Disabling Write Privileges to External Volumes

cdot
New Contributor

My company's current security posture coupled with the lack of a Symantec Data Loss Prevention client (OS X) have driven a new request: "...to have the ability to write to USB/DVD disabled for all Macs"

I have been through the posts associated w/ disabling USB in its entirety, but I sure would like to stay away from overcompensating. I am also interpreting this security request as applicable to all removable media (thunderbolt/firewire etc).

Any obvious solutions for this?

Thanks in advance...

3 REPLIES

talkingmoose
Moderator

You can do this with managed preferences (and probably profiles too):

https://jamfnation.jamfsoftware.com/discussion.html?id=30

cdot
New Contributor

Before I move toward disabling external volumes entirely, I was hoping to try and limit the users to read privileges for external volumes. Is that specifically not possible?

mm2270
Legendary Contributor III

I'm not entirely clear if what you're looking to do is possible using strict MCX or Configuration profiles, but if not, one possibility would be a LaunchAgent or Daemon that uses the StartOnMount trigger. When it runs, it can run a script that would capture the disk ID of the just mounted volume, as in disk3s1 or whatever, unmounts the volume and remounts it as read only. It wouldn't be perfect since there would likely be a second or so before the script kicked in to unmount the volume and then remounts it, but it could work.
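The StartOnMount approach mm2270 outlines, written out as an added example (this is not code from the thread or from Jamf): a script meant to be run by a LaunchDaemon plist that sets StartOnMount to true, which finds every writable volume on an external bus (USB, Thunderbolt, FireWire alike) and re-mounts it read-only. The install path, the `remount-ro` log tag and the sample `mount`/`diskutil info` text are assumptions; the parsing relies on the `Device Location:` and `Read-Only Volume:` fields that `diskutil info` prints.

```shell
#!/bin/sh
# Added example, not from the thread: run by a LaunchDaemon with StartOnMount,
# it re-mounts every writable external volume read-only, as mm2270 outlines.
# Assumed install path: /usr/local/bin/remount-external-ro.sh

# Extract the BSD device name (disk3s1 ...) from each `mount` line whose
# mount point is under /Volumes, where removable media are mounted.
volumes_devices() {           # stdin: `mount` output; stdout: device names
    sed -n 's|^/dev/\([a-z0-9]*\) on /Volumes/.*|\1|p'
}

# Read `diskutil info <dev>` text on stdin; succeed (exit 0) only when the
# device is on an external bus (USB, Thunderbolt, FireWire...) and writable.
external_writable() {
    awk '
        /^ *Device Location:/  && $NF == "External" { ext = 1 }
        /^ *Read-Only Volume:/ && $NF == "No"       { rw  = 1 }
        END { exit !(ext && rw) }
    '
}

# Unmount and re-mount the device read-only; the brief writable window between
# the mount event and this call is the limitation noted in the thread.
remount_read_only() {
    /usr/sbin/diskutil unmount "/dev/$1" >/dev/null &&
        /usr/sbin/diskutil mount readOnly "/dev/$1" >/dev/null
}

main() {
    for dev in $(/sbin/mount | volumes_devices); do
        if /usr/sbin/diskutil info "/dev/$dev" | external_writable; then
            remount_read_only "$dev" && logger -t remount-ro "$dev now read-only"
        fi
    done
}

# Constructed sample output used to exercise the parsers without real disks.
SAMPLE_MOUNT='/dev/disk1s1 on / (apfs, local, read-only, journaled)
/dev/disk3s1 on /Volumes/USBKEY (msdos, local, nodev, nosuid, noowners)'
SAMPLE_INFO_EXTERNAL='   Device Identifier:        disk3s1
   Device Location:          External
   Read-Only Volume:         No'

# Only touch disks on macOS as root (how launchd runs a LaunchDaemon); on any
# other system the functions are merely defined.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
    main
fi
```

Because launchd does not tell the script which volume triggered the event, it walks all mounted /Volumes entries each time; volumes already read-only are skipped, so repeated runs are harmless.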