Posted on 03-23-2016 07:23 AM
We currently block all write access on external drives for our users via a Configuration Profile pushed via JSS. We have a need to allow the ability to write to Ironkey encrypted drives without allowing write access to unencrypted drives. On the PC side of the house we're using McAfee ePO to allow write access only to drives that have a specific hardware ID (Ironkeys). Is there a way to achieve similar functionality on the Macs? Currently I've had to remove a Mac from the scope of the USB read-only Config Profile for the duration that the user needs to copy files to an Ironkey drive. I also have to trust that the user will let me know that they are done AND that they didn't copy any files to unencrypted drives during that time.
Posted on 03-23-2016 07:55 AM
Another scenario is to allow writing to a regular USB stick that's been encrypted using the steps here: https://derflounder.wordpress.com/2012/07/25/encrypting-non-boot-volumes-in-mountain-lion/
It doesn't have to be an Ironkey drive.
Posted on 03-23-2016 10:46 AM
ePO has a DLP agent for OS X, but it appears to be frighteningly under-documented. We are investigating this ourselves (we have an organizational requirement being passed down to encrypt USB drives). Currently a product called Endpoint Protector is high on our list for both meeting our requirements and being cross-platform. The McAfee product was a nonstarter for me (even as McAfee customers) because the documentation was poor and the sales call consisted of "Yep, we have a Mac agent." "Can you, like, detail its function?" "Nope, it's a Mac agent."
Am very interested to know what anyone else is doing in this realm. I am thinking our process is going to be similar to yours; we currently encourage users to use Aegis hardware-encrypted drives, and I expect we'll just make that a hard requirement for write access and give read access to everything else.