Head of security has asked me to investigate whether it's possible to restrict the use of USB keys and FireWire drives on company Macs. Anyone got any ideas or had any exposure in this area? Of course we can't fully disable them because of keyboards & mice (saw a script for this). I'm assuming some sort of 3rd party product in the end might be the best solution.
Workgroup Manager has an option to do this - basically a blanket disable of all external access. I remember it being along the lines of external volumes, servers and optical discs - you could set the options to read only/no access from what I remember.
A little more extreme, you could remove the .kext file for USB/Firewire.
There's a template in the JSS for Managed Preferences that can do this. In the com.apple.systemuiserver you'll find it. You can modify it slightly as well to lock out standard users completely by requiring an administrator username and password to mount storage devices:
<dict>
    <key>blankcd</key>
    <array/>
    <key>blankdvd</key>
    <array/>
    <key>cd</key>
    <array/>
    <key>disk-image</key>
    <array/>
    <key>dvd</key>
    <array/>
    <key>harddisk-external</key>
    <array>
        <string>authenticate</string>
        <string>eject</string>
    </array>
    <key>harddisk-internal</key>
    <array/>
</dict>
That "authenticate" string is what does the prompting.
Wow. Fidelity representing on this answer hardcore. w00t
Don't forget about Configuration Profiles for 10.7 and beyond. The restrictions payload has a Media section that allows you to restrict the behavior of external media types.
Hey Mark,
Are you looking to disable USB and FW hard drives and thumb drives only, or the whole port itself? I can think of several ideas that may work, but I'd like to hear in more detail exactly what you are trying to accomplish.
Thanks,
Tom
Is there a way to retrieve the recovery key on JSS server when external drive (ie USB flash drive) is encrypted using filevault 2? Please advise. Thank you.
Mac OS X version: 10.9 Mavericks
We utilize Endpoint Protector by CoSoSys... we need to lock down all removable media to read only but needed to whitelist certain pre-encrypted USB drives... EPP was the best solution at the time and still does everything we need...
I am trying to use the configuration policy, yet it doesn't seem to be working.
I'd like to not allow anyone to use any external hard drives or USB drives without permission from IT, but I'm just starting out seeing if I can lock them out. Each user on my managed machines is an administrator, and remote from my network.
I just wanted to test and so set my policy like the attached image, which shows up in my profile just fine.
Yet, I can plug in both a USB external drive and a thumb drive, access data, and copy to them just fine... what am I missing?
I need to do this myself. I have a new customer who needs to make sure that their users cannot copy files onto thumb drives. I'm trying to use a configuration profile. I deselect "allow" for external disks, but it has zero effect. Very infuriating. I see the profile appear, but it's as if it's not even installed.
Anyone have better luck with this? I'm also trying to get this working, with mixed results. Of my 3 test users (myself and two others), 2 say they can read but not write, and the other says theirs is completely disabled. My machine is on Sierra 10.12.3 and the others have either the same or 10.12.4 beta 2.
It does seem to be related somewhat to the format of the disk too; I have a 16GB Lexar that is formatted NTFS and it will read but not write, and a couple that are DOS-formatted (Windows boot keys) which will read and write.
I did note in prior testing (where it WAS working) that I had to reboot the machine before the policy took effect.
In my testing it's broken in Sierra...I have read that there is an open ticket with Apple too.
C.
Hi, it sounds like I'm having a similar issue to the last few folks who've posted. All of the Macs in our estate are running Sierra 10.12.3, and I've set up a Config Profile with external storage media disallowed. Under Restrictions > Media, the only things allowed are Internal Disks and Disk Images (set to Allow); all other media types are unchecked, as we don't want our users being able to connect any sort of storage to the workstations.
When I look at Profiles in System Prefs, I can see the profile has been applied; however, if I plug any USB device in (I've tried a Kingston DataTraveler USB, an Integral encrypted USB, and a WD My Passport USB drive) they get picked up and appear in the Finder.
The only other solutions I've managed to come across so far are ones which involve moving/renaming/deleting the kext files under /System/Library/Extensions, but it looks like SIP will prevent this nowadays.
Has anyone come across a working solution for this?
Thanks
@KSchroeder macOS only has native support for reading NTFS; that's normal behaviour, not a result of any restrictions.
Opened an Apple incident (after a Jamf ticket, who pointed the finger at Apple). Jamf gave me RADAR #28496563. Apple states this is fixed in 10.12.4 beta, per my ticket to them. Need to verify this...
Hello all, with the incident we found that the 10.12.3 version of the OS does not support the Configuration Profiles for the USB case; @KSchroeder, that may be the cause of your problem. In another case you can easily bypass this issue for the mobile use case: you plug in and sync your device and transfer your media with an app. Can we prevent this situation from happening? Any ideas?
Thanks,
Is there an update to the issue of configuration profiles not restricting external media? Has anyone found a solution, @KSchroeder?
-Gerard
The profile worked in one of my Sierra tests, forgot what version ... and it's working in High Sierra too, I just tested that yesterday ... : ) beta 7
C
I tried blocking the USB as read-only, but the first time it works and it's blocked, and afterwards it does not seem to be working; they are still able to access the USB.
Nice, but do we have any extension attribute to know the USB read-only status?
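An extension attribute of the kind asked about above, added here as an example rather than code from the thread or from Jamf. It assumes the Restrictions > Media payload ends up in /Library/Managed Preferences/com.apple.systemuiserver.plist under a mount-controls dict (the same keys as the template posted earlier, one XML element per line) and reports how harddisk-external is managed; the sample plist inside is constructed for the demo.

```shell
#!/bin/bash
# Added example, not code from the thread. Reports how a Restrictions > Media
# profile manages one media type, in the <result> form a Jamf extension
# attribute expects. Assumes the payload lands in the managed preferences
# domain com.apple.systemuiserver (mount-controls), one XML element per line.

PLIST="/Library/Managed Preferences/com.apple.systemuiserver.plist"

# media_policy <xml-plist> <media-key>
# Prints the comma-joined actions set for the key (e.g. "authenticate,eject"
# or "read-only"), "allow" when the key is present with an empty array, or
# "unmanaged" when the file or key is missing. Binary plists must first be
# converted with: plutil -convert xml1 -o /tmp/sui.plist "$PLIST"
media_policy() {
  [ -r "$1" ] || { echo unmanaged; return 0; }
  awk -v want="$2" '
    /<key>/ { k = $0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k); cur = k; next }
    cur == want && /<array\/>/ { found = 1; exit }
    cur == want && /<string>/ {
      v = $0; sub(/.*<string>/, "", v); sub(/<\/string>.*/, "", v)
      out = out (out == "" ? "" : ",") v; found = 1; next
    }
    cur == want && /<\/array>/ { exit }
    END { print (found == 0 ? "unmanaged" : (out == "" ? "allow" : out)) }
  ' "$1"
}

# Constructed sample of what the profile writes; used only for the demo/test.
write_sample() {
  cat > "$1" <<'EOF'
<plist version="1.0">
<dict>
  <key>mount-controls</key>
  <dict>
    <key>harddisk-external</key>
    <array>
      <string>read-only</string>
    </array>
    <key>harddisk-internal</key>
    <array/>
  </dict>
</dict>
</plist>
EOF
}

# Jamf extension attribute output for the machine the script runs on.
echo "<result>$(media_policy "$PLIST" harddisk-external)</result>"
```

Comparing this value against the profile's intended setting in a smart group is a quick way to spot the machines where, as several posters report, the restriction silently did not take effect.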
We use Jamf Protect and they do offer USB protection. You can allow certain drives or manufacturers. We haven't implemented it yet but are testing it.
The best luck we had was with the following link (if you have MS Defender in your environment):
Restricts external HDD access
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-device-control-jamf?view=o365-worldwide