Media Restrictions on Big Sur

Polybius
New Contributor III

Although I know the settings are deprecated for Big Sur, I have a profile installed with Allow on the Media Restrictions section. This is because I still have Catalina machines in use. However, when I check the profile in System Preferences on a Big Sur machine, it shows Deny for all mount rules. I'm guessing this is why I can't mount any external USB drives. When I move the computer to another site that doesn't have that profile, I can mount USB drives again. Anybody know how I can fix this?

1 ACCEPTED SOLUTION

Polybius
New Contributor III

I believe I figured it out. I had another policy with restrictions on just one tab (lock the background), but since I didn't explicitly select Allow on the Media tab, it defaults to deny and overwrites my other policies. The default should be allow! I shouldn't have to go allow things on other tabs just because I want to restrict one thing.


3 REPLIES

brianmcbride99
Contributor II

Can you create a new Smart Computer group for your Big Sur machines and then exclude that group from the profile with the restrictions?

I could do that, but I have other restrictions on that profile that I want to apply. Seems like the default setting for those media restrictions should be Deny and not Allow. If I make a new profile with some restrictions and I don't specifically click Allow for the Media Restrictions, won't they be Denied by default? I also have a new problem now, however. I changed the profile to apply at User Level and it still applies at the computer level. And even though it is denying USB drives, it appears that not all the restrictions are applied even though the profile appears to be applied at the computer level (I still have all System Preferences when most should be blocked). I have the scope set to all computers for the site and I have limitations for a specific domain user while I include a local admin user in the exclusion list. It was working at first (only applying at the User Level) but it's not doing it now. I love the idea of Jamf but I also hate it so much sometimes. I hate automagically configured things because it doesn't always *just* work.
