Hey folks. I've looked through numerous threads on this but at this point my head is in a pickle, so I was wondering if anybody could point me in the right direction.
Long story short, we have a new requirement to block USB storage on all of our Macs, but only for specific members of staff. I'm a bit perplexed as to the best way to do this.
We currently bind all our Macs to AD and authenticate that way. My initial temptation is to go down the route of creating a configuration profile to block USB storage by using the "Restrictions" payload and unticking external drive access, or setting it to authenticate or read-only as a workaround. I could then scope this to our entire fleet of Macs, but add a scope limitation to a specific LDAP user group.
Is that the best way to go about it or is there a better solution in this instance? How do folks manage similar restrictions?
As ever, cheers for the help.
