USB Block Exemption

If the only function of the blueprint is to Block the use of USB drives, you could exclude the managed client from the group that the blueprint is scoped to. However, if that same group is used elsewhere, the client would then be excluded from the policies, config profiles, apps, etc. that it’s scoped to.

If the Blueprint has multiple setting enabled, then you could create a second blueprint that only disables the use of USB drives and only includes the clients that it should be disabled on in the scope. 

Thanks, Kimberly. Is there a simple way to clone the existing Blueprint? I can’t find any option. That way I could simply enable USB there and only apply to the single client in question.

I recommend making a blueprint specific for this. Include a smart group that you can add exclusions to. That’s how I plan to do it. you can also use jamf protect or something like crowdstrike.

Agreed with the above. One of the things we’ve found as we’ve begun implementing Blueprints, is that you really need to think about the deployment and use cases for areas where you might have exemptions. They can be layered and scoped dynamically to help with this. Just know if you have competing/conflicting in advance the MOST restrictive part of a Blueprint/Configuration profile will usually be the active one. 

With that said, jump on some of the Jamf training resources! The 100 and 170 are free to take and cheap to test on before moving on to bigger trainings!