Question

USB Disk Encryption solution



Hi all,

Wonder if any of you have experience with this.

My end goal here is:
- If an unencrypted USB thumb drive is inserted into a MacBook, it is read only.
- If a user is to copy files from the MacBook to the USB thumb drive, the disk must be encrypted, otherwise the copying function is not allowed.

I am reading other chats such as
https://www.jamf.com/jamf-nation/discussions/8306/eject-usb-if-its-not-encrypted
https://www.jamf.com/jamf-nation/discussions/21629/restrict-external-usb-devices-but-allow-encrypted-usb-devices , but by their own description of the script, the script will run every 15 minutes (check-in time), so there's plenty of time for someone to copy files out.

I think we would be happy with a solution that all USB thumb drives must be encrypted, otherwise the USB is not recognised at all.

Is there such a thing, or a software that can do that?

6 replies

sdagley
  • Jamf Heroes
  • 3536 replies
  • April 10, 2019

@Bernard.Huang I'm not aware of a product that does everything you want. McAfee's DLP (Data Loss Prevention) product will allow you to block write access to USB storage, and allows the user to request an access code that will give temporary write capability. McAfee's FRP (File and Removable media Protection) product will offer to encrypt USB thumb drives that are connected, but in the versions I've seen declining the prompt to encrypt the drive on the Mac leaves the drive writeable (the Windows version mounts the drive read only if encryption is declined).


jconte
  • Valued Contributor
  • 131 replies
  • April 10, 2019

We are using McAfee's DLP and it is working fine. We use AD groups to control the access and the application even lets you specify down to the manufacturer and model you want to allow. Hope that helps.


  • Author
  • Valued Contributor
  • 143 replies
  • April 11, 2019

Thanks @sdagley and @jconte

Thanks for your input. Saves me a lot of time searching for something that doesn't exist :) For now forcing external media to be read-only within JAMF seems to be the best choice. Our company would rather upset our MacBook users than lose the company's intellectual property.

We do use DLP, but it's by Symantec, not McAfee. I thought DLP only monitors any files being transferred, it doesn't block it entirely.


sdagley
  • Jamf Heroes
  • 3536 replies
  • April 11, 2019

@Bernard.Huang It's even more fun when you're contemplating using both the McAfee and Symantec DLP products because the Symantec tool doesn't offer USB restrictions like the McAfee one does, but your security team prefers the monitoring of Symantec. BTW, watch out for Symantec DLP caching files with the system protected flag. Apparently AutoDMG creating macOS images triggered DLP to cache many of the files for later evaluation, and since some of them have the system protected flag set they couldn't be deleted once cached. I lost about 80GB of storage to that little "feature" until I booted into Recovery mode and deleted the files.


  • New Contributor
  • 24 replies
  • April 11, 2019

In a past company I used and managed an Endpoint Protector appliance. It worked really well since I was able to whitelist approved encrypted USB drives. Per the configurations, anything whitelisted was set to Read/Write and any other drive was Read Only... However, you have control over creating your own policies though.

Endpoint Protector


mani2care
  • Contributor
  • 82 replies
  • December 2, 2020

Do we have any extension attribute to be aware of whether the USB is blocked or not?

