Examples of device control policies for JAMF

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using JAMF to manage devices in your enterprise.

Restrict access to all removable media

The following example restricts access to all removable media. Note the none permission that is applied at the top level of the policy, meaning that all file operations will be prohibited.

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
<plist version="1.0"> 
<dict> 
    <key>deviceControl</key> 
    <dict> 
        <key>removableMediaPolicy</key> 
        <dict> 
            <key>enforcementLevel</key> 
            <string>block</string> 
            <key>permission</key> 
            <array> 
                <string>none</string> 
            </array> 
        </dict> 
    </dict> 
</dict> 
</plist>

Set all removable media to be read-only

The following example configures all removable media to be read-only. Note the read permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
<plist version="1.0"> 
<dict> 
    <key>deviceControl</key> 
    <dict> 
        <key>removableMediaPolicy</key> 
        <dict> 
            <key>enforcementLevel</key> 
            <string>block</string> 
            <key>permission</key> 
            <array> 
                <string>read</string> 
            </array> 
        </dict> 
    </dict> 
</dict> 
</plist>

Disallow program execution from removable media

The following example shows how program execution from removable media can be disallowed. Note the read and write permissions that are applied at the top level of the policy.

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
<plist version="1.0"> 
<dict> 
    <key>deviceControl</key> 
    <dict> 
        <key>removableMediaPolicy</key> 
        <dict> 
            <key>enforcementLevel</key> 
            <string>block</string> 
            <key>permission</key> 
            <array> 
                <string>read</string>
                <string>write</string> 
            </array> 
        </dict> 
    </dict> 
</dict> 
</plist>

Restrict all devices from specific vendors

The following example restricts all devices from specific vendors (in this case identified by fff0 and 4525). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
<plist version="1.0"> 
<dict> 
    <key>deviceControl</key> 
    <dict> 
        <key>removableMediaPolicy</key> 
        <dict> 
            <key>enforcementLevel</key> 
            <string>block</string> 
            <key>permission</key> 
            <array> 
                <string>read</string>
                <string>write</string>
                <string>execute</string> 
            </array> 
            <key>vendors</key> 
            <dict> 
                <key>fff0</key> 
                <dict> 
                    <key>permission</key> 
                    <array> 
                        <string>none</string> 
                    </array> 
                </dict> 
                <key>4525</key> 
                <dict> 
                    <key>permission</key> 
                    <array>                         
                        <string>none</string> 
                    </array> 
                </dict> 
            </dict> 
        </dict> 
    </dict> 
</dict> 
</plist> 

Restrict specific devices identified by vendor ID, product ID, and serial number

The following example restricts two specific devices, identified by vendor ID fff0, product ID 1000, and serial numbers 04ZSSMHI2O7WBVOA and 04ZSSMHI2O7WBVOB. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
<plist version="1.0"> 
<dict> 
    <key>deviceControl</key> 
    <dict> 
        <key>removableMediaPolicy</key> 
        <dict> 
            <key>enforcementLevel</key> 
            <string>block</string> 
            <key>permission</key> 
            <array> 
                <string>read</string>
                <string>write</string>
                <string>execute</string>
            </array> 
            <key>vendors</key> 
            <dict> 
                <key>fff0</key> 
                <dict> 
                    <key>permission</key> 
                    <array> 
                        <string>read</string> 
                        <string>write</string>
                        <string>execute</string> 
                    </array> 
                    <key>products</key> 
                    <dict> 
                        <key>1000</key> 
                        <dict> 
                            <key>permission</key> 
                            <array> 
                                <string>read</string> 
                                <string>write</string>
                                <string>execute</string>
                            </array> 
                            <key>serialNumbers</key> 
                            <dict> 
                                <key>04ZSSMHI2O7WBVOA</key> 
                                <array> 
                                  <string>none</string> 
                                </array> 
                                <key>04ZSSMHI2O7WBVOB</key>
                                <array> 
                                  <string>none</string> 
                                </array> 
                            </dict> 
                        </dict> 
                    </dict> 
                </dict>
            </dict> 
        </dict> 
    </dict> 
</dict> 
</plist>
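
To review what a policy will do to a given device before it is pushed through JAMF, the nested structure above can be resolved offline. The following is an added example, not Microsoft's code: it assumes the most specific matching level (serial number, then product, then vendor, then top level) decides the permission, which is what the vendor and serial-number examples on this page imply. The names POLICY_XML and effective_permission are hypothetical, and the policy in it is constructed for illustration.

```python
import plistlib

# Constructed policy in the shape of the page's last example, with a different
# permission at each level so the resolution is visible.
POLICY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>deviceControl</key><dict>
<key>removableMediaPolicy</key><dict>
  <key>enforcementLevel</key><string>block</string>
  <key>permission</key><array><string>read</string><string>write</string><string>execute</string></array>
  <key>vendors</key><dict><key>fff0</key><dict>
    <key>permission</key><array><string>read</string></array>
    <key>products</key><dict><key>1000</key><dict>
      <key>permission</key><array><string>read</string><string>write</string></array>
      <key>serialNumbers</key><dict>
        <key>04ZSSMHI2O7WBVOA</key><array><string>none</string></array>
      </dict></dict></dict></dict></dict>
</dict></dict></dict></plist>"""

VALID = {"none", "read", "write", "execute"}  # the permission values used on the page

def _perms(value, where):
    """Check a permission array; return it as a set, with 'none' as the empty set."""
    perms = set(value)
    # Mixing 'none' with other values is rejected as ambiguous (this example's choice).
    if not perms or perms - VALID or ("none" in perms and len(perms) > 1):
        raise ValueError(f"{where}: bad permission list {sorted(perms)}")
    return perms - {"none"}

def effective_permission(policy, vendor, product, serial):
    """Return (permissions, level) from the most specific matching level (assumed)."""
    node = policy["deviceControl"]["removableMediaPolicy"]
    result = (_perms(node["permission"], "top level"), "top level")
    v = node.get("vendors", {}).get(vendor)
    if v is None:
        return result
    if "permission" in v:
        result = (_perms(v["permission"], vendor), "vendor")
    p = v.get("products", {}).get(product)
    if p is None:
        return result
    if "permission" in p:
        result = (_perms(p["permission"], product), "product")
    s = p.get("serialNumbers", {}).get(serial)
    if s is not None:  # serial entries are plain arrays, as in the page's example
        result = (_perms(s, serial), "serial")
    return result

POLICY = plistlib.loads(POLICY_XML)
```

An empty set in the result means the device is fully blocked; the second element names the policy level that decided it.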