Commit 238aa2c

acrolinx edits
1 parent 0715272 commit 238aa2c

10 files changed

+88
-88
lines changed

defender-endpoint/mac-device-control-faq.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ Answer: Run _mdatp device-control policy preferences list_ to see all the iOS po
4040

4141
:::image type="content" source="media/macos-device-control-faq-enabled-default-enforcement.png" alt-text="Shows how to run mdatp device-control policy preferences list to see if a device is Device Control enabled. " lightbox="media/macos-device-control-faq-enabled-default-enforcement.png":::
4242

43-
### How do I know whether the policy has been delivered to the client machine?
43+
### How do I know if the policy is delivered to the client machine?
4444

4545
Answer: Run _mdatp device-control policy rules list_ to see all the iOS policies on this machine:
4646
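Review bot: Both the hunk header (line 40) and context line 45 say the command lists "all the iOS policies on this machine", but this FAQ covers Device Control on macOS and the commands shown (`mdatp device-control policy preferences list` and `mdatp device-control policy rules list`) run on the local Mac; unless iOS is really meant, "all the Device Control policies on this machine" is the accurate wording. The "whether" to "if" change at 43+ is fine.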

defender-endpoint/mac-device-control-intune.md

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ Before you get started with Removable Storage Access Control, you must confirm y
4545
Now, you have `groups`, `rules`, and `settings`, replace the mobileconfig file with those values and put it under the Device Control node. Here's the demo file: [mdatp-devicecontrol/demo.mobileconfig at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/mobileconfig/demo.mobileconfig). Make sure validate your policy with the JSON schema and make sure your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).
4646

4747
> [!NOTE]
48-
> See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.
48+
> See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups.
4949
5050
### Deploy the mobileconfig file using Intune
5151
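Review bot: Context line 45 still has a grammar slip and a repeated phrase, "Make sure validate your policy with the JSON schema and make sure your policy format is correct"; since this commit touches the adjacent note, suggest aligning it with the Jamf page's wording: "Make sure to validate your policy with the JSON schema so your policy format is correct." The first sentence of that line is also a run-on; "Now that you have `groups`, `rules`, and `settings`, replace the values in the mobileconfig file and put it under the Device Control node." reads more clearly.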

defender-endpoint/mac-device-control-jamf.md

Lines changed: 6 additions & 6 deletions
@@ -43,27 +43,27 @@ Before you get started with Removable Storage Access Control, you must confirm y
4343

4444
### Step 1: Create policy JSON
4545

46-
Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here is the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).
46+
Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here's the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).
4747

48-
See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.
48+
See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups.
4949

5050
### Step 2: Update MDE Preferences Schema
5151

52-
The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) has been updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content.
52+
The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) is updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content.
5353

5454
:::image type="content" source="media/macos-device-control-jamf-mde-preferences-schema.png" alt-text="Shows where to edit the Microsoft Defender for Endpoint Preferences Schema to update." lightbox="media/macos-device-control-jamf-mde-preferences-schema.png":::
5555

5656
### Step 3: Add Device Control Policy to MDE Preferences
5757

58-
A new 'Device Control' property will now be available to add to the UX.
58+
A new 'Device Control' property is now available to add to the UX.
5959

6060
1. Select the topmost **Add/Remove properties** button, then select **Device Control** and press **Apply**.
6161

6262
:::image type="content" source="media/macos-device-control-jamf-device-control-property.png" alt-text="Shows how to add Device Control in Microsoft Defender for Endpoint" lightbox="media/macos-device-control-jamf-device-control-property.png":::
6363

64-
2. Next, scroll down until you see the **Device Control** property (it will be the bottommost entry), and select **Add/Remove properties** directly underneath it.
64+
2. Next, scroll down until you see the **Device Control** property (it's the bottommost entry), and select **Add/Remove properties** directly underneath it.
6565

66-
3. Select **Device Control Policy**, and then click **Apply**.
66+
3. Select **Device Control Policy**, and then select **Apply**.
6767

6868
:::image type="content" source="media/macos-device-control-jamf-device-control-add-remove-property.png" alt-text="Shows how to apply Device Control Policy in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-add-remove-property.png":::
6969
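Review bot: Line 46+ keeps the run-on sentence and inconsistent markup: 'groups' and 'settings' are in single quotes while rules is bare, and the Intune page in this same commit uses backticks for the same keys. Suggest: "Now that you have `groups`, `rules`, and `settings`, combine them into one JSON file. Here's the demo file: ...". At 52+ the change from "has been updated" to "is updated" loses the sense that the schema changed; "now includes the new `deviceControl/policy` key" keeps present tense and the meaning.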

defender-endpoint/mac-device-control-overview.md

Lines changed: 9 additions & 9 deletions
@@ -52,7 +52,7 @@ Microsoft Defender for Endpoint Device Control feature enables you to:
5252

5353
- Microsoft Defender for Endpoint entitlement (can be trial)
5454
- Minimum OS version: macOS 11 or higher
55-
- Deploy Full Disk Access: you may already have previously created and deployed this [https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) for other MDE features. You need to grant Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`.
55+
- Deploy Full Disk Access: you might have created and deployed this [https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) for other MDE features. You need to grant Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`.
5656
- Enable Device Control on the MDE Preference setting:
5757

5858
- Data Loss Prevention (DLP)/Features/
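Review bot: Context line 54 "Minimum OS version: macOS 11 or higher" is redundant ("minimum" already implies "or higher"); either "Minimum OS version: macOS 11" or "macOS 11 or later". The simplification of "may already have previously created" to "might have created" at 55+ is good.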
@@ -90,7 +90,7 @@ Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/
9090

9191
## Understanding policies
9292

93-
Policies determine the behavior of device control for macOS. The policy is targeted via Intune or JAMF to a collection of machines or users.
93+
Policies determine the behavior of device control for macOS. The policy is targeted via Intune or JAMF to a collection of machines or users.
9494

9595
The Device Control for macOS policy includes settings, groups, and rules:
9696
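Review bot: Lines 93- and 93+ are identical as rendered ("Policies determine the behavior of device control for macOS. The policy is targeted via Intune or JAMF to a collection of machines or users."), so this hunk is either a trailing-whitespace or line-ending fix or a no-op; if it is whitespace, fine, otherwise drop it so the diff stays limited to the wording changes the commit message describes.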

@@ -112,9 +112,9 @@ The Device Control for macOS policy includes settings, groups, and rules:
112112

113113
Device control for macOS has similar capabilities to Device control for Windows, but macOS and Windows provide different underlying capabilities to manage devices, so there are some important differences:
114114

115-
- macOS doesn't have a centralized Device Manager or view of devices. Access is granted/denied to applications that interact with devices. This is why on macOS there are a richer set of [access types](#access-types). For example on a ```portableDevice``` device control for macOS can deny or allow ```download_photos_from_device```.
116-
- To stay consistent with Windows, there are ```generic_read```,```generic_write``` and ```generic_execute``` access types. Policies with generic access types don't need to be changed if/when more specific access types are added in the future. The best practice is to use generic access types unless there's a specific need to deny/allow a more specific operation.
117-
- Creating a ```deny``` policy using generic access types is the best way to attempt to completely block all operations for that type of device (for example, Android phones), but there may still be gaps if the operation is performed using an application that isn't supported by macOS device control.
115+
- macOS doesn't have a centralized Device Manager or view of devices. Access is granted/denied to applications that interact with devices. This is why on macOS there are a richer set of [access types](#access-types). For example of a ```portableDevice``` device control for macOS can deny or allow ```download_photos_from_device```.
116+
- To stay consistent with Windows, there are ```generic_read```,```generic_write``` ,and ```generic_execute``` access types. Policies with generic access types don't need to be changed if/when more specific access types are added in the future. The best practice is to use generic access types unless there's a specific need to deny/allow a more specific operation.
117+
- Creating a ```deny``` policy using generic access types is the best way to attempt to completely block all operations for that type of device (for example, Android phones), but there might still be gaps if the operation is performed using an application that isn't supported by macOS device control.
118118

119119

120120
### Settings
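Review bot: Line 115+ introduces a regression: "For example on a ```portableDevice```" became "For example of a ```portableDevice```", which is wrong; keep "on" and add commas ("For example, on a `portableDevice`, device control for macOS can deny or allow `download_photos_from_device`"). Line 116+ has a misplaced space and comma in "```generic_write``` ,and"; it should read "`generic_read`, `generic_write`, and `generic_execute`". While here, "there are a richer set of access types" in 115+ needs "there is a richer set".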
@@ -123,7 +123,7 @@ Here are the properties you can use when you create the groups, rules, and setti
123123

124124
| Property name | Description | Options |
125125
|:---|:---|:---|
126-
| features | Feature specific configurations | You can set `disable` to false or true for following features: <br/>- `removableMedia`<br/>- `appleDevice`<br/>- `portableDevice`, including camera or PTP media<br/>- `bluetoothDevice`<br/><br/>The default is `true`, so if you don't configure this value, it will not apply even if you create a custom policy for `removableMedia`, because it's disabled by default. |
126+
| features | Feature specific configurations | You can set `disable` to false or true for following features: <br/>- `removableMedia`<br/>- `appleDevice`<br/>- `portableDevice`, including camera or PTP media<br/>- `bluetoothDevice`<br/><br/>The default is `true`, so if you don't configure this value, it won't apply even if you create a custom policy for `removableMedia`, because it's disabled by default. |
127127
| global | Set default enforcement | You can set `defaultEnforcement` to<br/>- `allow` (_default_)<br/>- `deny` |
128128
| ux | You can set a hyperlink on notification. | `navigationTarget: string`. Example: `"http://www.microsoft.com"` |
129129
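Review bot: The features row at 126+ is hard to parse: "You can set `disable` to false or true for following features" is missing "the", and the closing sentence buries the security-relevant default. Suggest: "The default for `disable` is `true`, meaning each feature is off; a custom policy for `removableMedia` has no effect unless you set `disable` to `false` for that feature." Putting `false` and `true` in code font consistently would also help.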

@@ -190,7 +190,7 @@ The following table lists the properties you can use in your entry:
190190
|:---|:---|:---|
191191
| `$type` | | Includes: <br/>- `removableMedia`<br/>- `appleDevice`<br/>- `PortableDevice`<br/>- `bluetoothDevice`<br/>- `generic` |
192192
| enforcement | | - `$type`:<br/>- `allow`<br/>- `deny`<br/>- `auditAllow`<br/>- `auditDeny`<br/><br/>**When $type allow is selected, options value supports:** <br/>- `disable_audit_allow`<br/> Even if **Allow** happens and the **auditAllow** is setting configured, the system won't send event.<br/><br/>**When $type deny is selected, options value supports:** <br/>`disable_audit_deny`<br/>Even if **Block** happens and the **auditDeny** is setting configured, the system won't show notification or send event.<br/><br/>**When $type auditAllow is selected, options value supports:** <br/>`send_event`<br/><br/>**When $type auditDeny is selected, options value supports:** <br/>`send_event`<br/>`show_notification` |
193-
| `access`| |Specify one or more access rights for this rule. These may include either device specific granular permissions, or broader generic permissions. See table below for more details on the valid access types for a given entry $type. |
193+
| `access`| |Specify one or more access rights for this rule. These might include either device specific granular permissions, or broader generic permissions. See table below for more details on the valid access types for a given entry $type. |
194194
| `id`| UUID| |
195195

196196
The following table lists the properties you can use in entry:
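Review bot: Context line 191 lists `PortableDevice` with a capital P while the rest of this file uses `portableDevice` (lines 115 and 126); the policy is validated against a JSON schema, so a casing mismatch in the docs can lead readers to write entries that fail validation, please align it. In 193+, "device specific granular permissions" should be hyphenated ("device-specific") and "See table below" should be "See the table below". Line 196 "properties you can use in entry" is missing an article ("in an entry").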
@@ -259,7 +259,7 @@ v2_full_disk_access : "approved"
259259
- `active` - feature version, you should see ["v2"]. (Device Control is enabled, but not configured.)
260260
- [] - Device Control isn't configured on this machine.
261261
- ["v1"] - You are on a preview version of Device Control. Migrate to version 2 using this guide. v1 is considered obsolete and not described in this documentation.
262-
- ["v1","v2"] - You have both v1 and v2 enabled. Offboard from v1.
262+
- ["v1,""v2"] - You have both v1 and v2 enabled. Offboard from v1.
263263
- `v1_configured` - v1 configuration is applied
264264
- `v1_enforcement_level` - when v1 is enabled
265265
- `v2_configured` - v2 configuration is applied
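Review bot: Line 262+ breaks the example output: `["v1,""v2"]` misplaces the quotes and no longer matches the `["v1"]` form shown on line 261 or the `["v2"]` form on line 259; revert to `["v1","v2"]` (or `["v1", "v2"]`).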
@@ -473,7 +473,7 @@ In this case, only have one access rule policy, but if you have multiple, make s
473473
## Known Issues
474474

475475
> [!WARNING]
476-
> Device Control on macOS restricts Android devices that are connected using PTP mode **only**. Device control doesn't restrict other modes such as File Transfer, USB Tethering and MIDI.
476+
> Device Control on macOS restricts Android devices that are connected using PTP mode **only**. Device control doesn't restrict other modes such as File Transfer, USB Tethering, and MIDI.
477477
478478
> [!WARNING]
479479
> Device Control on macOS doesn't prevent software developed on XCode from being transferred to an external device.
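Review bot: Context line 479 spells the Apple tool "XCode"; the product name is "Xcode". The Oxford comma added at 476+ is consistent with the other files in this commit.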

defender-endpoint/mac-exclusions.md

Lines changed: 4 additions & 4 deletions
@@ -41,7 +41,7 @@ Exclusions can be useful to avoid incorrect detections on files or software that
4141
To narrow down which process and/or path and/or extension you need to exclude, use [real-time-protection-statistics](mac-support-perf.md).
4242

4343
> [!WARNING]
44-
> Defining exclusions lowers the protection offered by Defender for Endpoint on Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
44+
> Defining exclusions lowers the protection offered by Defender for Endpoint on Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you're confident aren't malicious.
4545
4646
## Supported exclusion types
4747
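Review bot: Context line 41 "which process and/or path and/or extension you need to exclude" reads awkwardly; "which process, path, or extension you need to exclude" says the same. The contraction changes at 44+ are fine for a warning admonition.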

@@ -62,9 +62,9 @@ File, folder, and process exclusions support the following wildcards:
6262
|?|Matches any single character|`file?.log` includes `file1.log` and `file2.log`, but not `file123.log`|
6363

6464
> [!NOTE]
65-
> When using the * wildcard at the end of the path, it will match all files and subdirectories under the parent of the wildcard.
65+
> Using the * wildcard at the end of the path, it matches all files and subdirectories under the parent of the wildcard.
6666
>
67-
> The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist.
67+
> The product attempts to resolve firm links when evaluating exclusions. Firm link resolution doesn't work when the exclusion contains wildcards or the target file (on the `Data` volume) doesn't exist.
6868
6969
## Best practices for adding antimalware exclusions for Microsoft Defender for Endpoint on macOS.
7070
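Review bot: Line 67+ changes "firmlinks" to "firm links", but firmlink is the single-word name Apple uses for the APFS mechanism that joins the System and Data volumes, and splitting it makes the term unsearchable and misleading for anyone debugging why an exclusion did not match; keep "firmlinks" (a one-line gloss would help). Line 65+ now has a dangling modifier ("Using the * wildcard at the end of the path, it matches ..."); suggest "A * wildcard at the end of a path matches all files and subdirectories under the parent of the wildcard."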

@@ -74,7 +74,7 @@ File, folder, and process exclusions support the following wildcards:
7474

7575
*except for apps that the ISV stated that there's no other tweaking that could be done to prevent the false positive or higher cpu utilization from occurring.
7676

77-
1. Avoid migrating non-Microsoft antimalware exclusions since they may no longer be applicable nor applicable to Microsoft Defender for Endpoint on macOS.
77+
1. Avoid migrating non-Microsoft antimalware exclusions since they might no longer be applicable nor applicable to Microsoft Defender for Endpoint on macOS.
7878

7979
1. Order of exclusions to consider top (more secure) to bottom (least secure):
8080
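Review bot: Line 77+ still carries the duplicated word from the original, "might no longer be applicable nor applicable to Microsoft Defender for Endpoint on macOS"; the intended meaning is probably "might no longer be needed, or might not apply to Microsoft Defender for Endpoint on macOS". In the footnote on context line 75, "cpu" should be "CPU".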
