MacOS Sierra using JSS 9.96 Disabling External Disks via Config Profiles not working...

drheiner
New Contributor III

Has anyone tested creating the Configuration profile using JSS 9.96 for MacOS Sierra to disable the "External Disk"? I have tried installing the profile manually and via MDM with this disabled, however the USB still shows up. The same profile works on OS X 10.11 for both vanilla and our base build without issues. I have tried recreating the Configuration profile as well via Casper, same effect. Anyone else seen this?

I have tried this on a Sierra vanilla machine as well. Not sure if it's a bug or not. Any thoughts?

10 REPLIES

drheiner
New Contributor III

Update, FYI to those that use this setting to disable the USB Mass storage devices:

This is currently a product issue with Jamf (PI-003021) and Apple regarding Configuration Profiles. A bug report has been generated.

JustDeWon
Contributor III

What about making it read-only and/or requiring authentication? I am looking to upgrade to 9.96 next month, but I already have a feature request to enable FileVault2 on an external disk. It'll be a shame if I couldn't at least have a different option until the Feature Request is possibly implemented.

drheiner
New Contributor III

Tried it with no effect, I have also filed a Radar/Bug Report with Apple regarding this. It does work on OS X 10.11 just not MacOS 10.12 Sierra.

ChupSuy
New Contributor III

We too face this issue and as a workaround we use a rather drastic approach.

We've now set up a policy to unload the actual driver upon Startup and Check-in..

```sh
#!/bin/sh

# Unload the USB mass storage and SD card reader drivers
kextunload -b com.apple.iokit.IOUSBMassStorageDriver
kextunload -b com.apple.driver.AppleSDXC

exit 0
```

Hope this helps anyone in need to disallow external storage on Sierra..

drheiner
New Contributor III

Good suggestion. I created an Extension Attribute and a smart group to query those workstations that have it loaded (below) to go along with your suggestion (also created two policies), however this is still a kludgy way of doing it. This configuration profile setting needs to be fixed. Another way of doing this, during imaging time (Netboot if you use that), is to unload and move the Kext file out of the Extension folder.

```sh
#!/bin/sh
# Extension Attributes Name: USB Mass Storage
# Version: v1
# Compiled: 10/10/2016
# Design For: MacOS 10.12
# Created By: Dan

# Look for the USB mass storage driver in the list of loaded kexts.
# (sudo is unnecessary: Extension Attribute scripts already run as root.)
gsusbmassstorage=$(kextstat | grep com.apple.iokit.IOUSBMassStorageDriver)
if [ -z "$gsusbmassstorage" ]; then
    echo "<result>Unloaded</result>"
else
    echo "<result>Loaded</result>"
fi
```
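
An added example, not part of the thread and not Jamf's code: the Extension Attribute above checks only the USB driver, while the unload policy removes two kexts, so this version reports on both and matches each bundle ID exactly against kextstat's Name column instead of by substring. The function names, result strings and sample kextstat lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. Result strings are this example's choice.
WATCHED="com.apple.iokit.IOUSBMassStorageDriver com.apple.driver.AppleSDXC"

# loaded_storage_kexts KEXTSTAT_TEXT
# Prints the watched bundle IDs whose exact name appears in column 6 ("Name")
# of kextstat output, space-separated. Prints an empty line if none are loaded.
loaded_storage_kexts() {
    printf '%s\n' "$1" | awk -v watched="$WATCHED" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($6 in want) && !seen[$6]++ { out = out (out ? " " : "") $6 }
        END { print out }'
}

# ea_result KEXTSTAT_TEXT
# Prints the <result> line that Jamf reads from an Extension Attribute script.
ea_result() {
    found=$(loaded_storage_kexts "$1")
    if [ -z "$found" ]; then
        echo "<result>Unloaded</result>"
    else
        echo "<result>Loaded: $found</result>"
    fi
}

# Constructed kextstat output (addresses, versions and UUIDs are made up).
# SAMPLE_NEAR uses a made-up name that a plain grep for the USB driver would match.
SAMPLE_HEADER='Index Refs Address            Size    Wired   Name (Version) UUID <Linked Against>'
SAMPLE_USB='  120    0 0xffffff7f82000000 0x1b000 0x1b000 com.apple.iokit.IOUSBMassStorageDriver (0.0.0) UUID-1 <5 4 3>'
SAMPLE_SDXC='  121    0 0xffffff7f82100000 0x11000 0x11000 com.apple.driver.AppleSDXC (0.0.0) UUID-2 <5 4 3>'
SAMPLE_NEAR='  122    0 0xffffff7f82200000 0x4000  0x4000  com.apple.iokit.IOUSBMassStorageDriver.example (0.0.0) UUID-3 <5 4>'

# On a Mac, report the live state; elsewhere, run against the constructed sample.
if command -v kextstat >/dev/null 2>&1; then
    ea_result "$(kextstat)"
else
    ea_result "$SAMPLE_HEADER
$SAMPLE_SDXC
$SAMPLE_NEAR"
fi
```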

bofh
New Contributor III

Is there any news on this?
The PI isn't listed in 9.97 as Fixed nor as a Known Issue. @drheiner As well, I can't even unload the extension on Sierra. @ChupSuy

bofh

gachowski
Valued Contributor II

I tested this manually on Sierra .2 and the current El Cap with clean OS install without any other software. The profile worked fine on El Cap and not at all on Sierra...

This is an Apple issue.. : )

C

drheiner
New Contributor III

To update, I filed a bug report with Apple (28495915) regarding this issue back in September 2016. Apple just got back to me and said this is resolved in MacOS 10.12.4 Beta patch. Here is their reply.....

"Apple Developer Relations 26-Jan-2017 09:51 AM

We believe this issue has been resolved in the latest macOS 10.12.4 beta.

Please test with the latest beta. If you still have issues, please update your bug report with any relevant logs or information that could help us investigate.

macOS
https://developer.apple.com/download/"

I haven't tried the 10.12.4 beta yet, but it seems they fixed it. Jamf has also flagged this as an issue - [D-009110] Configuration profiles with the Internal Disks: Allow option disabled do not prevent the use of memory cards.

bofh
New Contributor III

@drheiner Okay I'll test 10.12.4 beta tomorrow as we will need this feature in the near future :-)

bofh

franton
Valued Contributor III

I would delete and recreate your profile. I had to implement this and it is working for me nicely.