Restrictions Hard Disk Media Access

jimmy-swings
Contributor II

I've been playing around with various restriction options with media. Selecting the option Require Authentication prompts the user to enter admin credentials in order to mount media. I've also found that a standard user gets prompted to mount the EFI volume.

Can anyone share their experience with media restrictions and maybe the options they use in a standard user environment?


AVmcclint
Honored Contributor

My nightmare experience with restricting media involved checking the box for Internal Media as Read-only. This meant that the EFI partition became read-only to the OS and caused kernel panics when waking FileVault Macs from sleep. This was a royal pain for me for about 9 months until I realized that one checkbox caused the whole thing. I would suggest not modifying the settings for Internal Media because it will have unintended results like getting prompted to mount the EFI partition.

Limiting access to external media works fine for me. I have a separate Config Profile built just for this purpose because there are times when a user could have a legit reason to write to a USB stick and it's easy enough for me to remove the config profile, reboot, and let them do what they need to, then re-add it when they are done.

davegfmg17
New Contributor

Is this config profile available to be shared here? I'd like to be able to try it out.

sdagley
Esteemed Contributor II

@AVmcclint Did you create a Configuration Profile that was limited to just restricting Media, specifically harddisk-external to read-only? If so, could you share that process? And/Or the profile itself?

I know I've seen a discussion on this in the past, but at the time it wasn't something I ever thought I'd need, and now I haven't been able to re-find the discussion. This thread popped up as a suggestion when I went to create a new discussion topic asking about it though.

AVmcclint
Honored Contributor

Here is the config profile I made for restricting media. There's nothing else in the payload other than what you see here.

sdagley
Esteemed Contributor II

@AVmcclint Unfortunately if you're using the Jamf GUI to build your Configuration Profile with a Restrictions payload, then every Restrictions configuration setting will be applied. What I'm looking for is a way to set only the Media part of the Restrictions payload.

sshort
Valued Contributor

@sdagley You can use ProfileCreator to craft the specific media restrictions you want, then upload to Jamf as a custom mobileconfig.


sdagley
Esteemed Contributor II

@sshort Thanks! I think ProfileCreator was the tool I'd seen discussed before, and it definitely does what I wanted. Just make sure to sign the .mobileconfig it creates otherwise Jamf Pro will mangle it.
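For readers who would rather not depend on ProfileCreator, here is an added example (my own code, not from the thread, Jamf or Apple) that builds a .mobileconfig carrying only the media part of the Restrictions payload, checks that no other restriction key rode along, and prints the `security cms` command to sign it before upload. It assumes the media settings live in a `com.apple.systemuiserver` payload under the key `mount-controls`, with media classes such as `harddisk-external` and control values `read-only`, `authenticate`, `deny` and `eject`; verify those names against Apple's configuration profile reference for your macOS version. The organisation, display name and signing identity are placeholders. Internal disks are deliberately left untouched unless you set them, given the kernel panics described above.

```python
"""Build a media-only macOS Restrictions profile and verify nothing else is in it.

Added example, not code from the thread, Jamf or Apple.  Assumptions (check
against Apple's profile reference for your OS version):
  * media settings sit in a payload of type com.apple.systemuiserver under
    the key "mount-controls";
  * media classes are keys such as "harddisk-external", "harddisk-internal",
    "disk-image", "dvd", "cd";
  * each value is an array of strings from read-only/authenticate/deny/eject.
Organisation, display name and signing identity below are placeholders.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.systemuiserver"          # assumed carrier of mount-controls
ALLOWED_VALUES = {"read-only", "authenticate", "deny", "eject"}
MEDIA_KEYS = {"harddisk-external", "harddisk-internal", "disk-image",
              "dvd", "cd", "blankcd", "blankdvd", "dvdram", "bd"}


def build_media_profile(controls, org="example.org", name="Restriction (USB read-only)"):
    """Return an XML plist (bytes) holding a single mount-controls payload.

    `controls` maps media class -> list of control strings, for example
    {"harddisk-external": ["read-only"]}.  Unknown classes or values raise,
    so a typo cannot silently turn into "no restriction".
    """
    for key, values in controls.items():
        if key not in MEDIA_KEYS:
            raise ValueError(f"unknown media class {key!r}")
        bad = set(values) - ALLOWED_VALUES
        if bad:
            raise ValueError(f"unknown control value(s) {sorted(bad)} for {key}")
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": f"{org}.media.mountcontrols",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Media access",
        "mount-controls": {k: list(v) for k, v in controls.items()},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{org}.media",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def extra_settings(profile_bytes):
    """Every non-Payload* key found in any payload of the profile.

    For a media-only profile this must be exactly ["mount-controls"]; anything
    else means a full Restrictions payload got in (the problem with building
    it in the Jamf GUI).
    """
    prof = plistlib.loads(profile_bytes)
    found = [k for p in prof.get("PayloadContent", []) for k in p
             if not k.startswith("Payload")]
    return sorted(found)


def mount_controls_of(profile_bytes):
    """The mount-controls dict of the first payload, for inspection."""
    prof = plistlib.loads(profile_bytes)
    return prof["PayloadContent"][0].get("mount-controls", {})


def sign_command(identity, unsigned, signed):
    """Command line that CMS-signs the profile with a certificate from the
    login keychain so Jamf Pro does not rewrite it on upload.  `identity` is
    the certificate's common name (placeholder).  Run it on the Mac itself."""
    return ["security", "cms", "-S", "-N", identity, "-i", unsigned, "-o", signed]


if __name__ == "__main__":
    data = build_media_profile({"harddisk-external": ["read-only"]})
    with open("media-readonly.mobileconfig", "wb") as fh:
        fh.write(data)
    print("non-Payload keys:", extra_settings(data))
    print(" ".join(sign_command("Profile Signing Cert",
                                "media-readonly.mobileconfig",
                                "media-readonly-signed.mobileconfig")))
```

Run it on any machine with Python 3 to produce the unsigned profile, then sign on a Mac with the printed `security cms` command and upload the signed file to Jamf Pro as a custom profile. `extra_settings` is the check to run on any .mobileconfig you did not build yourself before deploying it.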

mani2care
Contributor

Not working. Once blocked, after a reboot it is working again.
Not blocking the USB.

AVmcclint
Honored Contributor

@mani2care You're setting Internal disks to Read-Only. This is what caused all our kernel panics. You may want to re-evaluate that choice on yours.

martinking
New Contributor

@AVmcclint Is there a way to limit write access to external drives/pen drives/USB sticks by checking if they are encrypted?

MatG
Contributor III

@martinking we were asked to limit access with enforced encryption but could not find a solution. I approached our Apple Engineer and with enough coding and possibly a 3rd party tool it could be possible!

mani2care
Contributor

@AVmcclint I observed the issue because of a profile conflict:
Profile 1, USB blocked.
Profile 2, USB not blocked.

Running 2 profiles at the same time, which one will work? I observed them conflicting:
one time it will be blocked, after another reboot it will not be blocked.

Any solution for this?

AVmcclint
Honored Contributor

If you have 2 separate profiles for managing your disk access on the same machines, I think your solution is to unify them into a single profile.

JJL
New Contributor

Sorry to be resurrecting an old thread. @mani2care, we're doing something similar and running into the described issue, "undefined response", aka some users are blocked from access while others are not.

@AVmcclint Previously we had a single Restrictions Config Profile that dealt with iCloud lockdown. Recently our SEC team has asked us to lock down USB drives "External Drives" completely.

Iteration 1 - disallow External Disks on our main restriction config profile "Restrictions iCloud".
Outcome - chaos: several users were in exception groups to grant iCloud access, so now they are also exempt from the USB lockout. Then there were strange cases of users' data being auto-migrated to the iCloud container when it was disallowed on their machines; none of this appeared in testing.

Iteration 2 - allow External Disks on the "Restrictions iCloud" config profile (CP), create a 2nd CP "Restriction(USB)" that disallows access, and a 3rd CP "Restriction(USB)(Read-Only)" that allows read-only. Apply the 1st and 2nd to all users, then based on requirements or approvals exclude users from the 2nd and add them to the 3rd, and if a reason arises for someone to have full access (plus approval) exclude them from the 3rd as well.
Outcome - better than chaos; in fact it appears to work. However, in testing we discovered that adding sanctions requires a reboot, while lifting sanctions does not. Then we wondered if this was a result of the iCloud policy still marking External as "Allow", conflicting with the "Restriction(USB)" disallow policy.

Which leads us to Iteration 3 - same as above, but disable External Storage completely in the iCloud policy (even though it's checked by default in config profiles where restrictions have been "configured", even if that means the admin just clicked the button but made no other changes). That led me to check all our config profiles to confirm there were no other conflicts.

I guess what I'm getting at is: while multiple policies affecting the same machine may duke it out for supremacy, what happens if we tailor it so most users get column a+b while a few get just b, or a+c, or just a, but nobody gets b and c together? And if a has no configuration to compete with, it should work, right?

I'll report back :)

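The "one reboot blocks, the next doesn't" behaviour mani2care and JJL describe is what you get when two installed profiles set the same media class to different values. Rather than reasoning about which profile wins, you can list what is actually installed and look for overlaps. The script below is an added example (my own code, not from the thread, Jamf or Apple). It reads the XML plist that `sudo profiles show -type configuration -output stdout-xml` prints on macOS and reports every media class that more than one profile sets. The assumed shape of that output (a dict keyed by `_computerlevel` or a user name, each holding profile dicts with `ProfileDisplayName`, `ProfileIdentifier` and `ProfileItems`, where each item has `PayloadType` and `PayloadContent`) is what I have seen on recent macOS; check it against your own output. The media settings are assumed to live in a `com.apple.systemuiserver` item under `mount-controls`. `SAMPLE_PROFILES` is constructed for the example and mirrors the two-profile clash in the thread, not a captured dump.

```python
"""Audit installed configuration profiles for overlapping mount-controls.

Added example, not code from the thread, Jamf or Apple.  Input is the XML
plist from `sudo profiles show -type configuration -output stdout-xml`.
Assumed shape (verify against your own output): top-level dict keyed by
"_computerlevel" or user name -> list of profile dicts, each with
"ProfileDisplayName", "ProfileIdentifier", "ProfileItems"; each item has
"PayloadType" and "PayloadContent" (the payload's own keys).  Media settings
are assumed to be in a com.apple.systemuiserver item under "mount-controls".
SAMPLE_PROFILES is constructed, not captured.
"""
import plistlib
import subprocess
import sys

PAYLOAD_TYPE = "com.apple.systemuiserver"   # assumed carrier of mount-controls

# Constructed sample: an iCloud restrictions profile that also sets external
# disks to read-only, and a separate USB profile that sets them to deny.
SAMPLE_PROFILES = plistlib.dumps({
    "_computerlevel": [
        {"ProfileDisplayName": "Restrictions iCloud",
         "ProfileIdentifier": "org.example.restrictions.icloud",
         "ProfileItems": [
             {"PayloadType": "com.apple.applicationaccess",
              "PayloadContent": {"allowCloudDocumentSync": False}},
             {"PayloadType": PAYLOAD_TYPE,
              "PayloadContent": {"mount-controls": {"harddisk-external": ["read-only"]}}},
         ]},
        {"ProfileDisplayName": "Restriction(USB)",
         "ProfileIdentifier": "org.example.restrictions.usb",
         "ProfileItems": [
             {"PayloadType": PAYLOAD_TYPE,
              "PayloadContent": {"mount-controls": {"harddisk-external": ["deny", "eject"],
                                                    "disk-image": ["deny"]}}},
         ]},
        {"ProfileDisplayName": "Wi-Fi",
         "ProfileIdentifier": "org.example.wifi",
         "ProfileItems": [{"PayloadType": "com.apple.wifi.managed",
                           "PayloadContent": {"SSID_STR": "corp"}}]},
    ]
})


def media_settings(profiles_plist):
    """Map media class -> [(level:profile name, [controls]), ...] across all
    profiles at every level (computer and per-user)."""
    tree = plistlib.loads(profiles_plist)
    out = {}
    for level, profiles in tree.items():
        for prof in profiles:
            name = prof.get("ProfileDisplayName") or prof.get("ProfileIdentifier", "?")
            for item in prof.get("ProfileItems", []):
                if item.get("PayloadType") != PAYLOAD_TYPE:
                    continue
                controls = item.get("PayloadContent", {}).get("mount-controls", {})
                for media, values in controls.items():
                    out.setdefault(media, []).append((f"{level}:{name}", list(values)))
    return out


def conflicts(settings):
    """Media classes set by more than one profile.

    Differing values mean the effective setting depends on which profile
    loads last (the reboot-to-reboot flip in the thread); identical values
    are merely redundant but still worth folding into one profile.
    """
    result = {}
    for media, entries in settings.items():
        if len(entries) < 2:
            continue
        distinct = {tuple(v) for _, v in entries}
        result[media] = {"profiles": [p for p, _ in entries],
                         "distinct_values": len(distinct)}
    return result


def load_installed():
    """Run profiles(8) on a Mac; needs root, so run the script with sudo."""
    cmd = ["profiles", "show", "-type", "configuration", "-output", "stdout-xml"]
    return subprocess.run(cmd, check=True, capture_output=True).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # saved dump passed as a file
        data = open(sys.argv[1], "rb").read()
    elif sys.platform == "darwin":
        data = load_installed()
    else:
        data = SAMPLE_PROFILES
    for media, info in conflicts(media_settings(data)).items():
        tag = "CONFLICT" if info["distinct_values"] > 1 else "duplicate"
        print(f"{tag}: {media} set by {', '.join(info['profiles'])}")
```

On the constructed sample the script reports `harddisk-external` as a conflict (read-only versus deny/eject across two profiles) and says nothing about `disk-image`, which only one profile sets. Run it with sudo on a test Mac, or feed it a saved dump as the first argument, before and after consolidating the profiles.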

RLR
Valued Contributor

We're being asked to remove the auto-run feature from usbs/cd/dvds but I can't seem to find this feature on MAC OS or Jamf. Anyone know where I might find this setting (if possible)?