Posted on 04-10-2017 03:44 AM
I've been playing around with various restriction options with media. Selecting the option Require Authentication prompts the user to enter admin credentials in order to mount media. I've also found that a standard user gets prompted to mount the EFI volume.
Can anyone share their experience with media restrictions and maybe the options they use in a standard user environment?
Posted on 04-10-2017 05:27 AM
My nightmare experience with restricting media involved checking the box for Internal Media as Read-only. This meant that the EFI partition became read-only to the OS and caused kernel panics when waking FileVault Macs from sleep. This was a royal pain for me for about 9 months until I realized that one checkbox caused the whole thing. I would suggest not modifying the settings for Internal Media because it will have unintended results like getting prompted to mount the EFI partition.
Limiting access to external media works fine for me. I have a separate Config Profile built just for this purpose because there are times when a user could have a legit reason to write to a USB stick and it's easy enough for me to remove the config profile, reboot, and let them do what they need to, then re-add it when they are done.
Posted on 01-29-2018 12:32 PM
Is this config profile available to be shared here? I'd like to be able to try it out.
Posted on 02-03-2019 05:47 PM
@AVmcclint Did you create a Configuration Profile that was limited to just restricting Media, specifically harddisk-external to read-only? If so, could you share that process? And/Or the profile itself?
I know I've seen a discussion on this in the past, but at the time it wasn't something I ever thought I'd need, and now I haven't been able to re-find the discussion. This thread popped up as a suggestion when I went to create a new discussion topic asking about it though.
Posted on 02-04-2019 03:47 AM
Here is the config profile I made for restricting media. There's nothing else in the payload other than what you see here.
Posted on 02-04-2019 07:29 AM
@AVmcclint Unfortunately if you're using the Jamf GUI to build your Configuration Profile with a Restrictions payload, then every Restrictions configuration setting will be applied. What I'm looking for is a way to set only the Media part of the Restrictions payload.
Posted on 02-04-2019 07:54 AM
@sdagley You can use ProfileCreator to craft the specific media restrictions you want, then upload to Jamf as a custom mobileconfig.
Posted on 02-04-2019 08:39 AM
@sshort Thanks! I think ProfileCreator was the tool I'd seen discussed before, and it definitely does what I wanted. Just make sure to sign the .mobileconfig it creates otherwise Jamf Pro will mangle it.
Posted on 08-28-2019 09:10 AM
Not working: once blocked, after a reboot it's working again.
Not blocking the USB.
Posted on 08-28-2019 09:57 AM
@mani2care You're setting Internal disks to Read-Only. This is what caused all our kernel panics. You may want to re-evaluate that choice on yours.
Posted on 09-02-2019 07:40 AM
@AVmcclint Is there a way to limit write access to external drives/pen drives/USB sticks by checking if they are encrypted?
Posted on 10-17-2019 07:27 AM
@martinking we were asked to limit access with enforced encryption but could not find a solution. I approached our Apple Engineer and with enough coding and possibly a 3rd party tool it could be possible!
Posted on 11-21-2019 03:23 AM
@AVmcclint I observed an issue because of a profile conflict.
Profile 1, USB blocked.
Profile 2, USB not blocked.
Running 2 profiles at the same time, which one will work? I observed it's conflicting.
One time it will be blocked, after another reboot it will not be blocked.
Any solution for this?
Posted on 11-21-2019 06:08 AM
If you have 2 separate profiles for managing your disk access on the same machines, I think your solution is to unify them into a single profile.
Posted on 09-22-2020 01:02 PM
Sorry to be ressing an old thread, @mani2care we're doing something similar. And running into the described issue, "undefined response" aka some users are blocked from access while others are not.
@AVmcclint Previously we had a single Restrictions Config Profile that dealt with iCloud lockdown. Recently our SEC team has asked us to lock down USB drives "External Drives" completely.
Iteration 1 - disallow External Disks on our main restriction config profile "Restrictions iCloud"
Outcome - chaos, several users were in exception groups to grant iCloud access, now they are also exempt from USB lockout. Then strange cases of users' data being auto migrated to the iCloud container when it was disallowed on their machines, none of this appeared in testing.
Iteration 2 - Allow External Disks on "Restrictions iCloud" config profile (CP), create 2nd CP "Restriction(USB)" disallow access, create 3rd CP "Restriction(USB)(Read-Only)" allow read-only. Apply the 1st and 2nd to all users, then based off requirements or approvals exclude users from the 2nd and add them to the 3rd, and if reason arises for someone to have full access + approval exclude them from the 3rd as well.
Outcome - better than chaos, in fact it appears to work. However in testing we discovered that adding sanctions requires a reboot, while lifting sanctions does not. Then we wondered if this was a result of the iCloud policy still marking External as "Allow" conflicting with the "RestrictionUSB" disallow policy.
Which leads us to Iteration 3 - same as above but disable External Storage completely in the iCloud policy (even though it's checked by default in config profiles where restrictions have been "configured", even if that means the admin just clicked the button but made no other changes). Which led me to check all our config profiles to confirm there were no other conflicts.
I guess what I'm getting at is while multiple policies affecting the same machine may duke it out for supremacy, what happens if we try to tailor it, so most users get column a+b while a few get just b or a+c or just a, but nobody gets b and c together, and if a has no configuration to compete with, it should work, right?
I'll report back :)
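Two questions in this thread, a profile that carries only the Media part of the Restrictions payload (@sdagley's question and @sshort's ProfileCreator answer) and the "blocked after one reboot, not after the next" symptom @mani2care and the poster above hit when two profiles set the same media key, can both be worked through with a small script. The following is an added example, not code from the thread, from Jamf or from ProfileCreator. It assumes the payload structure Jamf and ProfileCreator emit for the Media section: a `com.apple.systemuiserver` payload holding a `mount-controls` dictionary whose values are arrays of strings such as `deny`, `read-only` or `authenticate`; compare it against a profile exported from your own Jamf instance before relying on it. The identifiers under `com.example` are placeholders, and treating an empty array as "allow" is an assumption.

```python
"""Added example (not from the thread, Jamf or ProfileCreator): build a
media-only Restrictions profile and flag mount-controls conflicts between
several profiles that may land on the same Mac.

Assumption: the Media section of the Restrictions payload is a
com.apple.systemuiserver payload with a `mount-controls` dictionary whose
values are arrays of strings (e.g. "deny", "read-only", "authenticate").
Verify against a profile exported from your own Jamf Pro before use.
"""
import plistlib
import uuid

MEDIA_PAYLOAD_TYPE = "com.apple.systemuiserver"


def build_media_profile(mount_controls, display_name, org="Example Org"):
    """Return .mobileconfig bytes (XML plist) containing ONLY a mount-controls
    dictionary, so no other Restrictions setting is touched.
    mount_controls example: {"harddisk-external": ["read-only"]}."""
    payload_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()
    profile = {
        "PayloadContent": [
            {
                "PayloadType": MEDIA_PAYLOAD_TYPE,
                "PayloadVersion": 1,
                # placeholder identifier, replace with your own reverse-DNS prefix
                "PayloadIdentifier": f"com.example.media.{payload_uuid}",
                "PayloadUUID": payload_uuid,
                "PayloadDisplayName": "Media restrictions",
                "mount-controls": {k: list(v) for k, v in mount_controls.items()},
            }
        ],
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": f"com.example.media.{profile_uuid}",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    }
    return plistlib.dumps(profile)


def payload_types(mobileconfig_bytes):
    """List the PayloadType of every payload in a profile (handy to confirm a
    profile really carries nothing but the media payload)."""
    data = plistlib.loads(mobileconfig_bytes)
    return [p.get("PayloadType") for p in data.get("PayloadContent", [])]


def extract_mount_controls(mobileconfig_bytes):
    """Collect every mount-controls key a profile sets. A profile may carry
    more than one systemuiserver payload; later ones override earlier ones."""
    data = plistlib.loads(mobileconfig_bytes)
    controls = {}
    for payload in data.get("PayloadContent", []):
        if payload.get("PayloadType") == MEDIA_PAYLOAD_TYPE:
            for key, value in payload.get("mount-controls", {}).items():
                # An empty array is assumed to mean "allow"; it is still a
                # setting, so it conflicts with a "deny" from another profile.
                controls[key] = tuple(value)
    return controls


def find_conflicts(profiles):
    """profiles: {profile_name: mobileconfig_bytes}.
    Returns {media_key: {profile_name: setting}} for each media key that two or
    more profiles set to different values. Which value wins when profiles
    disagree is not defined, which matches the on-again/off-again behaviour
    across reboots described in the thread."""
    per_key = {}
    for name, blob in profiles.items():
        for key, setting in extract_mount_controls(blob).items():
            per_key.setdefault(key, {})[name] = setting
    return {k: v for k, v in per_key.items() if len(set(v.values())) > 1}


if __name__ == "__main__":
    # Constructed sample: the three-profile layout from the thread.
    deny = build_media_profile({"harddisk-external": ["deny"]}, "Restriction(USB)")
    ro = build_media_profile({"harddisk-external": ["read-only"]},
                             "Restriction(USB)(Read-Only)")
    other = build_media_profile({"dvd": ["authenticate"]}, "Media (DVD)")
    print(payload_types(deny))                       # ['com.apple.systemuiserver']
    print(find_conflicts({"deny": deny, "ro": ro, "other": other}))
```

Scope only one of the conflicting profiles to a given Mac and the conflict dictionary comes back empty; the `dvd` profile never appears in it because no other profile sets that key. Remember to sign the generated .mobileconfig before uploading it, as noted earlier in the thread.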
Posted on 02-25-2021 05:00 AM
We're being asked to remove the auto-run feature from USBs/CDs/DVDs but I can't seem to find this feature on macOS or Jamf. Anyone know where I might find this setting (if possible)?