Now that Apple deprecated the Disable External Disks feature in their MDM framework with the release of Big Sur, this no longer functions as it did in previous versions of macOS. Has anyone been able to disable USB or USB Mass Storage Devices? I tried writing a script that unloaded the IOUSBMassStorageDriver.kext, but that did not work. My company cannot have any flash drives connected to their Macs, but I cannot seem to get it to work. Any suggestions? We have about 50 2015 Macs and the rest are 2019 USB-C Macs.
Yeah, you'll pretty much need to use a DLP product to get this now. We're using McAfee where I am (much to my chagrin). It does the job of blocking USB and other connected drives, but McAfee as a whole is not a great product on the Mac. Plus, it lacks some important true DLP features like web upload protection. So I'd advise looking at some other product for DLP if you need to go that route.
I went down a rabbit hole, but I think I found a way to leverage JAMF config profiles. I got my idea from this article.
I followed the JAMF PRO feature request in the article above and that led me to a place where I could look up options to configure restrictions on a device.
I found one for allowFilesUSBDriveAccess (true/false).
Leveraging true/false in the command below will allow you to create a config profile in the upload section of Application & Custom Settings.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allowFilesUSBDriveAccess</key>
    <false />
</dict>
</plist>
I tested on two different Macs that had Ventura 13.2 and this worked for me. To undo this action, I created the same config profile with true. Once I logged out and in again, I could use USB drives. I know enough to be dangerous, so if anyone wants to try this, please test on a test Mac first. Based on some findings, this may only work for Ventura 13.1 and greater. I haven't tested this on any other builds.
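Since the post above says to test on a spare Mac first and to re-verify after each OS update, a small check script is useful. The following is an added example, not code from the thread or from Jamf: it reads the managed-preference plist for the com.apple.applicationaccess domain named in the thread, reports whether allowFilesUSBDriveAccess is false (blocked), true (allowed) or absent (unset), and prints the answer in the <result> wrapper used by Jamf extension attributes. The path /Library/Managed Preferences/com.apple.applicationaccess.plist and the plutil conversion step are assumptions of this example; the script itself parses XML plist text, so it also runs against the constructed sample it writes for itself.

```shell
#!/bin/sh
# Added example: report the state of the allowFilesUSBDriveAccess restriction
# from an XML plist. On a managed Mac the file is assumed to be
# /Library/Managed Preferences/com.apple.applicationaccess.plist (often
# stored as binary plist), converted first with:
#   plutil -convert xml1 -o /tmp/applicationaccess.xml "$file"
# Both the path and the conversion step are assumptions of this example.

usb_drive_policy() {
    plist="$1"
    [ -r "$plist" ] || { echo "unreadable"; return 2; }
    # Flatten the file onto one line, then capture the element that follows
    # the key: <false /> -> "false", <true/> -> "true". Anything else -> unset.
    value=$({ tr -d '\n\r\t' < "$plist"; echo; } \
        | sed -n 's/.*<key>allowFilesUSBDriveAccess<\/key>[[:space:]]*<\([a-z]*\)[[:space:]]*\/>.*/\1/p')
    case "$value" in
        false) echo "blocked" ;;
        true)  echo "allowed" ;;
        *)     echo "unset" ;;
    esac
}

make_sample_plist() {
    # Constructed sample for offline use, mirroring the payload from the post;
    # $1 is "true" or "false". Prints the temp file path.
    tmp=$(mktemp)
    cat > "$tmp" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allowFilesUSBDriveAccess</key>
    <$1 />
</dict>
</plist>
EOF
    echo "$tmp"
}

# Stand-alone run: evaluate the constructed "false" payload and print it in the
# <result>...</result> form a Jamf extension attribute script returns.
sample=$(make_sample_plist false)
echo "<result>$(usb_drive_policy "$sample")</result>"
rm -f "$sample"
```

Pointing usb_drive_policy at the converted managed-preferences file gives you a one-line answer to record as an extension attribute and to re-run after every macOS update, which is the check the thread recommends.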
I like this. I keep getting requests from our customers to do this. Jamf Pro has the notification next to the settings that this has been deprecated. So has the function that Jamf is using been deprecated then? According to the developer documentation it's not actually deprecated.
Yes, to both.
The 2 Macs originally tested were Intel and M1, and the preference domain is com.apple.applicationaccess.
It may be that this only works for certain versions of Ventura? Are you on the latest version? I haven't retested on OS 13.2.1, but I can't imagine that would be making a difference.
The link to the Apple documentation lists this as being for iOS, not for macOS. That doesn't mean it can't work on macOS, but it's possible that if it works, it's not really an intended outcome.
allowFilesUSBDriveAccess boolean If false, prevents connecting to any connected USB devices in the Files app. Requires a supervised device. Available in iOS 13.1 and later. Default: true
That's only the top listing, which is going to list all the devices/OSes that are represented on that page, but the specific setting of allowFilesUSBDriveAccess only mentions being available in iOS 13.1 and later. Based on the description of
If false, prevents connecting to any connected USB devices in the Files app.
Files.app is an iOS app, not something on macOS, so I think it is supposed to be only for iOS.
But really, if it works for you to block USB drive connections in macOS, that's great. I just don't think that was its intention, so you might want to verify it still works after each OS update, since it could possibly break after one is installed.
I see what you meant. Thanks for the clarification and keeping me honest. I guess it is a little bit of a gamble to block in this way. I can confirm it has been working for me, but I will take your advisement and test with each update going forward. I have to check so many things already, so what's one more. :)
If you do need a deep level of control over USB / peripheral ports - don't forget https://marketplace.jamf.com/details/endpoint-protector-by-cososys
Built for macOS so gives you the greatest control possible over peripheral ports, rather than just brute-force blocking. For example, allow iPhone to charge but don't allow data transfer; block Bluetooth (except for mouse / keyboard); only allow IT mandated removable media, and only to certain user groups.....etc, etc.
Full transparency - I work for Endpoint Protector.