Posted on 10-12-2016 11:22 AM
Is there a way that will allow USB keyboards and mice to work, allow specific encrypted USB drives (2 specific hard drives and 2 specific USB thumb drives) but block everything else?
Posted on 04-05-2018 05:57 AM
I know this is an old post but would be interested to know if you came up with a solution.
Looking at my own JSS, there's a policy that was created before I came on that looks like it ejects unencrypted USB devices:
#!/bin/bash -v
exec 2>&1
# Get the disk name
# Tmhoule
# Walk every partition on disk1 and above (disk0 is the internal boot disk)
for disk in $(diskutil list | awk '/disk[1-9]s/{ print $NF }' | grep -v /dev); do
    if [[ $(diskutil info "$disk" | awk '/Protocol/{ print $2 }') == "USB" ]]; then
        echo "Device $disk is a USB removable disk"
        # Volume name, taken from the last component of the mount point
        diskName=$(diskutil info "$disk" | awk -F"/" '/Mount Point/{ print $NF }')
        # If disk is encrypted: `diskutil cs info` prints "is not a CoreStorage disk"
        # for anything that is not a CoreStorage volume, so empty grep output means encrypted
        isEncrypted=$(diskutil cs info "$disk" 2>&1 | grep "is not a CoreStorage disk")
        if [ -z "$isEncrypted" ]; then
            echo "$disk is encrypted"
        else
            # Eject the disk (quoted, so volume names with spaces still work)
            echo "$disk is NOT encrypted"
            diskutil unmountDisk "$diskName"
        fi
    fi
done
The downside is that it runs at Recurring Check-in, and is ongoing. So it's running a lot (and makes going through Policy logs for a computer kind of painful), and a user could potentially connect an unencrypted drive right after check-in and use it for about 15 minutes before it would be disconnected. Seems like a configuration profile would be a better option, but don't think there's anything that currently does it. I'd also thought about a launchagent (as per https://stackoverflow.com/questions/7240117/execute-an-application-on-mac-os-x-when-a-particular-typ...) but haven't started actively looking into it yet.
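An added example, not code from either post, that combines the original question (allow only specific encrypted drives) with the eject-unencrypted idea of the script above. It keeps the decision logic in functions that take `diskutil info` text on standard input, so the policy can be tested with captured output on any machine; only `enforce` needs macOS. Assumptions: approved drives are identified by their `Volume UUID` (the two UUIDs in the allowlist are constructed placeholders), and encryption status is read from the `FileVault:` line that APFS volumes report or the `Encrypted:` line of CoreStorage volumes, labels to confirm against `diskutil info` on the target macOS version. Unlike the CoreStorage-only check above, it therefore also recognises APFS-encrypted sticks.

```shell
#!/bin/bash
# Added example, not code from the thread: an allowlist-based USB volume policy.
# Assumes macOS `diskutil`; the UUIDs below are constructed placeholders.

# Volume UUIDs of the permitted drives (constructed placeholders; take the real
# values from `diskutil info <mount point>` on each approved volume).
ALLOWED_VOLUME_UUIDS="11111111-2222-3333-4444-555555555555
AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"

# Extract one "Label:   value" field from diskutil-info-style text on stdin.
info_field() {
    awk -F': +' -v key="$1" '{ k = $1; sub(/^ +/, "", k); if (k == key) { print $2; exit } }'
}

# Classify one volume from its `diskutil info` text on stdin. Prints exactly one of:
#   allow-not-usb      not USB-attached, outside the policy
#   allow-listed       USB, encrypted and on the allowlist
#   block-unencrypted  USB but not encrypted
#   block-unlisted     USB and encrypted, but not an approved volume
# Encryption is read from "FileVault:" (APFS) or "Encrypted:" (CoreStorage);
# that those labels appear in `diskutil info` output is an assumption to verify.
classify_volume() {
    local info protocol uuid enc
    info=$(cat)
    protocol=$(printf '%s\n' "$info" | info_field "Protocol")
    if [ "$protocol" != "USB" ]; then echo "allow-not-usb"; return 0; fi
    enc=$(printf '%s\n' "$info" | info_field "FileVault")
    [ -n "$enc" ] || enc=$(printf '%s\n' "$info" | info_field "Encrypted")
    if [ "$enc" != "Yes" ]; then echo "block-unencrypted"; return 0; fi
    uuid=$(printf '%s\n' "$info" | info_field "Volume UUID")
    # An empty UUID must never match the allowlist, so guard before grepping.
    if [ -n "$uuid" ] && printf '%s\n' "$ALLOWED_VOLUME_UUIDS" | grep -qxF "$uuid"; then
        echo "allow-listed"
    else
        echo "block-unlisted"
    fi
}

# Apply the policy to every mounted volume; anything classified block-* is unmounted.
# Keyboards and mice are untouched because only mounted volumes are examined.
enforce() {
    local mp verdict
    for mp in /Volumes/*; do
        [ -d "$mp" ] || continue
        verdict=$(diskutil info "$mp" | classify_volume)
        case "$verdict" in
            block-*)
                echo "$verdict: unmounting $mp"
                diskutil unmount force "$mp" ;;
            *)
                echo "$verdict: $mp" ;;
        esac
    done
}

# Only enforce where diskutil exists (i.e. on macOS); the functions above can be
# exercised anywhere by feeding them captured `diskutil info` text.
if command -v diskutil >/dev/null 2>&1; then
    enforce
fi
```

To close the window between check-ins, run this from a LaunchDaemon whose `WatchPaths` entry points at `/Volumes`, so it fires as soon as a volume mounts rather than every 15 minutes. Note that a Volume UUID identifies the formatted volume, not the physical device: reformatting an approved drive changes its UUID and drops it off the allowlist, which is the safer failure direction.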