Skip to main content

Hey everyone. So Apple being Apple they scoped their Configuration Profiles wrong in relation to the SD Card slot and as we all know SIP has broken a lot of our KEXT and other scripts that control these items. At the heart of this issue is at some point Apple re-scoped the SD Card Slot/Reader as an Internal Hard Drive. In the Policy Payload itself, in relation to external media, you have an option to enable External Media, Read, Write, and Block. This effects USB media, Thunderbolt media, and Target Disk Mode. What it does not include is the SD Card slot. After trying a lot of different methods and a great discussion with Chris Cohoon we figured out that this is indeed an Apple issue and the remediation options are very limited for people with strict compliance and audit reporting requirements. We spoke with some Apple Engineers this morning to go over our findings and they not only saw what we are seeing but they agreed that the Configuration Profile is not working as intended. Chris Williams, our Apple Engineer Rep. has taken the initiative to file an Internal Apple Radar (for those of you who aren't former employees of Apple its an Apple internal bug report similar to the Apple Developer bug reports.) This is good news and hopefully Apple can fix these Configuration Profiles soon. I'd be interested to hear from others who are having the same issue and too get a small "poll" on how you dealt with it.



Post the following number the represents your methodology:



1.) - SD Card slot Profile is broken, and we have a custom script that still fixes it even with SIP controls.
2.) - SD Card slot Profile is broken, and our scripts have stopped working, we have no remediation.
3.) - SD Card slot Profile is broken, and we gave up trying to manage it
4.) - SD Card slot Profile never broke (please list method of managing and OS)
5.) - Whats an SD Card slot?



Thanks everyone, this is helpful data we will be using to help expedite this being fixed to Apple. We have their attention, who knows for how long, so we are going to push for this to get remediated ASAP.



Matt
VP - Barclays

Example of response.



2



We had scripts in place but they stopped working. In order to get the CP's active we rescoped the CP to block Internal as well which not only disables SD cards but also secondary drives. We are also seeing random Prohibitory and ? Folders. Remediation is ongoing with Apple.



Thanks again everyone this data will be going straight to Apple so please try and give us a response.

3.) - SD Card slot Profile is broken, and we gave up trying to manage it



Sometimes I want to replace all our new hardware with Performa 6400s. "Security through obscurity"

Yeah, I know what you mean.

@AVmcclint I miss my Performa 6400! That machine was amazing for it's day. I had the TV card for it and was the coolest thing when I was in college. I remember I got a daughter board for it to upgrade the CPU as well, so we lasted quite a bit of time.



But back to the subject. Is there a method to just block all SD usage? Because that would force a user to use a USB card reader and thus be considered an external hard drive.

Reply


Terms & ConditionsCookie settings