We've had a request from our security team to restrict access to USB ports on a Mac mini used as a dashboard machine. So far we've removed the kext files below to try to restrict access, but we have only been successful at preventing USB mice from connecting after a restart. If someone is familiar with the other kext files we need to remove to prevent USB keyboard access, it would be much appreciated. Thanks in advance!
mv /System/Library/Extensions/IOUSBMassStorageClass.kext /System/Library/Extensions/IOUSBMassStorageClass.kext.bk
mv /System/Library/Extensions/IOUSBAttachedSCSI.kext /System/Library/Extensions/IOUSBAttachedSCSI.kext.bk
mv /System/Library/Extensions/IOUSBFamily.kext /System/Library/Extensions/IOUSBFamily.kext.bk
mv /System/Library/Extensions/IOUSBHostFamily.kext /System/Library/Extensions/IOUSBHostFamily.kext.bk
mv /System/Library/Extensions/IOUSBMassStorageDriver.kext /System/Library/Extensions/IOUSBMassStorageDriver.kext.bk
mv /System/Library/Extensions/AppleUSBTopCase.kext/Contents/PlugIns/AppleUSBTCKeyboard.kext /System/Library/Extensions/AppleUSBTopCase.kext/Contents/PlugIns/AppleUSBTCKeyboard.kext.bk
Thanks @Person & @Bhughes. I looked at the restrictions configuration profile before, and that was able to block Bluetooth as one of our other requirements, but from what I understand the media section only blocks certain peripherals and not all USB devices?
Thanks @htse, I'll give those two kext files a shot.
I also use the "Restrictions Payload" in a Configuration Profile to lock down access to USB and have had no issues. If you are using the Mac mini as a dashboard, it doesn't need any sort of access, even "AirDrop", to copy files off.
We have all the options unticked, since we have iMacs used as build monitors for developers to monitor Jenkins pipeline jobs, etc.
@janderson1 I hope that if profile 1 has USB access enabled and profile 2 has USB access disabled, but the issue is that there are a number of profiles with the above configuration, so which one will be considered?
So the issue is occurring because of a conflict.
There are a number of profiles like those given below, so the profiles need to be merged.
I found the solution for the USB block -> the restriction compliance should be a single one -> MDM profile allow once impacts the machines -> if there are more configuration profiles, they conflict.
1) Profile 1 -> allowed USB 2) Profile 2 -> blocked USB. It means which one will the Mac accept, so here the restrictions conflict. Validate the older restriction tab, make it one, and push it to end user machines; that worked perfectly.
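The conflict described in the last posts (two profiles scoped to the same Mac that set the same restriction differently) can be checked for before merging. The following is an added example, not part of the original thread: it compares unsigned .mobileconfig plists and reports every setting that two or more profiles define with different values. The sample profiles are constructed; `allowAirDrop` and `allowCamera` stand in for whichever restriction keys your own profiles carry, and `find_conflicts` and `make_profile` are names made up for this example.

```python
import plistlib
from collections import defaultdict

# Keys that describe the payload itself rather than a setting it enforces.
META = {"PayloadType", "PayloadUUID", "PayloadIdentifier", "PayloadVersion",
        "PayloadDisplayName", "PayloadDescription", "PayloadOrganization",
        "PayloadEnabled"}

def find_conflicts(profiles):
    """profiles: {profile name: raw bytes of an unsigned .mobileconfig}.
    Returns {(PayloadType, key): {profile name: value}} for every setting
    that two or more profiles define with different values."""
    seen = defaultdict(dict)
    for name, raw in profiles.items():
        doc = plistlib.loads(raw)
        for payload in doc.get("PayloadContent", []):
            ptype = payload.get("PayloadType", "unknown")
            for key, value in payload.items():
                if key not in META:
                    seen[(ptype, key)][name] = value
    return {setting: by_profile for setting, by_profile in seen.items()
            if len({repr(v) for v in by_profile.values()}) > 1}

def make_profile(display_name, settings):
    """Build a constructed sample profile with one Restrictions payload."""
    payload = dict(settings, PayloadType="com.apple.applicationaccess")
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadDisplayName": display_name,
                           "PayloadContent": [payload]})

# Constructed sample: the two profiles disagree on one setting only.
SAMPLE = {
    "Profile 1": make_profile("Profile 1",
                              {"allowAirDrop": True, "allowCamera": False}),
    "Profile 2": make_profile("Profile 2",
                              {"allowAirDrop": False, "allowCamera": False}),
}

if __name__ == "__main__":
    for (ptype, key), values in find_conflicts(SAMPLE).items():
        print(f"{ptype} / {key}: {values}")
```

Profiles downloaded from an MDM server are often signed and need to be unwrapped to a plain plist before `plistlib` can read them.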