Posted on 10-29-2021 12:56 PM
Now that Apple deprecated the Disable of External Disks feature in their MDM framework with the release of Big Sur, so that it no longer functions as it did in previous versions of macOS, has anyone been able to disable USB or USB Mass Storage Devices? I tried writing a script that unloaded the IOUSBMassStorageDriver.kext but that did not work. My company cannot have any flash drives connected to their Macs but I cannot seem to get it to work. Any suggestions? We have about 50 2015 Macs and the rest are 2019 USB-C Macs.
Posted on 11-01-2021 10:20 AM
There are third party products that can do it, such as CrowdStrike. I am not familiar with a method to do it now without a DLP or endpoint security product though.
Posted on 11-02-2021 06:18 AM
Yeah, you'll pretty much need to use a DLP product to get this now. We're using McAfee where I am (much to my chagrin). It does the job of blocking USB and other connected drives, but McAfee as a whole is not a great product on the Mac. Plus, it lacks some important true DLP features like web upload protection. So I'd advise looking at some other product for DLP if you need to go that route.
Posted on 01-24-2023 04:04 PM
I went down a rabbit hole, but I think I found a way to leverage JAMF config profiles. I got my idea from this article.
Ventura - Allow accessories to connect (USB Type-C... - Jamf Nation Community - 276823
I followed the JAMF PRO feature request in the article above and that led me to a place where I could look up options to configure restrictions on a device.
Restrictions | Apple Developer Documentation
I found one for allowFilesUSBDriveAccess. true/false.
Leveraging true/false in the command below will allow you to create a config profile in the upload section of Application & Custom Settings.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allowFilesUSBDriveAccess</key>
    <false />
</dict>
</plist>
I tested on two different Macs that had Ventura 13.2 and this worked for me. To undo this action, I created the same config profile with true. Once I logged out and in again, I could use USB drives. I know enough to be dangerous, so if anyone wants to try this, please test on a test Mac first. Based on some findings, this may only work for Ventura 13.1 and greater. I haven't tested this on any other builds.
Posted on 02-09-2023 09:14 AM
I like this. I keep getting requests from our customers to do this. Jamf Pro has the notification next to the settings that this has been deprecated. So has the function that Jamf is using been deprecated then? According to the developer documentation it's not actually deprecated.
02-14-2023 01:27 PM - edited 02-14-2023 01:39 PM
Quick question, did you test this on Intel or ARM? I can't seem to get it to work. Also, are you using "com.apple.applicationaccess" for your preference domain?
Posted on 02-15-2023 09:10 AM
Yes, to both.
The 2 Macs originally tested were Intel and M1, and the preference domain is com.apple.applicationaccess.
It may be that this only works for certain versions of Ventura? Are you on the latest version? I haven't retested on OS13.2.1, but I can't imagine that would be making a difference.
Posted on 02-15-2023 10:16 AM
I tested on 13.2.0. I'm gonna give it another shot today. Thanks.
Posted on 02-15-2023 11:08 AM
The link to the Apple documentation lists this as being for iOS, not for macOS. That doesn't mean it can't work on macOS, but it's possible that if it works, it's not really an intended outcome.
allowFilesUSBDriveAccess boolean If false, prevents connecting to any connected USB devices in the Files app. Requires a supervised device. Available in iOS 13.1 and later. Default: true
Posted on 02-15-2023 12:23 PM
I see multiple devices here. macOS 10.7+ is one of them, with iPad, Apple TV and iOS.
Restrictions | Apple Developer Documentation
Posted on 02-15-2023 12:42 PM
That's only the top listing, which is going to list all the devices/OSes that are represented on that page, but the specific setting of allowFilesUSBDriveAccess only mentions being available in iOS 13.1 and later. Based on the description of
If false, prevents connecting to any connected USB devices in the Files app.
Files.app is an iOS app, not something on macOS, so I think it is supposed to only be for iOS.
But really, if it works for you to block USB drive connections in macOS, that's great. I just don't think that was its intention, so you might want to verify it still works after each OS update, since it could possibly break after one is installed.
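Added example (not code from any poster in this thread): a Python sketch of the post-update check suggested above, comparing the allowFilesUSBDriveAccess value from the managed com.apple.applicationaccess preferences with the volumes reported by `diskutil list -plist external physical`. The sample plists are constructed, the function names are hypothetical, and the APFSVolumes key is an assumption about the diskutil report layout.

```python
import plistlib

KEY = "allowFilesUSBDriveAccess"  # key from the profile posted in this thread

def _plist(body):
    # Wrap a body in a plist envelope; used only to build the samples below.
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">'
            + body + "</plist>").encode()

# Constructed samples, not captured from a real Mac.
PREFS_BLOCKED = _plist("<dict><key>allowFilesUSBDriveAccess</key><false/></dict>")
PREFS_EMPTY = _plist("<dict/>")
DISKS_NONE = _plist("<dict><key>AllDisksAndPartitions</key><array/></dict>")
DISKS_USB = _plist(
    "<dict><key>AllDisksAndPartitions</key><array><dict>"
    "<key>DeviceIdentifier</key><string>disk4</string>"
    "<key>Partitions</key><array><dict>"
    "<key>DeviceIdentifier</key><string>disk4s1</string>"
    "<key>MountPoint</key><string>/Volumes/UNTITLED</string>"
    "</dict></array></dict></array></dict>")

def restriction_state(prefs_bytes):
    """Return 'blocked', 'allowed' or 'absent' for the managed key."""
    value = plistlib.loads(prefs_bytes).get(KEY)
    if value is False:
        return "blocked"
    return "allowed" if value is True else "absent"

def mounted_external(diskutil_bytes):
    """Mount points of external volumes in a diskutil plist report."""
    mounts = []
    for disk in plistlib.loads(diskutil_bytes).get("AllDisksAndPartitions", []):
        # A mount point can sit on the whole disk, a partition or an APFS volume.
        entries = [disk] + disk.get("Partitions", []) + disk.get("APFSVolumes", [])
        mounts += [e["MountPoint"] for e in entries if e.get("MountPoint")]
    return mounts

def audit(prefs_bytes, diskutil_bytes):
    """Compare what the profile says with what the Mac actually mounted."""
    state = restriction_state(prefs_bytes)
    mounts = mounted_external(diskutil_bytes)
    if state != "blocked":
        return ("profile-missing", mounts)
    # Key is false yet a volume mounted: the restriction is not being honored.
    return ("not-enforced", mounts) if mounts else ("ok", mounts)

if __name__ == "__main__":
    print(audit(PREFS_BLOCKED, DISKS_USB))
```

On a test Mac, the inputs would be the bytes of /Library/Managed Preferences/com.apple.applicationaccess.plist (assumed location of the managed domain) and the diskutil output captured with a known-good USB drive plugged in; a "not-enforced" result after an OS update means the profile no longer blocks mounting.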
Posted on 02-15-2023 02:05 PM
I see what you meant. Thanks for the clarification and keeping me honest. I guess it is a little bit of a gamble to block in this way. I can confirm it has been working for me, but I will take your advisement and test with each update going forward. I have to check so many things already, so what's one more. :)
Posted on 04-28-2023 03:42 AM
If you do need a deep level of control over USB / peripheral ports - don't forget https://marketplace.jamf.com/details/endpoint-protector-by-cososys
Built for macOS so gives you the greatest control possible over peripheral ports, rather than just brute-force blocking. For example, allow iPhone to charge but don't allow data transfer; block Bluetooth (except for mouse / keyboard); only allow IT mandated removable media, and only to certain user groups, etc.
Full transparency - I work for Endpoint Protector.