Disable SMB mounting from the client side

ShaunRMiller83
Contributor III

I was wondering if anyone knew of a good way to disable the ability to mount an SMB network volume from the client side.

The situation:
I have large groups of users running 10.7.5 who should be mounting to our servers (Windows 2008 R2 with Extreme-Z IP) via AFP, but still are mounting via SMB. This is causing weird one off type problems, which in a "broad sword" move I know I can just disable SMB from the server side, but we also have Windows users connecting to these shares, which eliminates this as an option. I have sent out how-to documents to these users on how to mount via AFP, which has largely been ignored.

Any insight or feedback would be greatly appreciated.

Shaun


mm2270
Legendary Contributor III

Well, I'd imagine there are probably a number of ways to attack this problem.

First, I'd try to actually get the end users to listen and follow the instructions you've sent out to them. Whether by getting management involved or some other way, try to solve this first by human policy and not IT policy. That's always going to be best.

However, I realize this isn't always possible. Some environments don't give a damn and think it's up to us (admins) to figure everything out without getting their hands dirty on enforcing any people level policies.

If that is your case, while you might be able to disable SMB mounting, I actually don't know how to do that, and I'd imagine it may cause other unwanted issues for you.

You may be better off designing a user level LaunchAgent (lives in /Library/LaunchAgents/) that can use the 'StartOnMount' key to trigger a locally stored script as soon as a filesystem is mounted. The script could do something like checking for any smb mounted shares and matching their names against a known list of shares, and if any are found, throw up a message with whatever messaging tool you want (AppleScript, jamf binary, jamfHelper, cocoaDialog, etc) explaining to the user that they mounted it wrong, maybe even providing a URL to a location on the documentation you referred to on the proper method, and then unmounting the share in the background immediately after. That way they will never be able to actually use it. Any mount attempt would chastise them and unmount the share right away.

There are probably better or faster ways, but here's one way to list any SMB mounts-

system_profiler SPNetworkVolumeDataType | grep -B 2 "smbfs" | sed -e '/Type:/d;/^$/d;/--/d'

For more info on some of the keys for LaunchAgents and Daemons, take a look here:
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man5/launchd.plist.5...

To create LaunchAgents really easily, take a look at Lingon. There is a paid App Store version and an older free version still out there that should work just fine on 10.7. I think the free version still works fine on 10.8 as a matter of fact.
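The StartOnMount LaunchAgent and the mount-checking script described above, as an added example that is not code from the thread: it parses `mount` output for smbfs mounts, keeps the ones whose share name is on a known list, warns the user and unmounts them. The share list, the documentation URL, the script path and the com.example label are assumptions, and the `mount` output is a constructed sample so the parsing can be run offline.

```shell
#!/bin/bash
# Added example: StartOnMount LaunchAgent plus the script it triggers. Assumed names throughout.

# Shares that must be reached over AFP rather than SMB (assumed list).
KNOWN_SHARES="Projects Archive"
DOCS_URL="https://intranet.example.com/afp-howto"   # placeholder

# Constructed sample of `mount` output, embedded so the parsing runs offline.
SAMPLE_MOUNT_OUTPUT='/dev/disk0s2 on / (hfs, local, journaled)
//shaun@fileserver.example.com/Projects on /Volumes/Projects (smbfs, nodev, nosuid, mounted by shaun)
afp_0001 on /Volumes/Archive (afpfs, nodev, nosuid, mounted by shaun)
//shaun@fileserver.example.com/Scratch on /Volumes/Scratch (smbfs, nodev, nosuid, mounted by shaun)'

# smb_mounts: read `mount` output on stdin; print "share<TAB>mountpoint" for each smbfs mount.
smb_mounts() {
  awk '/ \(smbfs[,)]/ {
    n = split($1, p, "/"); share = p[n]
    sub(/^.* on /, ""); sub(/ \(smbfs.*$/, "")   # keep only the mount point, spaces intact
    print share "\t" $0
  }'
}

# offending_mounts: keep only smbfs mounts whose share name is on KNOWN_SHARES.
offending_mounts() {
  tab=$(printf '\t')
  smb_mounts | while IFS="$tab" read -r share mp; do
    case " $KNOWN_SHARES " in *" $share "*) printf '%s\n' "$mp" ;; esac
  done
}

# enforce_afp_policy: what the LaunchAgent runs; tells the user why, then unmounts.
enforce_afp_policy() {
  mount | offending_mounts | while read -r mp; do
    osascript -e "display dialog \"$mp was mounted over SMB. Please use AFP, see $DOCS_URL\" buttons {\"OK\"}"
    diskutil unmount force "$mp" || umount -f "$mp"
  done
}

# launchagent_plist: the /Library/LaunchAgents entry that fires the script on every mount.
launchagent_plist() {
  cat <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.smbcheck</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/smbcheck.sh</string></array>
  <key>StartOnMount</key><true/>
</dict></plist>
EOF
}
```

In the sample, only Projects is unmounted: Archive is already AFP and Scratch is SMB but not on the list, so the agent leaves shares it has not been told about alone.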

RobertPetrie
New Contributor II

Here's the script I ended up with.

The $SMBShareList part generates a list of all SMB shares mounted on the Mac if they have more than one and creates the $SMBShareList variable.

The until loop checks for SMB shares and unmounts them 1 by 1 from the end of the list until the list of mounted shares is empty and the $SMBShare variable has no value.

```
#!/bin/bash

DATE=$(date)

# Every mounted SMB share: the line after each "smbfs" entry holds the mount point
SMBShareList=$(system_profiler SPNetworkVolumeDataType | grep -A 1 "smbfs" | awk '{print $3}' | sed '/^$/d')
echo "$DATE SMB Shares currently mounted: $SMBShareList" >> /var/log/jamf.log

# Last SMB mount point in the list
SMBShare=$(system_profiler SPNetworkVolumeDataType | grep -A 1 "smbfs" | awk 'END{print}' | awk '{print $3}')

# Unmount from the end of the list until no SMB share is left
until [ -z "$SMBShare" ]; do
    echo "$DATE SMB Share found: $SMBShare" >> /var/log/jamf.log
    umount -f "$SMBShare"
    echo "$DATE SMB Share unmounted: $SMBShare" >> /var/log/jamf.log
    SMBShare=$(system_profiler SPNetworkVolumeDataType | grep -A 1 "smbfs" | awk 'END{print}' | awk '{print $3}')
done

exit 0
```

sdagley
Esteemed Contributor II

@RobertPetrie When posting code please use the >_ icon in the toolbar above the text entry field to format it correctly (or just add a line of 3 backticks ``` before and after the code block)