Question

Blueprint using Disk Management Policy payload does not allow external USB drives to mount

  • January 21, 2026
  • 17 replies
  • 159 views

howie_isaacks

I am gradually learning how to work with blueprints. I have had success managing software updates with blueprints, so I decided to try out restricting external drives to read-only access. I want to stop controlling this using Proofpoint DLP (which I think is crapware) and start controlling it with blueprints.

After configuring the blueprint, I deployed it to one of my Macs, then connected two USB drives. Neither drive appeared on my desktop. I opened Disk Utility and found both there. When I clicked to mount each of them, they would not mount. I saw no errors. They just won’t mount. As part of my testing, I uninstalled Proofpoint DLP, which is being used currently to make external drives mount as read-only. Before scoping the blueprint to my Mac, I confirmed that I could mount drives and write to them. I just recreated this on a second Mac. It’s the same issue. Proofpoint DLP is removed. The blueprint is installed. A PLIST was created at /private/var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist. I see that it has the correct settings.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DeclarationKeys</key>
<array>
<string>com.apple.RemoteManagement.DiskManagementSettingsExtension/CE08B009-C75E-4F16-B4F0-28597E8A7EBF:Qmx1ZXByaW50XzAwNzU4Njc1LTRlYWQtNGM3Zi04M2JkLTJlZTU5M2MzY2MyNV9zMV9jMV9zeXNfY2ZnMQ==.ZGY5YjQwNjYxMWU5NWZhNGU2MzUxZGE2MDUzMzk3MGZiOTM4MTIwMzZkMjljYTc4ZWEzZjliYTE5ZmJiNmRjMQ==</string>
</array>
<key>Restrictions</key>
<dict>
<key>ExternalStorage</key>
<string>ReadOnly</string>
<key>NetworkStorage</key>
<string>Allowed</string>
</dict>
</dict>
</plist>

External storage is set to “Read-Only”. Has anyone seen this and figured out how to fix it? I opened a case with Jamf about this. Here’s a screenshot of my blueprint. It’s not complicated. It seems to be very easy to set up.


17 replies

PaulHazelden
  • Jamf Heroes
  • January 22, 2026

Just tried a test here.
Blueprint set to read only for both external drives and mounted servers.
Plug in a USB drive and it fails to mount.
I can see the externals in Disk Utility, but for me they fail to mount from there. 

My previous testing of this functionality has taken me down the Jamf Protect route. It works from there, plus you can apply exceptions.


PaulHazelden
  • Jamf Heroes
  • January 22, 2026

Just to add. In Disk Utility, if I get info on the drive that will not mount, it shows up as Not Writeable.


usblars
  • New Contributor
  • January 22, 2026

@howie_isaacks on your software blueprints, are you able to get the “install system data files and security updates” key to turn on? Asking as I need it for Apple Pay Wallet and can’t seem to get it enabled.


PE14_2
  • Valued Contributor
  • January 22, 2026

@howie_isaacks tested here, same thing: I see them (Disk Utility) but am not able to mount.


mrsimon007
  • New Contributor
  • January 22, 2026

It sounds like the blueprint is blocking external drives entirely instead of setting them to read-only. Double-check the Disk Management payload settings, especially any options that disable mounting removable media. Also try removing the blueprint to confirm it’s the cause, then adjust the policy to allow mounting while restricting write access.


PE14_2
  • Valued Contributor
  • January 22, 2026

Removing the blueprint fixed the “problem” → the disk mounts normally.


howie_isaacks
  • Author
  • Esteemed Contributor
  • January 22, 2026

I uploaded the PLIST that is generated by this blueprint here to show that it is not applying a setting to block mounting drives. Unlike a configuration profile, the blueprint payload does not have a lot of options to select. All we get is “Allowed”, “Disallowed”, and “Read only”. I actually like the simplicity. It’s just not working!

@PaulHazelden We will soon be testing Jamf Protect. Should we not be able to deploy it (because of hidebound policies and old-school IT thinking), I want the blueprint to work. Jamf put it in there. It should work! It’s not like I’m using something that is deprecated.

I am very annoyed that when the geniuses at Jamf added blueprints to Jamf Pro, they didn’t bother to give us the ability to track which computers have them deployed. All we see is the number of computers that have the blueprint and the number that don’t yet have it. In the case of this blueprint, I can create an extension attribute that tracks the presence of the PLIST it creates, but the one for software updates management is more difficult. For software updates management, the PLIST is located at /private/var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist. I noticed that this PLIST does not only contain data from the blueprint. It also contains data added when I have used the Software Updates feature in Jamf Pro to enforce updates. Just having that particular PLIST does not mean the computer got the blueprint.
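An added example, not from the thread and not Jamf's code, for the tracking problem described in the post above. It reads the DiskManagement_Settings.plist path named in the original post and reports both the restriction values and which blueprint the declaration came from: the string in the posted plist's DeclarationKeys has the shape `<extension>/<UUID>:<base64>.<base64>`, and base64-decoding the first field gives a `Blueprint_<id>_...` name, which is exactly what an extension attribute would want to report instead of mere file presence. The split into "name" and "token" is my reading of that one sample, not a documented Apple or Jamf format; the embedded sample plist is a verbatim copy of the one in the post. macOS does not ship Python, so treat this as an audit tool for a collected plist or as a reference for a shell port using PlistBuddy.

```python
"""Decode the DDM disk-management state a Jamf blueprint leaves on a Mac.

Added example (not the thread's or Jamf's code). Reports the ExternalStorage and
NetworkStorage restrictions plus the blueprint name recovered from DeclarationKeys.
"""
import base64
import binascii
import plistlib
import re
from pathlib import Path

# Path named in the original post.
DEFAULT_PATH = Path("/private/var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist")

# Verbatim copy of the plist posted in the thread, used as offline sample input.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DeclarationKeys</key>
<array>
<string>com.apple.RemoteManagement.DiskManagementSettingsExtension/CE08B009-C75E-4F16-B4F0-28597E8A7EBF:Qmx1ZXByaW50XzAwNzU4Njc1LTRlYWQtNGM3Zi04M2JkLTJlZTU5M2MzY2MyNV9zMV9jMV9zeXNfY2ZnMQ==.ZGY5YjQwNjYxMWU5NWZhNGU2MzUxZGE2MDUzMzk3MGZiOTM4MTIwMzZkMjljYTc4ZWEzZjliYTE5ZmJiNmRjMQ==</string>
</array>
<key>Restrictions</key>
<dict>
<key>ExternalStorage</key>
<string>ReadOnly</string>
<key>NetworkStorage</key>
<string>Allowed</string>
</dict>
</dict>
</plist>
"""

# Layout observed in the one posted key: <extension>/<uuid>:<b64 name>.<b64 token>.
# Assumption: this split is my reading of that sample, not a documented format.
_KEY_RE = re.compile(r"^(?P<ext>[^/]+)/(?P<uuid>[0-9A-Fa-f-]{36}):(?P<name>[^.]+)\.(?P<token>.+)$")


def _b64_text(field: str) -> str:
    """Decode a base64 field to ASCII, or flag it rather than raise on a surprise."""
    try:
        return base64.b64decode(field, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return "<undecodable>"


def parse_declaration_key(key: str) -> dict:
    """Split one DeclarationKeys entry; unknown shapes are returned raw, not guessed."""
    m = _KEY_RE.match(key)
    if not m:
        return {"raw": key}
    return {"extension": m["ext"], "uuid": m["uuid"],
            "name": _b64_text(m["name"]), "token": _b64_text(m["token"])}


def disk_management_state(plist_bytes: bytes) -> dict:
    """Restrictions and parsed declaration keys from the plist bytes."""
    data = plistlib.loads(plist_bytes)
    restrictions = data.get("Restrictions", {})
    return {
        "external": restrictions.get("ExternalStorage", "Unset"),
        "network": restrictions.get("NetworkStorage", "Unset"),
        "declarations": [parse_declaration_key(k) for k in data.get("DeclarationKeys", [])],
    }


def format_result(state: dict) -> str:
    """Jamf-style <result> string: blueprint name(s) plus the two restriction values."""
    names = ",".join(d.get("name", d.get("raw", "?")) for d in state["declarations"]) or "none"
    return f"<result>{names} ExternalStorage={state['external']} NetworkStorage={state['network']}</result>"


def extension_attribute_result(path=DEFAULT_PATH) -> str:
    """What an extension attribute would echo: Not Installed if the file is absent."""
    path = Path(path)
    if not path.is_file():
        return "<result>Not Installed</result>"
    return format_result(disk_management_state(path.read_bytes()))


if __name__ == "__main__":
    print(extension_attribute_result())
```

Reporting the decoded blueprint name rather than just "file exists" is what makes the attribute usable as a smart-group criterion; the second base64 field decodes to a 64-character hex string, which looks like a digest of the declaration and is left as-is for correlation rather than interpreted.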


PaulHazelden
  • Jamf Heroes
  • January 22, 2026

 @PaulHazelden We will soon be testing Jamf Protect. Should we not be able to deploy it (because of hidebound policies and old-school IT thinking), I want the blueprint to work. Jamf put it in there. It should work! It’s not like I’m using something that is deprecated. 

I agree, if it is there it should work.
I love Protect, it is easy and simple to set up and deploy, and it gets on with it. And the way it handles the external drives is awesome, You can block all except the list of serial numbers you choose. There are also many other integrations that you can do with it and Jamf for compliance.


howie_isaacks
  • Author
  • Esteemed Contributor
  • January 22, 2026

 @PaulHazelden We will soon be testing Jamf Protect. Should we not be able to deploy it (because of hidebound policies and old-school IT thinking), I want the blueprint to work. Jamf put it in there. It should work! It’s not like I’m using something that is deprecated. 

I agree, if it is there it should work.
I love Protect, it is easy and simple to set up and deploy, and it gets on with it. And the way it handles the external drives is awesome, You can block all except the list of serial numbers you choose. There are also many other integrations that you can do with it and Jamf for compliance.

I am really anxious to check it out. My personal MacBook Pro is managed by Jamf Now and I have Jamf Protect installed on it. This version of Jamf Protect is the most basic. It’s just doing malware protection. That has been my only experience with Jamf Protect. Question about scoping for disk management, can we exclude using groups, or exclude using Entra ID group membership? We currently have a group in Entra ID made up of users who are allowed read and write access. Proofpoint DLP does a lousy job of knowing if Mac users are in the group since they’re not bound to AD (thank goodness!!!). I have been giving the Proofpoint people suggestions on how their crappy software can check a user’s group membership but unfortunately that crapware was created by people who expected Macs to be bound to AD. I guess they don’t visit the Mac Admins slack channel or Jamf Nation to find out what our current best practices are.


PaulHazelden
  • Jamf Heroes
  • January 22, 2026

The Protect setup comes through as a profile, so you then scope it to whatever Macs you can create groups for in Jamf.
This is what one of my Protect setups looks like in Configuration Profiles in Jamf Pro. I can scope it to all the normal places that you can scope a profile.
As I have been testing this and have not got it into full production yet, I created multiple copies of the Plan in Protect and brought those into Jamf; this is one of them. That way I can eliminate my test Macs as I want from the main Jamf Protect setup without compromising them, but I can apply the different settings to the plans and make changes to the test Macs only.



howie_isaacks
  • Author
  • Esteemed Contributor
  • January 22, 2026

The Protect setup comes through as a profile, so you then scope it to whatever Macs you can create groups for in Jamf.
This is what one of my Protect setups looks like in Configuration Profiles in Jamf Pro. I can scope it to all the normal places that you can scope a profile.
As I have been testing this and have not got it into full production yet, I created multiple copies of the Plan in Protect and brought those into Jamf; this is one of them. That way I can eliminate my test Macs as I want from the main Jamf Protect setup without compromising them, but I can apply the different settings to the plans and make changes to the test Macs only.


Very nice! Thank you for sharing! As a Jamf Now customer, I get the stripped down Jamf Protect. I was disappointed about that, but I wanted to learn Jamf Now so having it has been useful. I have used it a few times to protect some friends from their bad browsing habits.


howie_isaacks
  • Author
  • Esteemed Contributor
  • January 22, 2026

@howie_isaacks on your software blueprints, are you able to get the “install system data files and security updates” key to turn on? Asking as I need it for Apple Pay Wallet and can’t seem to get it enabled.

I have not done anything with those settings. I have kept my blueprints isolated to specific tasks. Clearly there are flaws in how blueprints get processed by macOS.


howie_isaacks
  • Author
  • Esteemed Contributor
  • January 23, 2026

Here’s the answer to this. This is absolutely moronic! My goal was to restrict external drives to allow only read access to them. That’s a very common DLP practice. What is not a common DLP practice is to have drives that are read-only and push a managed setting to Macs to allow them. Without the managed setting, a read-only drive will mount read-only. Period. Maybe I’m being a moron. Can someone help me understand why this is a good thing?

https://developer.apple.com/documentation/devicemanagement/diskmanagementsettingsrestrictionsobject
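An added example, not from the thread, for checking what actually happened on the Mac once the blueprint landed, since Disk Utility showed the drives but they never mounted. It cross-references `diskutil list`, which lists external partitions whether or not they mounted, against `mount`, which shows mounted volumes and whether they are read-only, and reports anything that contradicts the declared ExternalStorage value (Allowed, ReadOnly or Disallowed). The sample outputs below are constructed to match macOS formatting and are not captured from anyone's Mac; the parsing is a heuristic, and in particular APFS volumes on external media appear under a separate "(synthesized)" disk rather than the physical one and are not mapped here.

```python
"""Compare the declared ExternalStorage policy with what the Mac actually did.

Added example; not the thread's or Jamf's code. audit() works offline on captured
text; live_audit() runs the real commands on a Mac.
"""
from __future__ import annotations

import re
import subprocess

# Constructed sample of `diskutil list` (macOS layout, not captured from the
# poster's Macs). disk6s1 reproduces the thread's symptom: present, never mounted.
SAMPLE_DISKUTIL = """\
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   2:                 Apple_APFS Container disk3         494.4 GB   disk0s2

/dev/disk4 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *31.0 GB    disk4
   1:                 DOS_FAT_32 ARCHIVE                 31.0 GB    disk4s1

/dev/disk5 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *64.0 GB    disk5
   1:                        EFI EFI                     209.7 MB   disk5s1
   2:       Microsoft Basic Data FIELDKIT                63.8 GB    disk5s2

/dev/disk6 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *16.0 GB    disk6
   1:                 DOS_FAT_32 PHOTOS                  16.0 GB    disk6s1
"""

# Constructed sample of `mount`: ARCHIVE mounted read-only, FIELDKIT read-write,
# PHOTOS absent because it failed to mount.
SAMPLE_MOUNT = """\
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk4s1 on /Volumes/ARCHIVE (msdos, local, nodev, nosuid, read-only, noowners)
/dev/disk5s2 on /Volumes/FIELDKIT (exfat, local, nodev, nosuid, noowners)
"""

_DISK_HDR = re.compile(r"^/dev/(?P<disk>disk\d+) \((?P<kind>[^)]*)\):$")
_PART_ROW = re.compile(r"^\s*\d+:\s+(?P<body>.+?)\s+(?P<size>\*?[\d.]+ [KMGTP]B)\s+(?P<id>disk\d+s\d+)\s*$")
_MOUNT_ROW = re.compile(r"^(?P<dev>\S+) on (?P<mp>.+?) \((?P<opts>[^)]*)\)$")


def external_partitions(diskutil_text: str) -> list[dict]:
    """Partitions on disks diskutil labels 'external, physical', minus EFI and
    whole-disk scheme rows. Heuristic: APFS volumes on external media are listed
    under a '(synthesized)' disk and are not mapped back to the physical one."""
    parts, external = [], False
    for line in diskutil_text.splitlines():
        hdr = _DISK_HDR.match(line)
        if hdr:
            external = "external" in hdr["kind"]
            continue
        row = _PART_ROW.match(line)
        if external and row and not row["body"].startswith("EFI"):
            parts.append({"identifier": row["id"], "label": row["body"]})
    return parts


def parse_mount(mount_text: str) -> dict[str, dict]:
    """Map device path -> {mountpoint, fstype, read_only} from `mount` output."""
    mounts = {}
    for line in mount_text.splitlines():
        m = _MOUNT_ROW.match(line.strip())
        if m:
            opts = [o.strip() for o in m["opts"].split(",")]
            mounts[m["dev"]] = {"mountpoint": m["mp"], "fstype": opts[0],
                                "read_only": "read-only" in opts}
    return mounts


def audit(policy: str, diskutil_text: str, mount_text: str) -> list[str]:
    """Findings where the observed mount state contradicts the declared policy."""
    if policy not in ("Allowed", "ReadOnly", "Disallowed"):
        return [f"unknown ExternalStorage value {policy!r}"]
    mounts = parse_mount(mount_text)
    findings = []
    for part in external_partitions(diskutil_text):
        dev = "/dev/" + part["identifier"]
        mnt = mounts.get(dev)
        where = f"{dev} ({part['label']})"
        if policy == "Disallowed" and mnt:
            findings.append(f"{where} mounted at {mnt['mountpoint']} despite Disallowed")
        elif policy != "Disallowed" and mnt is None:
            findings.append(f"{where} present but not mounted under {policy}")
        elif policy == "ReadOnly" and not mnt["read_only"]:
            findings.append(f"{where} mounted writable at {mnt['mountpoint']} despite ReadOnly")
    return findings


def live_audit(policy: str) -> list[str]:
    """Run on the Mac itself (needs diskutil and mount on PATH)."""
    def run(*cmd: str) -> str:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit(policy, run("diskutil", "list"), run("mount"))


if __name__ == "__main__":
    for finding in audit("ReadOnly", SAMPLE_DISKUTIL, SAMPLE_MOUNT):
        print(finding)
```

On the constructed sample, `audit("ReadOnly", ...)` flags both the writable FIELDKIT volume and the PHOTOS partition that never mounted; the second finding is the one a plain "is it read-only" check misses, because a volume that fails to mount produces no `mount` line at all.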


PaulHazelden
  • Jamf Heroes
  • January 23, 2026

I will run a test with Jamf Protect and see how that goes.


PaulHazelden
  • Jamf Heroes
  • January 23, 2026

Ok, With Read Only set in Jamf Protect, the external drive will mount as read only.


howie_isaacks
  • Author
  • Esteemed Contributor
  • January 23, 2026

Ok, With Read Only set in Jamf Protect, the external drive will mount as read only.

Thanks! You have just given me another reason to push for using Jamf Protect. My goal is to stop using a lot of the agents we are currently using and replace them with Jamf Protect.


PaulHazelden
  • Jamf Heroes
  • January 26, 2026

Ok, With Read Only set in Jamf Protect, the external drive will mount as read only.

Thanks! You have just given me another reason to push for using Jamf Protect. My goal is to stop using a lot of the agents we are currently using and replace them with Jamf Protect.

@howie_isaacks When you set up your Jamf Protect: I set up several “Plans”. They are all pretty much the same thing, but it allows you to change settings in one Plan, have that assigned to testing devices, and only mess with them. It will leave your main set of live devices safe until you want them to change. Then in Protect you simply download the plan config and upload that to your Jamf. Changing how a drive is restricted only takes a few seconds: do the change in Protect, save the change, and the Mac picks up the change straight away.