Posted on 01-20-2017 12:15 PM
We are looking to restrict the use of all USB external storage for our users. I made a Configuration Profile with a Restriction payload that has all types of hard disk media access unchecked. On the Macs that are in the scope, the policy only works for those with standard-level access; admins can still use USB drives. Is there a way to have it apply to the machine as a whole, regardless of the user level?
Posted on 01-23-2017 10:20 AM
We needed to do the same at my place. I used a configuration profile and checked the boxes for Allow and read only. This has worked for us and all of my users are admins and cannot write to any removable media.
Posted on 01-21-2017 09:38 AM
I use this AppleScript which I found a while back for personal use. I created it as an application on my dock so when I have to run from my desk and I have external drives connected to my desktop I can quickly eject them without having to drag each one to the trash. You could somehow use this as a policy (sorta like restricted software). Hope this helps.
tell application "Finder" to eject (every disk whose ejectable is true and local volume is true and free space is not equal to 0)
Posted on 02-15-2017 09:46 AM
@Seangallagher I thought by unchecking allow that would then mean it would be denied. I checked the options just as you showed and it works perfectly now. Thanks!
Posted on 08-28-2019 08:56 AM
I tried it and it worked one time, and after reboot it is still the same, able to access the USB. I do not know if it works well, and sometimes it is blocking as read-only.
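One way to check on a given Mac whether the read-only restriction discussed in this thread is actually in effect, for example after a reboot. This is an added example, not code from any poster or from Jamf. The function names and the sample volumes are constructed for illustration, and the check reads the `Internal`, `MountPoint` and `WritableVolume` keys of `diskutil info -plist` output.

```python
import plistlib
import subprocess
import sys


def writable_external(info_plists):
    """Return (device, volume, bus) for every mounted external volume that is writable."""
    findings = []
    for raw in info_plists:
        info = plistlib.loads(raw)
        if info.get("Internal", False):       # a missing key is treated as external
            continue
        if not info.get("MountPoint"):        # not mounted, nothing to write to
            continue
        if info.get("WritableVolume", True):  # a missing key is treated as writable
            findings.append((info.get("DeviceIdentifier", "?"),
                             info.get("VolumeName", ""),
                             info.get("BusProtocol", "")))
    return findings


def collect_live():
    """macOS only: `diskutil info -plist` output for each external disk and partition."""
    listing = plistlib.loads(
        subprocess.check_output(["/usr/sbin/diskutil", "list", "-plist", "external"]))
    return [subprocess.check_output(["/usr/sbin/diskutil", "info", "-plist", dev])
            for dev in listing.get("AllDisks", [])]


def _constructed(dev, name, bus, internal, mount, writable):
    # Constructed sample input, trimmed to the keys the check reads.
    return plistlib.dumps({"DeviceIdentifier": dev, "VolumeName": name,
                           "BusProtocol": bus, "Internal": internal,
                           "MountPoint": mount, "WritableVolume": writable})


SAMPLES = [
    _constructed("disk1s1", "Macintosh HD", "PCI-Express", True, "/", True),
    _constructed("disk2s1", "BACKUP", "USB", False, "/Volumes/BACKUP", False),
    _constructed("disk3s1", "STICK", "USB", False, "/Volumes/STICK", True),
    _constructed("disk4s1", "", "USB", False, "", True),  # present but not mounted
]

if __name__ == "__main__":
    plists = collect_live() if sys.platform == "darwin" else SAMPLES
    bad = writable_external(plists)
    for dev, name, bus in bad:
        print(f"NON-COMPLIANT: {dev} ({name}, {bus}) is mounted writable")
    sys.exit(1 if bad else 0)
```

The non-zero exit status on a writable external volume lets the script be used as a periodic compliance check rather than relying on a one-time manual test.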
Posted on 05-12-2021 07:28 AM
I found another way - using a LaunchDaemon and an osascript command.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/usr/local/sbin:/Library/Apple/usr/bin:/Applications/Privileges.app/Contents/Resources</string>
    </dict>
    <key>KeepAlive</key>
    <dict>
        <key>Crashed</key>
        <true/>
        <key>SuccessfulExit</key>
        <true/>
    </dict>
    <key>Label</key>
    <string>Unmount USB</string>
    <key>ProcessType</key>
    <string>Background</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>-e</string>
        <string>tell application "Finder" to eject (every disk whose ejectable is true)</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>10</integer>
    <key>StartOnMount</key>
    <true/>
    <key>ThrottleInterval</key>
    <integer>5</integer>
</dict>
</plist>
Posted on 01-26-2022 11:38 AM
@Mack-OODA I am fairly new to the LaunchDaemon side. How would I get this set up?