Jamf Nation Community

sean · ‎05-25-2012

Anybody using Managed Preferences to either prevent access or use read-only access for external drives?

I've tried testing this, but my experience appears to be:

Lion
Works as long as it isn't fat formatted

Snow Leopard

Deny Access: Works as long as it isn't fat formatted.

Read Only:
read-only for HFS. After using a fat formatted external drive, which ignores the mcx itself, any subsequent use of HFS external drives are now read/write as well.

Anyone confirm/deny this experience? If it can't handle DOS formatted, then it's pointless configuring any of this for external drives.

Thanks

Sean

sean · ‎05-31-2012

Hey, realise you're trying to help ;)

Many USB pen drives come supplied with no Volume Name. I've quickly written this. It ain't the neatest but it'll do for now. Just create a launchd plist with a watch path of /Volumes

#!/bin/bash

###########################################################################################################
#######################################   F R A M E S T O R E   ###########################################
###########################################################################################################

## Media Access rules broken by devices with no name.  Eject any drives inserted if configured with no name

###########################################################################################################
##########################         V E R S I O N    C O N T R O L        ##################################
###########################################################################################################

## Sean Holden  - originating author , [v1.0], [30-05-2012]

## V [version number] - [change made] - [user who made changes] - [date]


###########################################################################################################
############################           S C R I P T   S T A R T           ##################################
###########################################################################################################

ls -1 /Volumes/ | grep Untitled | while read line
do
        driveName=`diskutil info /Volumes/"$line" | grep "Volume Name:" | cut -d ":" -f 2  | sed 's/^[ 	]*//;s/[ 	]*$//'`

        if [[ "$driveName" == "" ]]
        then
                diskutil umount force /Volumes/"$line"
                logger -t $0 "/Volumes/$newDrive was automatically ejected.  It has no name and is not allowed to be used in the company with this configuration"
        fi
done

View solution in original post

sean · ‎06-07-2012

Haha, yeah it doesn't. Logging will be incorrect, but everything else will work fine. Change that to

logger -t $0 "/Volumes/$line...

View solution in original post

talkingmoose · ‎05-25-2012

I posted my MCX settings earlier for denying access or requiring administrator access to mounting external media using com.apple.systemuiserver.

Format doesn't seem to come into play from what I've seen. Just tested a FAT-formatted USB drive on Lion and this works as expected.

If you've added the "authenticate" string to any of the keys then Standard users will be prompted for admin credentials but admins will automatically mount the media. Otherwise, everyone is denied access.

sean · ‎05-28-2012

Yup, I noticed that authenticate worked, but I admit I didn't test read-only/read write when I tried authenticate, so I don't know if using FAT and then HFS made any difference (guess I'll try that next).

However, that will defeat the point of the exercise. We'd only want to set read-only or deny. We wont want users continually calling up to say can we authenticate their drive.

sean · ‎05-28-2012

Haha!

So I've tried a wider selection of USB drives. I now have some FAT drives that break the rules and some that don't break the rules. Yet to find a HFS drive that doesn't obey the rules and yet to test firewire!

Adding authentication doesn't make any difference to read/write, but the same drives that don't obey the rules of read/write, also don't obey the rules of authentication, they just mount!

Supertastic! Well done Apple.

sean · ‎05-28-2012

Worked out the problem and have submitted a bug report. You may be able to test this to confirm.

Plug in a USB device that has no name. I'm gonna guess you're going to see the same thing, that it disobeys the mcx media access settings.

Name the drive and all good.

Of course, without a fix (we are still being forced to run Snow Leopard, so even if Apple provide a bug fix...), if the company want me to implement this, then I guess I'll be writing a launchd process to automatically eject drives that have no name!

I'll be surprised if no one has ever submitted this before. Guess I'll see if Apple own up to knowing about it or not when I get the reply.

Of course, if you are already using and relying on Media Access, you might want to test this and think about providing a temp fix or waiting for an update from Apple!

talkingmoose · ‎05-28-2012

Sounds like you're reporting this is broken in Lion. Correct?

I'm only managing Snow Leopard machines with these settings.

talkingmoose · ‎05-28-2012

Sounds like you're reporting this is broken in Lion. Correct? I'm only managing Snow Leopard machines with these settings.

Need to modify that a little:

I'm only managing Snow Leopard machines but my testing with Lion worked fine. From what I see these MCX settings don't enable read-only access. In my scenario I get either administrator access or no access depending on my settings. Even in Workgroup Manager I don't see an option for read-only.

What are you trying to use for that?

sean · ‎05-29-2012

Workgroup Manager > Preferences > Media Access > Other Media

Choices:
Allow, Require Auth, Read-Only

Available Snow Leopard and Lion

talkingmoose · ‎05-29-2012

Ugh. You're not gonna like that I keep saying "works for me!" Or maybe you will.

Lion/read-only
FAT - Works as expected
HFS - Works as expected
Unformatted - Allows me to format but then won't mount at all (Good 'nuff for me)

I tested with FAT, HFS+ (Journaled) and unformatted USB thumb drives and HFS+ (Journaled) firewire drive.

A few things I found during my troubleshooting:

Run "jamf mcx" on the machine and verify you don't receive an error message about this specific preference. I received an error when I had accidentally left out an "<array>" tag.
Open System Profiler and select Managed Client on the left. Do your settings there match those you see in the JSS?
The "read-only" preference seems to be mutually exclusive from "authenticate" and "eject". Verify you haven't added "authenticate" to the array when using "read-only".

Following is what I'm using in the "Value" field for the "mount-controls" key:

<dict>
    <key>blankcd</key>
    <array>
        <string>authenticate</string>
        <string>eject</string>
    </array>
    <key>blankdvd</key>
    <array>
        <string>authenticate</string>
        <string>eject</string>
    </array>
    <key>cd</key>
    <array/>
    <key>disk-image</key>
    <array>
        <string>read-only</string>
    </array>
    <key>dvd</key>
    <array/>
    <key>harddisk-external</key>
    <array>
        <string>read-only</string>
    </array>
    <key>harddisk-internal</key>
    <array/>
</dict>

Thanks for the "read-only" value. I hadn't found it. It'll come in handy for one group I manage.

sean · ‎05-30-2012

Dude, I have both FAT and HFS working.

However, try a drive that has no name, hence it will come up as Untitled and if you do a diskutil there is no Volume Name. eg:

diskutil info /Volumes/Untitled/
   Device Identifier:        disk4s1
   Device Node:              /dev/disk4s1
   Part Of Whole:            disk4
   Device / Media Name:      Untitled 1

   Volume Name:              
   Escaped with Unicode:   

   Mounted:                  Yes
   Mount Point:              /Volumes/Untitled
   Escaped with Unicode:     /Volumes/Untitled

   File System:              MS-DOS FAT16
   Type:                     msdos
   Name:                     MS-DOS (FAT16)
...

Drives with no name are the problem on both Snow Leopard and Lion!

If that works for you, then feel free to come back with 'Works for me"

talkingmoose · ‎05-30-2012

Dude, I'm just trying to help. :-) I have a need to apply similar settings in my environment so I want to understand this issue too.

You said this problem affected a device "that has no name".

I couldn't select any disk (FAT or HFS) disk in the Finder and delete its name. I couldn't use Disk Utility to format a disk and not give it a name, even if just "UNTITLED". I had a co-worker format a USB device on her Windows computer and it still came across as "NO NAME" on my Mac.

My conclusion then was you meant an unformatted disk. In my results that's why I said "Unformatted - Allows me to format but then won't mount at all (Good 'nuff for me)".

With a lot of trial and error I was able to reproduce the "no name" issue you displayed with diskutil in your most recent post. I had to do exactly the following:

Use Mac OS X 10.7. (Haven't tested 10.6.)
Insert a FAT formated device.
Rename the device in the Finder with a space.
Eject the device.
Insert the device. It reappears in the Finder as "Untitled" but in diskutil with no volume name.

After jumping through those hoops I could reproduce the behavior you described.

How you came across multiple devices that were renamed that way I have no clue.

sean · ‎05-31-2012

Hey, realise you're trying to help ;)

Many USB pen drives come supplied with no Volume Name. I've quickly written this. It ain't the neatest but it'll do for now. Just create a launchd plist with a watch path of /Volumes

#!/bin/bash

###########################################################################################################
#######################################   F R A M E S T O R E   ###########################################
###########################################################################################################

## Media Access rules broken by devices with no name.  Eject any drives inserted if configured with no name

###########################################################################################################
##########################         V E R S I O N    C O N T R O L        ##################################
###########################################################################################################

## Sean Holden  - originating author , [v1.0], [30-05-2012]

## V [version number] - [change made] - [user who made changes] - [date]


###########################################################################################################
############################           S C R I P T   S T A R T           ##################################
###########################################################################################################

ls -1 /Volumes/ | grep Untitled | while read line
do
        driveName=`diskutil info /Volumes/"$line" | grep "Volume Name:" | cut -d ":" -f 2  | sed 's/^[ 	]*//;s/[ 	]*$//'`

        if [[ "$driveName" == "" ]]
        then
                diskutil umount force /Volumes/"$line"
                logger -t $0 "/Volumes/$newDrive was automatically ejected.  It has no name and is not allowed to be used in the company with this configuration"
        fi
done

sean · ‎05-31-2012

I created an Apple Bug Report, classed as a Security bug. Maybe you'd like to do the same. Thanks for persevering, glad you where able to confirm the bug.

talkingmoose · ‎05-31-2012

Reported. And your script has been duly swiped.

sean · ‎05-31-2012

:-)

mm2270 · ‎05-31-2012

Nice script sean. I'll keep it in mind if I ever need to use something like that.
One question though - where does the variable "$newDrive" get assigned in your script? I see you calling it in line 29, but I don't see anywhere in the script where you've set that. It likely wouldn't cause any issues, but I was just wondering.

sean · ‎06-01-2012

line 24

driveName=`diskutil info /Volumes/"$line" | grep "Volume Name:" | cut -d ":" -f 2  | sed 's/^[ 	]*//;s/[ 	]*$//'`

mm2270 · ‎06-01-2012

Yeah, I saw that, but $driveName != $newDrive, unless I'm completely overlooking something.
Never mind though, its not that important really.

sean · ‎06-07-2012

Haha, yeah it doesn't. Logging will be incorrect, but everything else will work fine. Change that to

logger -t $0 "/Volumes/$line...

Jamf Nation Community

Media Access with MCX