I'm looking for a solution (script, plist modification, configuration profile, anything) that will allow a user to open Disk Utility to format external drives but not be allowed to modify the internal boot drive. Is there a way to do this that I'm missing?
What about the EFI being set? This does not allow the user to boot to an external drive, Target Disk Mode or Boot Camp without knowing the EFI password. But it allows me to load an external pen drive or other disk and format it.
You can do this in the JSS; Policies > Options > EFI>
No, we don't care (ironically?) about what gets done with external data storage - this policy only mandates that internal storage must be encrypted. The concern is that we will encrypt a drive and it will report as encrypted, but a user will then add a partition. That would make the machine report back as only boot drives encrypted, which would leave us open to legal liability should the machine get stolen or lost.