Skip to main content
Question

Bluetooth Device Management - Restrict/Allow

  • February 23, 2022
  • 3 replies
  • 139 views
MakeItSo
Forum|alt.badge.img+2

Hi All!

Prior to my current role, Bluetooth restrictions seemed to be all or nothing. Either users were free to connect to various Keyboards, Mice and Headsets or not at all.

Now I have a mandate to allow specific, vendor approved Keyboards, Mice and Headsets...but nothing else via Bluetooth.

What is your preferred method of managing BlueTooth devices in macOS/Jamf?  BlueTooth must be enabled but not discoverable and auto-pairing/file transfer type functionality needs to be disabled. 3rd Party Product? Config Profile? Script? Some combination of the 3?

    3 replies

    YanW
    Forum|alt.badge.img+11
    • YanW
    • Contributor
    • February 23, 2022

    I'm currently working on this. I can't figure out how to just allow specific vendor/device to connect. The only way I found so far is to disable bluetooth with <key>DisableBluetooth</key> <true/> in com.apple.MCXBluetooth then, turn on when the user need to pair a new device but that's no ideal in our environment. 

    I'm using this to turn off Bluetooth Sharing. It doesn't disable it though.

     

     

    #!/bin/sh currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }') btSharing=$(sudo -u "$currentUser" defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled -bool false) if [ $btSharing = "1" ]; then sudo -u "$currentUser" defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false fi exit 0

     

     

    Turn off bluetooth if is on. 

     

     

    #!/bin/sh ## 1 is ON, 0 is OFF btStatus=`defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState` if [ "$btStatus" = "1" ]; then sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && \\sudo pkill bluetoothd fi exit 0

     

     

     

     

    P
    YanW
    Forum|alt.badge.img+11
    • YanW
    • Contributor
    • February 24, 2022

    I'm currently working on this. I can't figure out how to just allow specific vendor/device to connect. The only way I found so far is to disable bluetooth with <key>DisableBluetooth</key> <true/> in com.apple.MCXBluetooth then, turn on when the user need to pair a new device but that's no ideal in our environment. 

    I'm using this to turn off Bluetooth Sharing. It doesn't disable it though.

     

     

    #!/bin/sh currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }') btSharing=$(sudo -u "$currentUser" defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled -bool false) if [ $btSharing = "1" ]; then sudo -u "$currentUser" defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false fi exit 0

     

     

    Turn off bluetooth if is on. 

     

     

    #!/bin/sh ## 1 is ON, 0 is OFF btStatus=`defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState` if [ "$btStatus" = "1" ]; then sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && \\sudo pkill bluetoothd fi exit 0

     

     

     

     


    Correction: com.apple.MCXBluetooth plist will completely disable it. The Configuration Profile Bluetooth Restriction will keep the paired devices but can't pair any new ones. 

    P
    Forum|alt.badge.img+3
    • pcurtner
    • New Contributor
    • October 26, 2023

    Since this topic just came up in my org, it's worth noting that Jamf Pro 10.50+ and macOS Sonoma will now have payloads to disable Bluetooth Sharing.

    Slight build on @YanW 's EA above:

    #!/bin/bash # return current status of Bluetooth Sharing # Bluetooth Sharing must have been previously enabled for this to return any numeric value regardless of current status # otherwise, a non-zero value will be returned: # # The domain/default pair of (com.apple.Bluetooth, PrefKeyServicesEnabled) does not exist currentUser=$(stat -f%Su /dev/console) state=$(sudo -u "$currentUser" defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled) if [ "$state" = "1" ]; then status="Enabled" elif [ "$state" = "0" ]; then status="Disabled" elif [ -z "$state" ]; then status="Never Enabled" fi echo "<result>$status</result>" exit 0

    Tested on 12.7 - 14.1.

    Terms & ConditionsCookie settingsAccessibility statement