Restrict USB Storage Devices for All Users Except for a Specific Local Admin Account

New Contributor II


I tried to do research about this and was unable to get the information we needed.

At first the requirement is to disable USB storage for all users, and looking at the available options under JSS, we have the "Restriction" payload, but it has a bunch of other stuff that needs to be managed as well even though we don't need it.

So basically, we want to touch ONLY the USB storage restriction, and as per checking, the best way to go is to use the "Custom" payload, but there are other requirements that make this harder for me to configure.

I am hoping someone can help me get this configured properly.

The idea for the setup will be as follows:

  1. Restrict USB storage access on all Macs for ALL users
  2. Allow Authentication to get USB Access available
  3. The Authentication should work ONLY for a Specified Local Admin Account which is created for the USB access purpose only (even if there are other Admin accounts, only 1 will be accepted when used to authenticate).

Please help, your inputs and suggestions are truly appreciated. Thank you! :)

NOTE: I first tried to do my research before posting, which took me 2 weeks, to no avail. I hope I can get more info.


Contributor III

This is complex. I'm sure it can be done, but it will take some creative thinking. I think a way to do it is to have a Self Service app, scoped to a signed-in LDAP/SSO group, that creates a local file, e.g. /tmp/allowUSB, then runs a recon. In your inventory you have an ext attribute that reads this and sets yes/no based on its existence. A smart group would be scoped to this EA value. Your profile to block USB has the smart group as an Exclusion.
So this should, if APNs works, remove the profile and allow USB.
You then need to remove the file and run another inventory to reverse it.

As for only one local admin account, I don't think that's possible, but this is more flexible as it only needs a valid LDAP/SSO account to work and can be used locally and under remote control.
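
An extension attribute script for the workflow described in the reply above, as an added example that is not part of the original thread or Jamf's own code. It assumes the Self Service policy creates the marker as root and that the exemption should lapse after eight hours (both values are assumptions); because /tmp is world-writable, it reports Yes only for a fresh, root-owned regular file rather than for mere existence.

```shell
#!/bin/sh
# Jamf Pro extension attribute (added example, not from the thread).
# Reports "Yes" when a valid USB-exemption marker is present, so a smart
# group on this value can be excluded from the USB-blocking profile.

MARKER="/tmp/allowUSB"   # marker path taken from the reply above
OWNER_UID=0              # assumption: the Self Service policy runs as root
MAX_AGE_MIN=480          # assumption: exemption expires after 8 hours

# usb_exemption_state <marker> <owner-uid> <max-age-minutes>
# Prints "Yes" only if the marker is:
#   - a regular file (find does not follow a symlink given as its
#     argument, so a link planted in /tmp is rejected),
#   - owned by the expected UID (a file a standard user created does
#     not count),
#   - modified less than <max-age-minutes> ago (stale markers expire
#     even if the cleanup policy never ran).
usb_exemption_state() {
    marker=$1
    owner=$2
    max_age=$3
    match=$(find "$marker" -maxdepth 0 -type f -user "$owner" \
                 -mmin "-$max_age" 2>/dev/null)
    if [ -n "$match" ]; then
        echo "Yes"
    else
        echo "No"
    fi
}

# Jamf reads the extension attribute value from the <result> tags.
echo "<result>$(usb_exemption_state "$MARKER" "$OWNER_UID" "$MAX_AGE_MIN")</result>"
```

If a standard user pre-creates the marker before the policy runs, it stays user-owned and the check fails closed; a marker path outside /tmp in a root-only directory avoids that race entirely.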

New Contributor II

@marklamont Thank you for the response, I appreciate it.

May I also ask, do you know how to mimic the restriction payload for the storage media, specifically for external storage with authentication checked?

I plan to use the custom payload and apply the external USB media restriction with authentication enabled. Thank you! :)

Honored Contributor

I have not tested this in years so no idea if this still even works, but at one point macOS did allow local admin to override management settings. I know it has existed post MCX and during MDM, but I have no idea how viable or supported it is now. I think Admins can log in and hold shift down to bypass management, which technically might allow them to bypass USB media restrictions.

New Contributor II

@tlarkin I'll definitely try that one. Thank you! :)