Disable USB ports

Zeek
Contributor

What is wrong with this script? I am trying to add multiple .kext files. The original script just has this line:

if [ -d "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/" ]; then
/bin/mv "$targetVolume/System/Library/Extensions/IOUSBMassStorageClass.kext"

But I want to also add these ones:
if [ -d "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/" ]; then
/bin/mv "$targetVolume/System/Library/Extensions/IOUSBMassStorageClass.kext",
/bin/mv "$targetVolume/System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext",
/bin/mv "$targetVolume/System/Library/Extensions/IOUSBAttachedSCSI.kext",
/bin/mv "$targetVolume/System/Library/Extensions/IOUSBFamily.kext" "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"

else /bin/mkdir -p "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"
if [ -d "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/" ]; then
/bin/mv "$targetVolume/System/Library/Extensions/IOUSBMassStorageClass.kext"
fi


mpermann
Valued Contributor II

@Zeek if you're trying to do this on a 10.11.x Mac I don't believe it will work because of System Integrity Protection.

cdev
Contributor III

Have you looked at a config profile? There are options to restrict external storage devices to read only, or no access at all.

Zeek
Contributor

If I run this one it will move this single extension to the JAMF folder:

if [ -d "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/" ]; then
/bin/mv "$targetVolume/System/Library/Extensions/IOUSBMassStorageClass.kext"

But I need all of those moved:
1. IOUSBMassStorageClass.kext
2. IOFireWireSerialBusProtocolTransport.kext
3. IOUSBAttachedSCSI.kext
4. IOUSBFamily.kext

If I manually go to System/Library/Extensions and delete those four extensions it will work.

Josh_Smith
Contributor III

I'm not sure this is a great idea, but in terms of getting the script working:

#check if the directory exists, if not then create it
[ -d "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/" ] || /bin/mkdir -p "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"
#check if each file exists, if so then move it to the disabled directory
[ -e "$targetVolume/System/Library/Extensions/IOUSBMassStorageClass.kext" ] && /bin/mv "$targetVolume/System/Library/Extensions/IOUSBMassStorageClass.kext" "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"
[ -e "$targetVolume/System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext" ] && /bin/mv "$targetVolume/System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext" "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"
[ -e "$targetVolume/System/Library/Extensions/IOUSBAttachedSCSI.kext" ] && /bin/mv "$targetVolume/System/Library/Extensions/IOUSBAttachedSCSI.kext" "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"
[ -e "$targetVolume/System/Library/Extensions/IOUSBFamily.kext" ] && /bin/mv "$targetVolume/System/Library/Extensions/IOUSBFamily.kext" "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"

Or clean it up with an array and a for loop:

#check if the directory exists, if not then create it
[ -d "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/" ] || /bin/mkdir -p "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"

#place file names in an array
declare -a KEXTArray=("IOUSBMassStorageClass.kext" "IOFireWireSerialBusProtocolTransport.kext" "IOUSBAttachedSCSI.kext" "IOUSBFamily.kext")

#for each file name in the array check if it exists, if it does then move it.
for KEXT in "${KEXTArray[@]}"; do
    [ -e "$targetVolume/System/Library/Extensions/$KEXT" ] && /bin/mv "$targetVolume/System/Library/Extensions/$KEXT" "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"
done

Note: the >_ symbol in the JAMF nation posting tools is the script block, it makes it easier to read code.

Zeek
Contributor

Self Service pops up saying there was a problem with the script.

Here is the full script:

#!/bin/sh
########################################################################################
#
# Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
#   notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
#   notice, this list of conditions and the following disclaimer in the
#   documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
#   names of its contributors may be used to endorse or promote products
#   derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
########################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
# This program is distributed "as is" by JAMF Software, LLC's Resource Kit team. For more
# information or support for the Resource Kit, please utilize the following resources:
#
# http://list.jamfsoftware.com/mailman/listinfo/resourcekit
#
# http://www.jamfsoftware.com/support/resource-kit
#
# Please reference our SLA for information regarding support of this application:
#
# http://www.jamfsoftware.com/support/resource-kit-sla
#
########################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
#   disableUSB.sh -- Disable the USB drivers.
#
# SYNOPSIS
#   sudo disableUSB.sh
#   sudo disableUSB.sh <targetVolume> <computerName> <currentUsername>
#
# DESCRIPTION
#   This script disables the USB drivers, thereby disabling all functionality of the USB ports.
#   After running this script, the USB drivers will be moved to:
#
#   /Library/Application Support/JAMF/DisabledExtensions/
#
#   This way, the USB drivers could be re-enabled in the future. After running this script,
#   the machine will need to be rebooted for the settings to take effect.
#
########################################################################################
#
# HISTORY
#
# Version: 1.1
#
# - Created by Nick Amundsen on August 6th, 2008
# - Modified by Nick Amundsen on June 25th, 2009
#
########################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
########################################################################################

# HARDCODED VALUE FOR "targetVolume" IS SET HERE
targetVolume=""

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 1 AND, IF SO, ASSIGN TO "USERNAME"
if [ "$1" != "" ] && [ "$targetVolume" == "" ];then
    targetVolume=$1
fi

########################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
########################################################################################

echo "Disabling the USB Drivers..."

if [ -d "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/" ]; then
    /bin/mv "$targetVolume/System/Library/Extensions/IOUSBMassStorageClass.kext" "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"
else
    /bin/mkdir -p "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"
    /bin/mv "$targetVolume/System/Library/Extensions/IOUSBMassStorageClass.kext" "$targetVolume/Library/Application Support/JAMF/DisabledExtensions/"
fi

bentoms
Release Candidate Programs Tester

@Zeek Pretty sure that those .kext locations are in some manner SIP protected.

So doubt this will work with 10.11.

sean
Valued Contributor

+1 Config Profile or MCX if you like

+1 for SIP will stop you

$ ls -lOe /System/Library/Extensions/IOUSBMassStorageClass.kext
total 0
drwxr-xr-x  6 root  wheel  restricted 204 17 Feb 16:17 Contents
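
The `restricted` flag in the listing above can be checked before a script attempts any `mv`. The following pre-flight check is an added example, not code from the thread or from JAMF; the function names and the sample listing (including `Example.kext`) are constructed for illustration, and it assumes the `ls -lO` column order shown above.

```shell
#!/bin/sh
# Added example: report which entries in `ls -lOd` output (macOS) carry the
# "restricted" file flag. While SIP is enabled, mv on such paths fails even as root.

# has_restricted_flag LINE -> exit 0 if the flags column contains "restricted"
has_restricted_flag() {
    # Columns of `ls -lO`: mode links owner group flags size date... name
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        *,restricted,*) return 0 ;;   # also matches lists like "restricted,hidden"
        *) return 1 ;;
    esac
}

# preflight: read `ls -lOd` lines on stdin, print one verdict per entry
preflight() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line##*/}              # last path component
        if has_restricted_flag "$line"; then
            printf 'SKIP %s (restricted flag set, SIP will block mv)\n' "$name"
        else
            printf 'OK   %s\n' "$name"
        fi
    done
}

# Constructed sample input, modelled on the listing format shown above.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x  3 root  wheel  restricted 102 17 Feb 16:17 /System/Library/Extensions/IOUSBMassStorageClass.kext
drwxr-xr-x  3 root  wheel  - 102 17 Feb 16:17 /Library/Extensions/Example.kext
EOF
}

# On a Mac, feed real data instead:
#   ls -lOd /System/Library/Extensions/IOUSB*.kext | preflight
sample_listing | preflight
```

A policy script can exit non-zero when any line is reported as `SKIP`, so Self Service shows a clear failure reason instead of a generic script error.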

mistermatt
New Contributor

Does anyone have a good solution for disabling USB for certain groups?