Posted on 01-19-2015 08:55 AM
Hi All,
I'm working in a very locked down environment, but one thing eludes me. It is this: I can build an image for MacBook Pros, create user profiles that won't allow mounted dmg, the USB drives are disabled too, but is there any way one can disable the SD card reader? There is no option in image building to disable them. I have played around with scripting but with little success. So I was wondering if anyone else had any good results in this area?
Thanks Steve
Posted on 01-19-2015 09:50 AM
Posted on 01-19-2015 09:58 AM
Thanks so much for the link, I had tried that before twice, a couple of months ago, but the SD card reader still worked. I will try on a 'fresh' out of box build in case that is different. Do you know if this was successfully resolved for the OP?
Posted on 01-19-2015 01:35 PM
@steva07 Not sure, you could try deleting the kext and restart the machine. You'd probably have to check and make sure it isn't put back after any OS updates though.
Posted on 01-19-2015 03:14 PM
If you need more usability than just all or none, try checking out http://www.endpointprotector.com
Posted on 01-20-2015 07:44 AM
As @mojo21221 stated, I use Endpoint Protector to lock down removable media on all the Macs I manage and it does a great job.
I created a feature request a while back to include this functionality into the JSS; however, it never went anywhere.
Posted on 01-20-2015 07:50 AM
Lot of my security-conscious clients use Endpoint Protector...
Posted on 01-20-2015 12:25 PM
This Endpoint Protector has me interested. Those of you that have used it, what did you think?
Posted on 01-20-2015 01:01 PM
Is anyone using Endpoint Protector and the TrustedDevices functionality? We have rolled out hardware encrypted flash drives to all of our staff that handle PHI and they are being directed to use them but we are not currently doing anything to enforce their usage. I was asked to casually look into how we might accomplish this with OS X and Endpoint Protector looks like it supports just that scenario, blocking USB storage devices unless it is one of the TrustedDevices.
I had not heard of these guys so kudos to @Potter for mentioning them.
Posted on 01-21-2015 05:20 AM
I've never heard of Endpoint Protector, but it's an interesting choice to list Sony front and center on your homepage as a customer if you're selling data loss prevention.
Posted on 01-21-2015 07:01 AM
@CasperSally - I'm not so sure about that. As far as any of us in the public know right now, the data breach at Sony wasn't about employees walking off with data on thumb drives, but about external intrusion. I haven't looked that thoroughly at Endpoint Protector, but in a quick glance on their site, it doesn't look like it's supposed to offer external intrusion protection, but protection against internal data loss at the endpoints, which is a different thing.
The breach at Sony was likely the result of their security teams not adequately protecting their network. (though it might have also been an inside job)
Posted on 01-21-2015 07:03 AM
We've got a couple of customers using it. The auditing side has helped them in a few cases where employees have tried to steal company data.
They should really remove Sony from the homepage though! Well spotted @CasperSally
Posted on 01-21-2015 07:07 AM
@mm2270 - I get all that, but from a purely PR standpoint, if I was selling any sort of data loss protection, I wouldn't be aligning myself with Sony. At a minimum, it seems little gain to just have to explain as you did before that it likely wasn't their fault.
Posted on 01-21-2015 07:57 AM
@Kaltsas - I have 2 USB drives (LOK-IT & Kanguru) set as Trusted Devices. I also created 3 different groups such as CD/DVD Allow, USB Allow, Allow All. Then when the user gets the approval can add them to the group which will give them the ability to use that drive, port or whatever. I'm happy with EPP; however, it would be AWESOME if the JAMF offered this ability within the JSS....