Posted on 04-09-2019 07:10 PM
Hi all,
Wonder if any of you have experience with this.
My end goal here is:
- If an unencrypted USB thumb drive is inserted into a MacBook, it is read-only.
- If a user wants to copy files from the MacBook to the USB thumb drive, the disk must be encrypted; otherwise the copy is not allowed.
I am reading other threads such as
https://www.jamf.com/jamf-nation/discussions/8306/eject-usb-if-its-not-encrypted
https://www.jamf.com/jamf-nation/discussions/21629/restrict-external-usb-devices-but-allow-encrypted-usb-devices
but by their own description of the script, the script will run every 15 minutes (check-in time), so there's plenty of time for someone to copy files out.
I think we would be happy with a solution where all USB thumb drives must be encrypted, otherwise the USB drive is not recognised at all.
Is there such a thing, or software that can do that?
Posted on 04-10-2019 08:29 AM
@Bernard.Huang I'm not aware of a product that does everything you want. McAfee's DLP (Data Loss Prevention) product will allow you to block write access to USB storage, and allows the user to request an access code that will give temporary write capability. McAfee's FRP (File and Removable Media Protection) product will offer to encrypt USB thumb drives that are connected, but in the versions I've seen, declining the prompt to encrypt the drive on the Mac leaves the drive writeable (the Windows version mounts the drive read-only if encryption is declined).
Posted on 04-10-2019 10:38 AM
We are using McAfee's DLP and it is working fine. We use AD groups to control the access, and the application even lets you specify down to the manufacturer and model you want to allow. Hope this helps.
Posted on 04-10-2019 10:49 PM
Thanks for your input. Saves me a lot of time searching for something that doesn't exist :) For now, forcing external media to be read-only within Jamf seems to be the best choice. Our company would rather upset our MacBook users than lose the company's intellectual property.
We do use DLP, but it's by Symantec, not McAfee. I thought DLP only monitors files being transferred; it doesn't block them entirely.
Posted on 04-11-2019 07:20 AM
@Bernard.Huang It's even more fun when you're contemplating using both the McAfee and Symantec DLP products, because the Symantec tool doesn't offer USB restrictions like the McAfee one does, but your security team prefers the monitoring of Symantec. BTW, watch out for Symantec DLP caching files with the system-protected flag. Apparently AutoDMG creating macOS images triggered DLP to cache many of the files for later evaluation, and since some of them have the system-protected flag set, they couldn't be deleted once cached. I lost about 80GB of storage to that little "feature" until I booted into Recovery mode and deleted the files.
Posted on 04-11-2019 09:04 AM
In a past company I used and managed an Endpoint Protector appliance. It worked really well, since I was able to whitelist approved encrypted USB drives. Per the configuration, anything whitelisted was set to Read/Write and any other drive was Read Only... However, you have control over creating your own policies.
Posted on 12-02-2020 12:16 AM
Do we have any extension attribute to tell whether USB is blocked or not?
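An added example, not from this thread or from Jamf: a Jamf-style extension attribute script that answers the last question (is external USB storage blocked?) and the original poster's concern (is the inserted drive encrypted?) by parsing `diskutil info` for every mounted USB volume. The field labels it looks for (`Protocol`, `FileVault`, `Encrypted`, `Read-Only Volume`) are assumed from current macOS `diskutil` output and should be checked on your own fleet; the parsing is kept in a function that takes the text as an argument so it can be exercised offline against the constructed samples below. The optional remount step is the same polling approach as the scripts linked earlier, so it inherits the same check-in window; the read-only media restriction in a configuration profile is still the actual enforcement.

```shell
#!/bin/sh
# Added example (not the thread's or Jamf's own script): report, for each mounted
# USB volume, whether it is encrypted and whether it is mounted read-only, in the
# <result>...</result> form a Jamf extension attribute expects.
# Assumed diskutil labels: Protocol, FileVault, Encrypted, Read-Only Volume.

# Print the value of one "Label:   value" line from diskutil info text on stdin.
di_field() {
    sed -n "s/^ *$1: *//p" | head -n 1
}

# Classify one diskutil info dump passed as $1.
# Output: "skip" for non-USB devices, else "<encrypted|unencrypted>,<read-only|writable>".
classify_volume() {
    info="$1"
    proto=$(printf '%s\n' "$info" | di_field "Protocol")
    [ "$proto" = "USB" ] || { echo "skip"; return 0; }
    enc=$(printf '%s\n' "$info" | di_field "Encrypted")
    fv=$(printf '%s\n' "$info" | di_field "FileVault")
    ro=$(printf '%s\n' "$info" | di_field "Read-Only Volume")
    # APFS volumes report "FileVault: Yes (Unlocked)"; older formats report "Encrypted: Yes".
    case "$enc$fv" in
        *Yes*) e="encrypted" ;;
        *)     e="unencrypted" ;;
    esac
    case "$ro" in
        Yes*) r="read-only" ;;
        *)    r="writable" ;;
    esac
    echo "$e,$r"
}

# Optional remediation (opt in with ENFORCE=1): remount an unencrypted, writable
# USB volume read-only. Like the thread's polling scripts, this only takes effect
# when the script runs, so it is visibility plus best effort, not a gate.
remount_read_only() {
    diskutil unmount "$1" >/dev/null 2>&1 && diskutil mount readOnly "$1" >/dev/null 2>&1
}

# Walk every locally mounted /dev/disk* filesystem and keep the USB ones.
usb_report() {
    out=""
    for dev in $(df -Pl 2>/dev/null | awk 'NR>1 && $1 ~ /^\/dev\/disk/ {print $1}'); do
        info=$(diskutil info "$dev" 2>/dev/null) || continue
        c=$(classify_volume "$info")
        [ "$c" = "skip" ] && continue
        if [ "${ENFORCE:-0}" = "1" ] && [ "$c" = "unencrypted,writable" ]; then
            remount_read_only "$dev" || c="$c,remount-failed"
        fi
        out="$out$dev=$c;"
    done
    [ -n "$out" ] || out="no-usb-volumes"
    echo "<result>$out</result>"
}

# Only run the live enumeration where diskutil exists (macOS); the parsing above
# works on any POSIX shell, which is what makes it testable offline.
if command -v diskutil >/dev/null 2>&1; then
    usb_report
fi
```

Paste the script into a Jamf extension attribute of type "script"; the `<result>` line lands in inventory, so a smart group can collect Macs that currently show an `unencrypted,writable` USB volume. Keep `ENFORCE` unset for the extension attribute itself and reserve the remount for a separate policy if you want it at all.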