SDCard Slot Lockdown/Lock?

Matt
Valued Contributor

Can anyone give me some good advice on how to handle locking down the SD card slot?

8 REPLIES

dgreening
Valued Contributor II

Don't suppose you use Sophos? If so you can do it via the Device Control settings.

Matt
Valued Contributor

No, it needs to be done using the JSS, so either CP, MCX, or scripted.

davidacland
Honored Contributor II

Prior to 10.11 you could disable hardware elements by removing their kext files. It was a bit of a hack and possible for someone to work around if they knew what had been done and had admin rights, but it worked.

10.11 protects that kind of stuff so I've only been able to achieve it with tools like Sophos device control or endpoint protector.

That being said, you can restrict removable media via a config profile in Restrictions > Media > External Disks. Not sure if it would be sufficient but that's the only option I can think of.

Matt
Valued Contributor

Apple labels the SD Card as an Internal Storage Device as opposed to Removable Media (REALLY GUYS!!!!). The only way to do this via CP is to disable Internal Storage. We don't use secondary drives so we enabled it. I told our Apple Corp. Rep about this and he forwarded it to the OS team. Seems like a stupid oversight with huge management side effects.

Matt
Valued Contributor

Any other options? People here must be blocking this!!! Our kext blocking was working fine until Mavericks, and with the changes in KEXT management in El Cap, what options exist? Blocking the internal media via Configuration Policy blocks the SD reader but also makes some of our machines boot to Prohibitory or ? Folders. Please, any help on this; we are being dinged hard on our audit because of this. It seems crazy to me that this SD Card reader is like an evil unicorn.

CypherCookie
Contributor

I got around it by creating a custom script and launch agent.

They both sit at the computer level, and essentially check if the user is an admin or not. If they aren't, the SD card will automatically unmount forcefully.

That's the best method I have been able to come up with without going down the route of purchasing a 3rd party app to do it for me.
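
One way to implement the check described in the post above, as an added example (not CypherCookie's actual script): a shell script for a launchd job to run on mount or on a short interval. It assumes the built-in reader reports `Protocol: Secure Digital` in `diskutil info`; the function names and the `sdcard-block` log tag are made up for this example.

```shell
#!/bin/sh
# Added example: force-unmount SD cards unless the console user is an admin.
# Meant to be started by a launchd job (plist not shown, hypothetical).

# Read `diskutil list` text on stdin and print each whole-disk node once.
whole_disks() {
    sed -n 's|^\(/dev/disk[0-9][0-9]*\).*|\1|p' | sort -u
}

# Read `diskutil info` text on stdin; succeed if the device is on the
# built-in SD reader. Assumption: that reader reports the protocol
# "Secure Digital". Readers wired internally over USB report "USB"
# instead and need a different match (for example on the media name).
is_sd_reader() {
    grep -Eq '^[[:space:]]*Protocol:[[:space:]]+Secure Digital[[:space:]]*$'
}

# Succeed if user $1 is a member of the local admin group.
is_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Unmount every SD card volume when the console user is not an admin.
enforce() {
    user=$(stat -f%Su /dev/console)
    if is_admin "$user"; then
        return 0
    fi
    diskutil list | whole_disks | while read -r disk; do
        if diskutil info "$disk" | is_sd_reader; then
            diskutil unmountDisk force "$disk"
            # Leave a trail in the system log for the audit.
            logger -t sdcard-block "unmounted $disk for non-admin user $user"
        fi
    done
}

# Only act on a Mac; elsewhere the functions above are just defined.
if command -v diskutil >/dev/null 2>&1; then
    enforce
fi
```

This only unmounts volumes after they appear, so the card is briefly mounted before the job runs; it does not disable the reader itself.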

bpavlov
Honored Contributor

This is dirty but I've heard of people putting krazy glue in ports they want to block off. This ruins the aesthetics, but....

CypherCookie
Contributor

Yup, I suggested the exact same idea and the looks of horror....