Posted on 05-02-2019 08:31 PM
Hi,
We have a policy set in Jamf for OSX to disable external drives. We have a network drive that is connected via iSCSI (something like this https://www.ddpsan.com/ ) and thus shows up as an external drive and is being blocked by this policy.
Is there a way to whitelist this drive, or maybe just disable USB/Thunderbolt storage drivers only and keep mouse and keyboard (and Wacom)? I've had a look at disabling USB and it seems to disable the whole port, not just the storage drivers.
The OSX we are using in this environment is the (latest) Mojave.
EDIT: I found this app for OSX https://github.com/aburgh/Disk-Arbitrator that allows any USB disk to not be loaded when plugged in.
However, when we run this, anyone can interact with this software. There is no security to stop anyone from interacting with it.
I was also able to modify this app so that it is secured with a password before it can be interacted with; however, they can still kill the process and then mount the drive.
Can Jamf restrict this application so that it runs but no one (except for maybe root or admin) can interact with it? Or ensure that the app is always running and no one but root or admin can kill it?
So the solution we found for this:
1. Create a script in Jamf that looks something like this:
#!/bin/bash
# Write the watcher script (the path contains a space, so it must be quoted)
cat << 'EOF' > "/Library/Application Support/JAMF/unmountUSB.sh"
#!/bin/bash
# Poll diskutil once a second and unmount every disk it lists as "(external, physical)"
while :
do
diskutil list | grep "disk[0-9] (external, physical" | while read -r i
do
diskN=$(echo "$i" | cut -f1 -d' ')
diskutil unmountDisk "$diskN"
done
sleep 1
done
EOF
cat << EOF2 > /Library/LaunchAgents/com.rotorstudios.disableUSB.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.rotorstudios.disableUSB</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/DiskArbitrator.app/Contents/MacOS/Disk Arbitrator</string>
</array>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOF2
cat << EOF1 > /Library/LaunchDaemons/com.rotorstudios.unmountUSB.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.rotorstudios.unmountUSB</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/JAMF/unmountUSB.sh</string>
</array>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOF1
echo "done creating .plist files"
chmod 755 "/Library/Application Support/JAMF/unmountUSB.sh"
launchctl unload /Library/LaunchDaemons/com.rotorstudios.unmountUSB.plist
launchctl unload /Library/LaunchAgents/com.rotorstudios.disableUSB.plist
launchctl load -w /Library/LaunchDaemons/com.rotorstudios.unmountUSB.plist
launchctl load -w /Library/LaunchAgents/com.rotorstudios.disableUSB.plist
echo "Done launchctl"
The code to undo this / kill this:
#!/bin/bash
echo "Stopping USB"
# launchctl stop takes the job label, not the plist path
launchctl stop com.rotorstudios.unmountUSB
launchctl stop com.rotorstudios.disableUSB
launchctl unload /Library/LaunchDaemons/com.rotorstudios.unmountUSB.plist
launchctl unload /Library/LaunchAgents/com.rotorstudios.disableUSB.plist
echo "done stopping. removing apps"
sudo rm -f /Library/LaunchDaemons/com.rotorstudios.unmountUSB.plist
sudo rm -f /Library/LaunchAgents/com.rotorstudios.disableUSB.plist
sudo rm -f "/Library/Application Support/JAMF/unmountUSB.sh"
sudo rm -rf /Applications/DiskArbitrator.app
echo "done removing"
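The watcher loop in the post unmounts every disk that `diskutil list` reports as "(external, physical)", which is exactly what would catch the iSCSI target the original question wanted to keep. The following is an added example, not code from the post or from the Disk-Arbitrator project: it splits the loop into testable functions and adds an allowlist of device nodes that are never unmounted. The `ALLOWED_DISKS` value, the function names and the `diskutil list` output embedded below are all assumptions constructed for the example; the live loop only runs when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Added example: unmount external physical disks except those on an allowlist.
# ALLOWED_DISKS and SAMPLE_DISKUTIL are assumptions, not values from the post.

# Device nodes that must never be unmounted (assumption: the iSCSI LUN
# attaches as /dev/disk3; adjust for your environment).
ALLOWED_DISKS="/dev/disk3"

# Print the device node of every "/dev/diskN (external, physical" line
# found in diskutil list output read from stdin.
external_disks() {
    grep -E '^/dev/disk[0-9]+ \(external, physical' | cut -d' ' -f1
}

# Return 0 if the node is allowlisted. Whole-string comparison, so an
# entry of /dev/disk3 does not also protect /dev/disk30.
is_allowed() {
    for d in $ALLOWED_DISKS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# Read diskutil output from stdin; print the nodes that should be unmounted.
disks_to_unmount() {
    external_disks | while read -r node; do
        is_allowed "$node" || printf '%s\n' "$node"
    done
}

# Constructed sample of `diskutil list` output (not captured from a real machine):
# one internal disk, one USB stick, and the allowlisted iSCSI target.
SAMPLE_DISKUTIL='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *16.0 GB    disk2

/dev/disk3 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *8.0 TB     disk3
'

# Run the filter over the sample so the logic can be checked offline.
sample_unmount_list() {
    printf '%s' "$SAMPLE_DISKUTIL" | disks_to_unmount
}

# Live loop: same logic against real diskutil output, once a second.
if [ "${1:-}" = "run" ]; then
    while :; do
        diskutil list | disks_to_unmount | while read -r node; do
            diskutil unmountDisk "$node"
        done
        sleep 1
    done
fi
```

On the sample above, `sample_unmount_list` prints only `/dev/disk2`. Keying the allowlist on `/dev/diskN` is the simplest thing that fits the post's loop, but disk numbers are assigned in attach order and can change between boots, so in practice the allowlist should be matched on a stable property of the disk (for example the disk UUID reported by `diskutil info`) rather than the node name.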