2 weeks ago
We want to block external USB-C access on all our Mac devices using Jamf Pro. While we are aware that Jamf Protect offers functionality to block USB access, we do not currently have Protect and would like to achieve this using Jamf Pro alone.
I attempted to configure restrictions in a Configuration Profile under Media (even though it is marked as deprecated). This approach worked on Intel-based Macs running macOS 15.2 (Sequoia), but it does not seem to work on Apple Silicon devices.
Is there a way to consistently block USB access across all Mac devices (both Intel and Apple Silicon) using Jamf Pro?
Any advice or guidance would be greatly appreciated.
2 weeks ago
Unfortunately there is no way to do this without, as you mentioned, Jamf Protect or a similar piece of software.
2 weeks ago
Apple moved this functionality from the MDM framework to the Security framework a few years ago. If you check the restrictions payload for a configuration profile, you still see check boxes for this stuff with "deprecated" next to them.
There is nothing Jamf Pro can do in this space; you need to get the right tool for the job. DLP is not cheap, and your employer needs to be prepared to pay for it.
2 weeks ago - last edited 2 weeks ago
@deep786 Are you talking about USB devices in general, or specifically USB external storage devices? If the latter, would forcing any external physical storage device into Read-Only mode be a viable option? If it is you can achieve that using Jamf Pro to install a Launch Daemon and a script. In simplest terms the Launch Daemon would be configured to trigger whenever a drive was mounted and it would run a script to force any external physical storage devices into Read-Only mode.
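One way to build the Launch Daemon approach described above, as an added example that is not part of the original thread: a daemon with StartOnMount runs this script, which parses `diskutil list` for external physical disks and remounts any writable one read-only. The plist label, its path and the script path are assumptions; the parsers read constructed `diskutil`/`mount` text so they can be checked on a machine without those tools.

```shell
#!/bin/bash
# Added example, not code from the thread. Intended as the target of an assumed
# Launch Daemon (/Library/LaunchDaemons/com.example.usb-readonly.plist, a
# hypothetical name) with <key>StartOnMount</key><true/> and ProgramArguments
# pointing at this script, so launchd runs it each time a volume is mounted.

# Whole-disk identifiers (disk4, disk5, ...) of external physical disks, parsed
# from `diskutil list` text on stdin. Kept separate from diskutil itself so the
# parser can be checked offline against constructed output.
external_physical_disks() {
  awk '/^\/dev\/disk[0-9]+ \(external, physical\):/ { sub("^/dev/", "", $1); print $1 }'
}

# Exit 0 if any volume of disk $1 appears in `mount` text on stdin without the
# read-only flag. This guard matters: the remount below is itself a mount
# event, so without it StartOnMount would re-trigger the script endlessly.
has_writable_mount() {
  awk -v d="/dev/$1s" 'index($1, d) == 1 && $0 !~ /read-only/ { found = 1 }
                        END { exit !found }'
}

# Unmount every volume on the disk, then mount them again read-only
# (diskutil's unmountDisk and "mountDisk readOnly" verbs).
make_read_only() {
  diskutil unmountDisk "$1" >/dev/null && diskutil mountDisk readOnly "$1" >/dev/null
}

main() {
  local disk
  for disk in $(diskutil list | external_physical_disks); do
    if mount | has_writable_mount "$disk"; then
      echo "Remounting $disk read-only"
      make_read_only "$disk"
    fi
  done
}

# Only act where diskutil exists (a Mac); elsewhere the functions are just
# defined, which lets the parsers be exercised with constructed text.
command -v diskutil >/dev/null 2>&1 && main
```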
2 weeks ago
We have achieved this through our EDR solution, SentinelOne.
2 weeks ago
I thought I read somewhere that declarations were being implemented sometime soon for managing USB devices again?
2 weeks ago
Apple did add media blocking to DDM in macOS Sequoia. Jamf announced support for this feature at JNUC last October through Blueprints, but has not released it yet. Hopefully in the next few months.
2 weeks ago
Ah yes, that's right. I found the declaration that I was thinking of.
a week ago
Hi @deep786
Here is the script for Apple Silicon Macs:
Tested on a Mac M1 running macOS Sonoma; it works.
Tested with external disks: SanDisk flash drive, ADATA external SSD.
Script name: AutoEjectDiskExternal.sh
Its function: every time an external disk is plugged into the Mac, it is ejected.
#!/bin/bash
# Created by Agung sujiwo 22/01/2025
# AutoEjectDiskExternal.sh
# Runs until killed (see ForceQuitAutoEjectDiskExternal.sh) and ejects every
# external disk it finds.

# Eject one disk, given as a /dev path or device identifier.
eject_disk() {
    local disk=$1
    echo "Ejecting $disk..."
    if diskutil eject "$disk" >/dev/null 2>&1; then
        echo "Successfully ejected $disk."
    else
        echo "Failed to eject $disk. You might need admin privileges."
    fi
}

# Main loop: check for external disks every 5 seconds.
while true; do
    # Whole-disk lines in `diskutil list` look like "/dev/disk4 (external, physical):",
    # so grepping for "external" skips internal drives and awk prints the /dev path.
    connected_disks=$(diskutil list | grep external | awk '{print $1}')
    if [ -n "$connected_disks" ]; then
        echo "Detected external disk(s):"
        echo "$connected_disks"
        # Eject each detected external disk
        for disk in $connected_disks; do
            eject_disk "$disk"
        done
    fi
    # Sleep for 5 seconds before re-checking
    sleep 5
done
Here is the script to kill the running AutoEjectDiskExternal.sh script.
Script name: ForceQuitAutoEjectDiskExternal.sh
#!/bin/bash
# Created by Agung sujiwo 22/1/2025
# ForceQuitAutoEjectDiskExternal.sh
# Kill the running AutoEjectDiskExternal.sh.
# The pattern requires a "/" or a space before the name: ForceQuitAutoEjectDiskExternal.sh
# contains AutoEjectDiskExternal.sh as a substring, so a bare `pkill -f AutoEjectDiskExternal.sh`
# would also match this script's own command line and kill it.
pkill -f '[/ ]AutoEjectDiskExternal\.sh'
In the next step, you can add this script, create a policy with the 'Login' trigger, and assign the appropriate scope. If you have an alternative approach or method, feel free to implement it.