Restrict external USB devices but allow encrypted USB devices

New Contributor II

Is there a way that will allow USB keyboard and mice to work, allow specific encrypted USB drives(2 specific hard drives and 2 specific USB thumb drives) but block everything else?


Contributor III

I know this is an old post but would be interested to know if you came up with a solution.

Looking at my own JSS, there's a policy that was created before I came on that looks like it ejects unencrypted USB devices:

#!/bin/bash -v
exec 2>&1

#Get the disk name

for disk in $(diskutil list | awk '/disk[1-9]s/{ print $NF }' | grep -v /dev); do
    if [[ $(diskutil info $disk | awk '/Protocol/{ print $2 }') == "USB" ]]; then
        echo "Device $disk is a USB removable disk"
        diskName=$(diskutil info $disk | awk -F"/" '/Mount Point/{ print $NF }')

        #If disk is encrypted
        isEncrypted=`diskutil cs info $disk 2>&1|grep "is not a CoreStorage disk"`
        if [ -z "$isEncrypted" ]; then
            echo "$disk is encrypted"
           # Eject the disk
            echo "$disk is NOT encrypted"
            diskutil unmountDisk $diskName

The downside is that it runs at Recurring Check-in, and is ongoing. So it's running a lot (and makes going through Policy logs for a computer kind of painful), and a user could potentially connect an unencrypted drive right after check-in and use it for about 15 minutes before it would be disconnected. Seems like a configuration profile would be a better option, but don't think there's anything that currently does it. I'd also thought about a launchagent (as per but haven't started actively looking into it yet.