Ideas for locking out USB ports for keys and drives

barber
New Contributor

Head of security has asked me to investigate whether it's possible to restrict the use of USB keys and FireWire drives on company Macs. Anyone got any ideas or had any exposure in this area? Of course we can't fully disable them because of keyboards & mice (saw a script for this). I'm assuming some sort of third-party product might be the best solution in the end.

1 ACCEPTED SOLUTION

lance_ogletree
Contributor

Don't forget about Configuration Profiles for 10.7 and beyond. The restrictions payload has a Media section that allows you to restrict the behavior of external media types.

21 REPLIES

Mbentley777
Contributor

Workgroup Manager has an option to do this - basically a blanket disable of all external access. I remember it being along the lines of external volumes, servers and optical discs - you could set the options to read only/no access, from what I remember.

A little more extreme: you could remove the .kext file for USB/FireWire.

jarednichols
Honored Contributor

There's a template in the JSS for Managed Preferences that can do this. You'll find it in the com.apple.systemuiserver domain. You can modify it slightly as well to lock out standard users completely by requiring an administrator username and password to mount storage devices:

<dict>
    <key>blankcd</key>
    <array/>
    <key>blankdvd</key>
    <array/>
    <key>cd</key>
    <array/>
    <key>disk-image</key>
    <array/>
    <key>dvd</key>
    <array/>
    <key>harddisk-external</key>
    <array>
        <string>authenticate</string>
        <string>eject</string>
    </array>
    <key>harddisk-internal</key>
    <array/>
</dict>

That "authenticate" string is what does the prompting.

jarednichols
Honored Contributor

Wow. Fidelity representing on this answer hardcore. w00t

tlarkin
Honored Contributor

Hey Mark,

Are you looking to disable USB and FW hard drives and thumb drives only, or the whole port itself? I can think of several ideas that may work, but I'd like to hear in more detail exactly what you are trying to accomplish.

Thanks,
Tom

roma_bartolome
New Contributor

Is there a way to retrieve the recovery key on the JSS server when an external drive (i.e. a USB flash drive) is encrypted using FileVault 2? Please advise. Thank you.

Mac OS X version: 10.9 Mavericks

spotter
New Contributor III

We utilize Endpoint Protector by CoSoSys... we needed to lock down all removable media to read-only but also needed to whitelist certain pre-encrypted USB drives... EPP was the best solution at the time and still does everything we need...

rgranholm
Contributor

I am trying to use the configuration policy, yet it doesn't seem to be working.

I'd like to not allow anyone to use any external hard drives or USB drives without permission from IT, but I'm just starting out seeing if I can lock them out. Each user on my managed machines is an administrator and remote from my network.

I just wanted to test, so I set my policy like the attached image, which shows up in my profile just fine.

Yet I can plug in both a USB external drive and a thumb drive, access data, and copy to them just fine... what am I missing?

howie_isaacks
Valued Contributor II

I need to do this myself. I have a new customer who needs to make sure that their users cannot copy files onto thumb drives. I'm trying to use a configuration profile. I deselect "allow" for external disks, but it has zero effect. Very infuriating. I see the profile appear, but it's as if it's not even installed.

KSchroeder
Contributor

Anyone have better luck with this? I'm also trying to get this working, with mixed results. Of my 3 test users (myself and two others), 2 say they can read but not write, and the other says theirs is completely disabled. My machine is on Sierra 10.12.3 and the others have either the same or 10.12.4 beta 2.

It does seem to be related somewhat to the format of the disk too; I have a 16GB Lexar that is formatted NTFS and it will read but not write, and a couple that are DOS-formatted (Windows boot keys) which will read and write.

I did note in prior testing (where it WAS working) that I had to reboot the machine before the policy took effect.

gachowski
Valued Contributor II

In my testing it's broken in Sierra...I have read that there is an open ticket with Apple too.

C.

Therion87
New Contributor

Hi, it sounds like I'm having a similar issue to the last few folks who've posted. All of the Macs in our estate are running Sierra 10.12.3, and I've set up a Config Profile with external storage media disallowed. Under Restrictions > Media, only Internal Disks and Disk Images are set to Allow; all other media types are unchecked, as we don't want our users being able to connect any sort of storage to the workstations.

When I look at Profiles in System Prefs, I can see the profile has been applied. However, if I plug any USB device in (I've tried a Kingston DataTraveler USB, an Integral encrypted USB, and a WD My Passport USB drive) they get picked up and appear in the Finder.

The only other solutions I've managed to come across so far are ones which involve moving/renaming/deleting the kext files under /System/Library/Extensions, but it looks like SIP will prevent this nowadays.

Has anyone come across a working solution for this?

Thanks

Look
Valued Contributor III

@KSchroeder macOS only has native support for reading NTFS, that's normal behaviour not a result of any restrictions.

KSchroeder
Contributor

Opened an Apple incident (after a Jamf ticket, who pointed the finger at Apple). Jamf gave me RADAR #28496563. Apple states this is fixed in 10.12.4 beta, per my ticket to them. Need to verify this...

aemregursu
New Contributor

Hello all, with the incident we found that the 10.12.3 version of the OS does not support Configuration Profiles for the USB case, @KSchroeder, which may be the cause of your problem. In another case you can easily bypass this issue for the mobile use case: you plug in, sync your device and transfer your media with an app. Can we prevent this situation from happening? Any ideas?
Thanks,

GerardWeese
New Contributor

Is there an update on the issue of configuration profiles not restricting external media? Has anyone found a solution, @KSchroeder?

-Gerard

gachowski
Valued Contributor II

The profile worked in one of my Sierra tests, forgot what version... and it's working in High Sierra too, I just tested that yesterday... : ) beta 7

C

mani2care
Contributor

I tried blocking the USB as read-only. The first time it works and is blocked, but after that it is not working and users are still able to access the USB.

mani2care
Contributor

Nice, but do we have any extension attribute to know the USB read-only status?
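A way to answer that question, and to check the mount-controls dict jarednichols posted earlier from the client side, as an added example (not from this thread, not Jamf's code): a Jamf extension attribute script that reads the managed preference and reports the policy in force for external hard disks and thumb drives. It assumes that the Restrictions > Media payload lands in the com.apple.systemuiserver managed preference under a "mount-controls" key holding the per-media-type arrays shown above, and that the action words in those arrays are deny, read-only, authenticate, eject and allow; the `defaults read` output embedded in the script is a constructed sample so the parsing can be exercised off a managed Mac.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf): extension attribute that
# reports the managed mount policy for external hard disks / thumb drives.
#
# Assumptions, not confirmed by the thread: the Restrictions > Media payload is
# delivered as the com.apple.systemuiserver managed preference, its arrays sit
# under the "mount-controls" key (the dict posted earlier), and the action
# words used there are deny, read-only, authenticate, eject and allow.

MANAGED_DOMAIN="/Library/Managed Preferences/com.apple.systemuiserver"

# extract_media_entries KEY: reads `defaults read ... mount-controls` output on
# stdin and prints the action words listed for media type KEY, space-separated.
# Prints an empty line when the array is empty or the key is absent.
extract_media_entries() {
    awk -v key="$1" '
        # key line looks like:   "harddisk-external" =     (
        # defaults(1) prints simple keys (cd, dvd) without quotes
        !inside && ($1 == key || $1 == "\"" key "\"") && $2 == "=" { inside = 1 }
        inside { buf = buf " " $0 }
        inside && /\);/ { exit }
        END {
            sub(/^[^(]*\(/, "", buf)        # drop everything up to the opening paren
            sub(/\).*$/, "", buf)           # drop the closing paren and what follows
            gsub(/[,"]/, " ", buf)          # commas and quotes become whitespace
            gsub(/[ \t]+/, " ", buf)        # collapse runs of whitespace
            sub(/^ /, "", buf); sub(/ $/, "", buf)
            print buf
        }'
}

# classify_media_policy "ACTIONS": maps one media type's action words to a single
# status. deny wins over read-only, which wins over authenticate; an empty list
# means no restriction is being enforced for that media type.
classify_media_policy() {
    case " $1 " in
        *" deny "*)         echo "blocked" ;;
        *" read-only "*)    echo "read-only" ;;
        *" authenticate "*) echo "admin-auth-required" ;;
        *)                  echo "unrestricted" ;;
    esac
}

# Constructed sample of what `defaults read` prints for the dict posted earlier
# in the thread (authenticate + eject on external hard disks, nothing else).
SAMPLE_DEFAULTS_OUTPUT='{
    blankcd =     (
    );
    "disk-image" =     (
    );
    "harddisk-external" =     (
        authenticate,
        eject
    );
    "harddisk-internal" =     (
    );
}'

# Extension attribute entry point: Jamf records whatever is between the
# <result> tags as the attribute value for this computer.
if [ -f "$MANAGED_DOMAIN.plist" ] && command -v defaults >/dev/null 2>&1; then
    entries=$(defaults read "$MANAGED_DOMAIN" mount-controls 2>/dev/null \
        | extract_media_entries harddisk-external)
    echo "<result>$(classify_media_policy "$entries")</result>"
else
    echo "<result>Not managed</result>"
fi
```

Run as an extension attribute it gives a per-machine value you can smart-group on, which is the missing piece when the profile shows as installed but the Finder still mounts the drive: a machine reporting "unrestricted" never received the mount-controls keys, while one reporting "admin-auth-required" or "read-only" did, and any remaining access is a client-side enforcement problem rather than a deployment one.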

mwu1876
Contributor

We use Jamf Protect and they do offer USB protection. You can allow certain drives or manufacturers. We haven't implemented it yet but are testing it.

ali_fadavinia
New Contributor III

The best luck we had was with the following link (if you have MS Defender in your environment):
Restrict external HDD access
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-device-control-jamf?vi...