Restricting USB Storage from all users

jcentineo
New Contributor

We are looking to restrict the use of all USB external storage for our users. I made a Configuration Profile with a Restriction payload that has all types of hard disk media access unchecked. On the Macs that are in the scope, the policy only works for those with standard level access, admins can still use USB drives. Is there a way to have it apply to the machine as a whole, regardless of the user level?

1 ACCEPTED SOLUTION

seanjsgallagher
Contributor

We needed to do the same at my place. I used a configuration profile and checked the boxes for Allow and Read only. This has worked for us, and all of my users are admins and cannot write to any removable media.
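Added example, not from this thread: a small Python audit of what the Restrictions payload's media settings actually deliver to a Mac. It assumes the payload lands in the managed preference domain com.apple.systemuiserver under the key mount-controls, with harddisk-external holding a list of controls such as read-only, authenticate or deny (the keys Apple documents for that payload); the sample plists are constructed here.

```python
import plistlib
from pathlib import Path

# Where macOS stores preferences delivered by a configuration profile.
MANAGED_PREFS = Path("/Library/Managed Preferences/com.apple.systemuiserver.plist")


def classify_external_disks(plist_bytes: bytes) -> str:
    """Summarise what mount-controls says about external hard disks (USB storage)."""
    prefs = plistlib.loads(plist_bytes)
    rules = set(prefs.get("mount-controls", {}).get("harddisk-external", []))
    if not rules:
        # Key absent or empty: macOS applies no restriction for any user.
        return "unrestricted"
    if "deny" in rules:
        return "denied"
    if "read-only" in rules:
        # The accepted answer's setting: every user, admins included, can read but not write.
        return "read-only"
    if "authenticate" in rules:
        # Mounting prompts for admin credentials, so admins can still write.
        return "authenticate (admins can still write)"
    return "mount allowed with " + ", ".join(sorted(rules))


def audit(path=MANAGED_PREFS) -> str:
    """Read the live managed preference on a Mac; report when no profile is present."""
    path = Path(path)
    if not path.exists():
        return "no managed preference found: no restriction profile is applied"
    return classify_external_disks(path.read_bytes())


def _sample(controls: dict) -> bytes:
    """Constructed plist in the shape a Restrictions payload produces (assumed layout)."""
    return plistlib.dumps({"mount-controls": controls})


# Constructed samples: the accepted answer's setting, a profile that restricts
# nothing, and the authenticate-only case where admins keep write access.
SAMPLE_READ_ONLY = _sample({"harddisk-external": ["read-only"]})
SAMPLE_UNRESTRICTED = _sample({})
SAMPLE_AUTHENTICATE = _sample({"harddisk-external": ["authenticate"]})

if __name__ == "__main__":
    for name, blob in (("read-only", SAMPLE_READ_ONLY), ("unrestricted", SAMPLE_UNRESTRICTED),
                       ("authenticate", SAMPLE_AUTHENTICATE)):
        print(f"sample {name}: {classify_external_disks(blob)}")
    print("this Mac:", audit())
```

Run it on a scoped Mac after the profile installs; anything other than "read-only" or "denied" means admins can still write to USB storage.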


6 REPLIES

jared_f
Valued Contributor

I use this AppleScript, which I found a while back, for personal use. I created it as an application on my dock so when I have to run from my desk and I have external drives connected to my desktop, I can quickly eject them without having to drag each one to the trash. You could somehow use this as a policy (sort of like restricted software). Hope this helps.

tell application "Finder" to eject (every disk whose ejectable is true and local volume is true and free space is not equal to 0)

jcentineo
New Contributor

@Seangallagher I thought that by unchecking Allow it would then be denied. I checked the options just as you showed, and it works perfectly now. Thanks!

mani2care
Contributor

I tried it and it worked one time, but after a reboot it is still the same: able to access the USB. I do not know if it works well, and sometimes it is blocking as read-only.

Mack-OODA
New Contributor II

I found another way: using a LaunchDaemon and an osascript command.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/usr/local/sbin:/Library/Apple/usr/bin:/Applications/Privileges.app/Contents/Resources</string>
    </dict>
    <key>KeepAlive</key>
    <dict>
        <key>Crashed</key>
        <true/>
        <key>SuccessfulExit</key>
        <true/>
    </dict>
    <key>Label</key>
    <string>Unmount USB</string>
    <key>ProcessType</key>
    <string>Background</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>-e</string>
        <string>tell application "Finder" to eject (every disk whose ejectable is true)</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>10</integer>
    <key>StartOnMount</key>
    <true/>
    <key>ThrottleInterval</key>
    <integer>5</integer>
</dict>
</plist>

sgiesbrecht
Contributor III

@Mack-OODA I am fairly new to the LaunchDaemon side. How would I get this set up?