose both the `deviceControl/policy` and `dlp/features` configurations.