JSON Preview and Validation
Device Control Policy Editor provides tools to preview the generated JSON and validate your policy against Microsoft's schema.
The JSON Preview feature shows the complete policy document as it will be saved to the file.
- Select JSON Preview in the sidebar (under the Preview section)
- Click Full Policy JSON in the list
- The complete JSON is displayed in the detail pane
- Real-time updates - The preview updates automatically as you make changes
- Pretty-printed format - JSON is formatted with indentation for readability
- Sorted keys - Properties are sorted alphabetically for consistency
- Syntax highlighting - Monospace font for easy reading
- Text selection - Select and copy portions of the JSON
- Scrollable view - Horizontal and vertical scrolling for large policies
To copy the entire policy JSON to your clipboard:
- Navigate to the JSON Preview
- Click the Copy JSON button in the toolbar
The button changes to "Copied!" briefly to confirm the action.
- Review before saving - Verify the structure before saving
- Share with colleagues - Copy and paste into documentation or emails
- Manual deployment - Copy JSON for direct MDM configuration
- Troubleshooting - Examine the exact JSON structure for debugging
The validation feature checks your policy against Microsoft's device control policy schema, catching errors that the visual editor might not prevent.
- Open a policy document
- Choose File > Validate Policy... from the menu, or
- Press ⇧⌘V (Shift-Command-V)
If your policy is valid, you'll see a confirmation:
If issues are found, you'll see a list of validation errors:
Each error shows:
-
Path - The JSON path to the problematic element (e.g.,
/groups/0/query) - Message - A description of what's wrong
The validator verifies:
- Required fields are present (
groups,rules,settings) - Arrays have minimum required items
- Object properties have correct types
- All ID fields contain valid UUID format
- Pattern:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- Must be exactly 4 hexadecimal digits
- Pattern:
0000toFFFF
- Query types are valid (
all,any,not) - Binary queries have
clausesarray - Unary queries have nested
query - Clauses have required
$typeandvaluefields
- Entry types match schema (
appleDevice,removableMedia, etc.) - Access values are valid for the entry type
- Enforcement type is valid (
allow,deny,auditAllow,auditDeny) - Audit enforcement types have required
optionsarray
- Primary ID values are valid device categories
- Encryption value is valid (
apfs) - Default enforcement is
allowordeny
| Error | Cause | Solution |
|---|---|---|
| "Invalid UUID format" | UUID doesn't match required pattern | Click Generate New to create a valid UUID |
| "must be a 4-digit hexadecimal string" | Vendor/Product ID wrong length | Enter exactly 4 hex characters (0-9, A-F) |
| "Entries array must have at least 1 item" | Rule has no entries | Add at least one entry to the rule |
| "auditDeny requires 'options' array" | Audit enforcement missing options | Select at least one option (Send Event, Show Notification) |
| "Invalid access value" | Access type wrong for entry type | Use access types valid for the selected entry type |
- Validation - Checks against the complete schema specification
- Save - Saves the JSON as-is (may include schema violations)
You can save a policy that fails validation, but it may not work correctly when deployed to Microsoft Defender.
- Validate before deployment - Always run validation before deploying a policy
- Fix all errors - Address all validation errors, not just critical ones
- Review JSON preview - Visual inspection can catch logical errors validation doesn't
- Test with sample data - Compare your JSON structure against Microsoft's sample policies
The application couldn't load the validation schema. This shouldn't happen with a normal installation. Try:
- Reinstalling the application
- Checking for application updates
The schema validation checks structure, not logic. Verify:
- Features are enabled in Settings for your device types
- Groups actually match the devices you expect
- Rule order is correct (first match wins)
- Include/Exclude groups are configured correctly
- Getting Started - Return to basics
- Keyboard Shortcuts - Speed up your workflow