Bluetooth Device Management - Restrict/Allow

Hi All!

Prior to my current role, Bluetooth restrictions seemed to be all or nothing. Either users were free to connect to various Keyboards, Mice and Headsets or not at all.

Now I have a mandate to allow specific, vendor approved Keyboards, Mice and Headsets...but nothing else via Bluetooth.

What is your preferred method of managing BlueTooth devices in macOS/Jamf? BlueTooth must be enabled but not discoverable and auto-pairing/file transfer type functionality needs to be disabled. 3rd Party Product? Config Profile? Script? Some combination of the 3?

Page 1 / 1

I'm currently working on this. I can't figure out how to just allow specific vendor/device to connect. The only way I found so far is to disable bluetooth with <key>DisableBluetooth</key> <true/> in com.apple.MCXBluetooth then, turn on when the user need to pair a new device but that's no ideal in our environment.

I'm using this to turn off Bluetooth Sharing. It doesn't disable it though.

#!/bin/sh

currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

btSharing=$(sudo -u "$currentUser" defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled -bool false)

if [ $btSharing = "1" ]; then

sudo -u "$currentUser" defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false

fi

exit 0

Turn off bluetooth if is on.

#!/bin/sh

## 1 is ON, 0 is OFF
btStatus=`defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState`

if [ "$btStatus" = "1" ]; then

	sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && \\sudo pkill bluetoothd

fi
exit 0

I'm currently working on this. I can't figure out how to just allow specific vendor/device to connect. The only way I found so far is to disable bluetooth with <key>DisableBluetooth</key> <true/> in com.apple.MCXBluetooth then, turn on when the user need to pair a new device but that's no ideal in our environment.

I'm using this to turn off Bluetooth Sharing. It doesn't disable it though.

#!/bin/sh

currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

btSharing=$(sudo -u "$currentUser" defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled -bool false)

if [ $btSharing = "1" ]; then

sudo -u "$currentUser" defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false

fi

exit 0

Turn off bluetooth if is on.

#!/bin/sh

## 1 is ON, 0 is OFF
btStatus=`defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState`

if [ "$btStatus" = "1" ]; then

	sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && \\sudo pkill bluetoothd

fi
exit 0

Correction: com.apple.MCXBluetooth plist will completely disable it. The Configuration Profile Bluetooth Restriction will keep the paired devices but can't pair any new ones.

Since this topic just came up in my org, it's worth noting that Jamf Pro 10.50+ and macOS Sonoma will now have payloads to disable Bluetooth Sharing.

Slight build on @YanW 's EA above:

#!/bin/bash

# return current status of Bluetooth Sharing

# Bluetooth Sharing must have been previously enabled for this to return any numeric value regardless of current status
# otherwise, a non-zero value will be returned:
#
#   The domain/default pair of (com.apple.Bluetooth, PrefKeyServicesEnabled) does not exist


currentUser=$(stat -f%Su /dev/console)

state=$(sudo -u "$currentUser" defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled)

if [ "$state" = "1" ]; then
        status="Enabled"

elif [ "$state" = "0" ]; then
        status="Disabled"

elif [ -z "$state" ]; then
        status="Never Enabled"
fi

echo "<result>$status</result>"

exit 0

Tested on 12.7 - 14.1.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded