USB Disk Encryption solution

Bernard_Huang
Contributor III

Hi all,

Wonder if any of you have experience with this.

My end goal here is:
- If an unencrypted USB thumb drive is inserted into a MacBook, it is read-only.
- If a user is to copy files from the Macbook to the USB thumb drive, the disk must be encrypted, otherwise the copying function is not allowed.

I am reading other chats such as
https://www.jamf.com/jamf-nation/discussions/8306/eject-usb-if-its-not-encrypted
https://www.jamf.com/jamf-nation/discussions/21629/restrict-external-usb-devices-but-allow-encrypted-usb-devices , but by their own description of the script, the script will run every 15 minutes (check-in time), so there's plenty of time for someone to copy files out.

I think we would be happy with a solution that all USB thumb drives must be encrypted, otherwise the USB is not recognised at all.

Is there such a thing, or a software that can do that?


sdagley
Esteemed Contributor II

@Bernard.Huang I'm not aware of a product that does everything you want. McAfee's DLP (Data Loss Prevention) product will allow you to block write access to USB storage, and allows the user to request an access code that will give temporary write capability. McAfee's FRP (File and Removable Media Protection) product will offer to encrypt USB thumb drives that are connected, but in the versions I've seen, declining the prompt to encrypt the drive on the Mac leaves the drive writeable (the Windows version mounts the drive read-only if encryption is declined).

jconte
Contributor II

We are using McAfee's DLP and it is working fine. We use AD groups to control the access, and the application even lets you specify down to the manufacturer and model you want to allow. Hope this helps.

Bernard_Huang
Contributor III

Thanks @sdagley and @jconte

Thanks for your inputs. Saves me a lot of time searching for something that doesn't exist :) For now, forcing external media to be read-only within JAMF seems to be the best choice. Our company would rather upset our MacBook users than lose the company's intellectual property.

We do use DLP, but it's by Symantec, not McAfee. I thought DLP only monitors any files being transferred; it doesn't block it entirely.

sdagley
Esteemed Contributor II

@Bernard.Huang It's even more fun when you're contemplating using both the McAfee and Symantec DLP products because the Symantec tool doesn't offer USB restrictions like the McAfee one does, but your security team prefers the monitoring of Symantec. BTW, watch out for Symantec DLP caching files with the system protected flag. Apparently AutoDMG creating macOS images triggered DLP to cache many of the files for later evaluation, and since some of them have the system protected flag set they couldn't be deleted once cached. I lost about 80GB of storage to that little "feature" until I booted into Recovery mode and deleted the files.

smpotter
New Contributor III

In a past company I used and managed an Endpoint Protector appliance. It worked really well since I was able to whitelist approved encrypted USB drives. Per the configuration, anything whitelisted was set to Read/Write; any other drive was Read Only. However, you have control over creating your own policies.

Endpoint Protector

mani2care
Contributor

Do we have any extension attribute to tell whether USB is blocked or not?
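One way to answer that with a Jamf extension attribute, as an added example that is not from this thread or from Jamf. It assumes the external-disk restriction is delivered as a configuration profile that sets the "mount-controls" dictionary in the com.apple.systemuiserver domain, so that `defaults read` on the managed-preferences domain prints a dump shaped like the constructed samples below; the path `/Library/Managed Preferences/com.apple.systemuiserver` is part of that assumption. The script only reads the managed setting; it does not check whether a volume is actually mounted read-only.

```shell
#!/bin/sh
# Added example, not from the thread or from Jamf: extension attribute reporting
# how external hard disks are restricted on this Mac.
# Assumption (not stated on the page): the restriction lives in the managed
# "mount-controls" dictionary of com.apple.systemuiserver, and `defaults read`
# prints it in the shape of the constructed samples below.
# Jamf reads the value between <result></result>.

# Map the "harddisk-external" entry of a `defaults read ... mount-controls`
# dump to one word: deny | read-only | eject | unrestricted (entry absent or
# not one of those values). deny wins over read-only, which wins over eject.
external_disk_state() {         # $1 = defaults output text
    # Keep only the lines from the key up to the closing ")" of its array.
    entry=$(printf '%s\n' "$1" | sed -n '/"harddisk-external"/,/)/p')
    for state in deny read-only eject; do
        if printf '%s\n' "$entry" | grep -qw -- "$state"; then
            echo "$state"
            return
        fi
    done
    echo unrestricted
}

# Constructed samples (shape of `defaults read` output, not captured dumps).
# Values containing "-" print quoted, plain words print unquoted.
SAMPLE_READ_ONLY=$(cat <<'EOF'
{
    "harddisk-external" =     (
        "read-only"
    );
    "harddisk-internal" =     (
        "read-only"
    );
}
EOF
)
SAMPLE_DENY=$(cat <<'EOF'
{
    "harddisk-external" =     (
        deny,
        eject
    );
}
EOF
)

# Live run on macOS: read the managed domain (empty if no profile applies).
if command -v defaults >/dev/null 2>&1; then
    live=$(defaults read "/Library/Managed Preferences/com.apple.systemuiserver" \
               mount-controls 2>/dev/null || true)
    echo "<result>$(external_disk_state "$live")</result>"
fi
```

Paste the script as the extension attribute's script, with a string data type; a smart group on the value "read-only" or "deny" then shows which Macs actually received the restriction rather than which ones were merely scoped to it.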