Block USB for specific AD users


Hey folks. I've looked through numerous threads on this but at this point my head is in a pickle, so I was wondering if anybody could point me in the right direction.

Long story short, we have a new requirement to block USB storage on all of our Macs, but only for specific members of staff. I'm a bit perplexed as to the best way to do this.

We currently bind all our Macs to AD and authenticate that way. My initial temptation is to go down the route of creating a configuration profile to block USB storage by using the "Restrictions" payload and unticking external drive access, or setting it to authenticate or read-only as a workaround. I could then scope this to our entire fleet of Macs, but add a scope limitation to a specific LDAP user group.

Is that the best way to go about it or is there a better solution in this instance? How do folks manage similar restrictions?

As ever, cheers for the help.


Honored Contributor II

@MBrownUoG A Configuration Profile with a Scope Limitation of LDAP User Groups would be the approach I'd take. In terms of crafting the Restrictions payload, you'll have better luck using ProfileCreator to create the Profile, export it as a signed .mobileconfig, and then upload it to your Jamf Pro instance. Signed so Jamf Pro doesn't try to modify the payload, and not created in Jamf Pro because the interface to create that payload will bring in every restriction, not just Media ones.


Excellent, I'll give that a try, cheers!

New Contributor

Did you have any success with this method of USB Blocking?