Posted on 04-26-2016 09:45 AM
Hi All,
We've had a request from our security team to restrict access to the USB ports on a Mac mini used as a dashboard machine. So far we've removed the kext files below to try and restrict access, but have only been successful at preventing USB mice from connecting after a restart. If someone is familiar with the other kext files we need to remove to prevent USB keyboard access, it would be much appreciated. Thanks in advance!
mv /System/Library/Extensions/IOUSBMassStorageClass.kext /System/Library/Extensions/IOUSBMassStorageClass.kext.bk
mv /System/Library/Extensions/IOUSBAttachedSCSI.kext /System/Library/Extensions/IOUSBAttachedSCSI.kext.bk
mv /System/Library/Extensions/IOUSBFamily.kext /System/Library/Extensions/IOUSBFamily.kext.bk
mv /System/Library/Extensions/IOUSBHostFamily.kext /System/Library/Extensions/IOUSBHostFamily.kext.bk
mv /System/Library/Extensions/IOUSBMassStorageDriver.kext /System/Library/Extensions/IOUSBMassStorageDriver.kext.bk
mv /System/Library/Extensions/AppleUSBTopCase.kext/Contents/PlugIns/AppleUSBTCKeyboard.kext /System/Library/Extensions/AppleUSBTopCase.kext/Contents/PlugIns/AppleUSBTCKeyboard.kext.bk
Posted on 04-26-2016 11:01 AM
Have you tried the Restrictions configuration profile?
Posted on 04-26-2016 11:12 AM
Sounds fun! We're going through a security audit too.... I think @Pearson has a good thought here.... I think this would work.
Posted on 04-26-2016 11:23 AM
You may fare better with AppleHIDKeyboard.kext and AppleHIDMouse.kext. AppleUSBTopCase.kext applies more to MacBook-esque systems with Top Cases.
Posted on 04-26-2016 02:20 PM
Thanks @Person & @Bhughes. I looked at the Restrictions configuration profile before, and that was able to block Bluetooth, which was another of our requirements, but from what I understand the Media section only blocks certain peripherals and not all USB devices?
Thanks @htse I'll give those two kext files a shot.
Posted on 04-26-2016 02:52 PM
Chopping out kexts is going to cause difficulty with the OS, particularly in 10.11 and SIP.
I would probably use EndpointProtector for this type of thing.
Posted on 04-26-2016 05:28 PM
Thanks @davidacland. From reading the description of EndpointProtector, it looks like this just targets USB storage media. Have you used this product before and locked down the USB ports completely?
Posted on 06-16-2016 06:56 AM
So I couldn't get the above screenshot to work. Could anyone? USB still has write access.
Posted on 06-16-2016 09:12 AM
@jalcorn The config profile always worked for me in 10.10 and 10.11 but didn't take effect until after a reboot. We blocked USB storage altogether, didn't try just restricting writes. I assume you are choosing "Read-Only".
Posted on 11-06-2017 08:32 AM
Is this config profile payload still the gold standard for locking down USB ports on 10.13?
Posted on 11-07-2017 04:30 AM
I also use the "Restrictions" payload in a configuration profile to lock down access to USB and have had no issues. If you're using the Mac mini as a dashboard, it doesn't need any sort of access, not even "AirDrop", to copy files off.
We have all the options unticked, since we have iMacs used as build monitors for developers to monitor Jenkins pipeline jobs etc.
Posted on 08-28-2019 08:51 AM
I have tried with Jamf by setting USB to Read-Only, but it only worked once for me; after a reboot the machine is still working as before, so there is no use. Is it working?
Posted on 02-06-2020 05:35 AM
Same happens for me @mani2care Did you find a solution for this?
Posted on 02-06-2020 08:13 AM
@janderson1 I think if profile 1 enables USB access and profile 2 disables USB access, the issue is that there are a number of profiles with the above configuration, so which one will be considered?
So the issue is occurring because of a conflict.
There are a number of profiles, as given below, so the profiles need to be merged.
Posted on 12-02-2020 12:15 AM
I found the solution for the USB block -> the Restriction compliance should be one -> once the MDM profile is allowed it impacts the machines -> if there is more than one configuration profile, they conflict.
1) Profile 1 -> allowed USB
2) Profile 2 -> blocked USB, which means the Mac will accept either one, so here the restriction is conflicting
Validate the older Restrictions tab, merge it into one and push it to the end-user machines; it worked perfectly.
Posted on 12-02-2020 12:16 AM
But is there any way to write an extension attribute to know whether USB is blocked or not?
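One way to answer the last question, and to spot the conflicting-profile situation described a few posts up, is an extension attribute that reads the managed preference the Media restriction writes rather than trusting that the profile is scoped. The script below is an added example, not code from this thread or from Jamf. It assumes that the Media restriction lands in the system-level file /Library/Managed Preferences/com.apple.systemuiserver.plist as a `mount-controls` dictionary whose `harddisk-external` array holds `deny` or `read-only` (these key names and the file path are assumptions; verify them against a profile you have pushed before relying on it), and that `profiles show -output stdout-xml` dumps installed payload content so that more than one `mount-controls` hit indicates overlapping profiles. The sample plists embedded in the block are constructed for illustration.

```shell
#!/bin/bash
# Jamf extension attribute (added example): report whether external USB storage
# is blocked by a managed Media restriction, and how many profiles carry one.

# Extract the policy for one mount-controls key from a plist in XML form on stdin.
# Prints "deny", "read-only", another value list, or "none" when no policy is set.
# Key names (mount-controls / harddisk-external) are assumed, see lead-in.
usb_policy_from_xml() {
  awk -v want="$1" '
    /<key>mount-controls<\/key>/ { in_mc = 1 }
    in_mc && index($0, "<key>" want "</key>") { found = 1; next }
    found && /<string>/ {
      s = $0; sub(/.*<string>/, "", s); sub(/<\/string>.*/, "", s)
      vals = vals " " s
    }
    found && /<\/array>/ { exit }
    END {
      if (vals ~ /deny/) print "deny"
      else if (vals ~ /read-only/) print "read-only"
      else if (vals != "") { sub(/^ /, "", vals); print vals }
      else print "none"
    }'
}

# Count how many Media payloads appear in a profiles dump on stdin; more than one
# means two profiles are fighting over the same setting (the conflict above).
count_media_payloads() {
  grep -c '<key>mount-controls</key>' || true
}

# Map the raw policy to the wording the extension attribute reports.
classify_policy() {
  case "$1" in
    deny)      echo "Blocked" ;;
    read-only) echo "Read-only" ;;
    none)      echo "Not restricted" ;;
    *)         echo "Other: $1" ;;
  esac
}

# Read the managed preference on a real Mac. Path is an assumption; plutil is the
# macOS tool that converts the binary plist to XML for the awk parser above.
read_managed_policy() {
  local plist="${1:-/Library/Managed Preferences/com.apple.systemuiserver.plist}"
  if [ -f "$plist" ]; then
    plutil -convert xml1 -o - "$plist" | usb_policy_from_xml harddisk-external
  else
    echo "none"
  fi
}

# Constructed sample plists, the shape the Media restriction is assumed to write.
SAMPLE_DENY='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>mount-controls</key>
  <dict>
    <key>harddisk-external</key>
    <array>
      <string>deny</string>
      <string>eject</string>
    </array>
  </dict>
</dict>
</plist>'

SAMPLE_READONLY='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>mount-controls</key>
  <dict>
    <key>harddisk-external</key>
    <array>
      <string>read-only</string>
    </array>
  </dict>
</dict>
</plist>'

SAMPLE_UNRESTRICTED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>menuExtras</key>
  <array><string>/System/Library/CoreServices/Menu Extras/Clock.menu</string></array>
</dict>
</plist>'

# Extension attribute body: Jamf reads whatever is inside <result></result>.
main() {
  local policy
  policy=$(read_managed_policy)
  echo "<result>$(classify_policy "$policy")</result>"
}
main
```

Feed `profiles show -output stdout-xml` (run as root) into `count_media_payloads` on a machine that "sometimes" stops being read-only: a count above 1 is the overlapping-profile case, and the fix is the one given above, a single Restrictions profile in scope.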