Temporarily Enable USB for help desk support

user-FrOBUCXKms
New Contributor

We use the JAMF capability to disable the external USB write capability - the user can load and read, but not write - similar to here => https://www.jamf.com/jamf-nation/discussions/30979/disable-usb-storage-access

However, when a deskside technician is on a machine helping a user in person, that is exactly what we need to do, write to the USB drive they carry for logs, etc, sometimes a ton of data to take back and evaluate.

Is there a JAMF command we can execute or script we can write that enables USB writing immediately in that session, and then we can either turn back off or reboot and it resets it back to normal operation?

I'm getting requests from my deskside techs to provide this, and we're not sure how to do that other than a laborious process.

4 REPLIES 4

sdagley
Esteemed Contributor II

@user-FrOBUCXKms If you look at https://developer.apple.com/documentation/devicemanagement/mediamanagementallowedmedia you'll see that Apple has flagged MediaManagementAllowedMedia profile payload key as deprecated. I don't know if Big Sur has actually dropped support for it yet, but if this is the mechanism you're using to restrict access to USB devices in your environment, and that's a capability you require, now would be a good time to start looking for alternatives.

daniel_ross
Contributor III

@sdagley man I stumbled onto this post at the perfect time! We were just getting ready to use this org wide to block USB as we currently use this on wide range of dept based machines.

I wonder if anyone has found a solution long term for this that they are going to move to that has worked well?

jmariani
Contributor

Microsoft just announced support for USB device control. Have a look at https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/mac-updates-control-your-usb-...

walt
Contributor III

I know this is considered depreciated, but wanted to understand if it was expected behavior that when removing a USB write restriction config profile is a restart required or should the user be able to regain immediate read/write privileges to the USB device?