Posted on 05-02-2019 08:31 PM
We have a policy set in Jamf for OSX to disable external drives. We have a network drive that is connected via iSCSI (something like this https://www.ddpsan.com/ ) and thus shows up as an external drive and is being blocked by this policy. Is there a way to whitelist this drive, or maybe just disable USB/Thunderbolt storage drivers only and keep mouse and keyboard (and Wacom)? I've had a look at disabling USB and it seems to disable the whole port, not just storage drivers.
The OSX we are using in this environment is the (latest) Mojave.
EDIT: I found this app for OSX https://github.com/aburgh/Disk-Arbitrator that allows any USB disks to be not loaded when plugged in.
However, when we run this, anyone can interact with this software. There is no security to stop anyone from interacting with it.
I also was able to modify this app so that we secure it with a password before it can be interacted with; however, they can still kill the process and then mount the drive.
Can JAMF restrict this application so that it runs but no one (except maybe root or admin) can interact with it? Or ensure that the app is always running and no one but root or admin can kill it?
So the solution we found for this:
1. Create a script in jamf that looks something like this:
#!/bin/bash
# Paths containing a space must be quoted, otherwise the redirect and chmod below target the wrong file.
cat << 'EOF' > "/Library/Application Support/JAMF/unmountUSB.sh"
#!/bin/bash
# Poll every second and unmount any disk that diskutil reports as "external, physical".
while :
do
    diskutil list | grep "disk[0-9]* (external, physical" | while read -r i
    do
        diskN=$(echo "$i" | cut -f1 -d' ')
        diskutil unmountDisk "$diskN"
    done
    sleep 1
done
EOF

# LaunchAgent: keeps Disk Arbitrator running in the user session.
cat << 'EOF2' > /Library/LaunchAgents/com.rotorstudios.disableUSB.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.rotorstudios.disableUSB</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/DiskArbitrator.app/Contents/MacOS/Disk Arbitrator</string>
    </array>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF2

# LaunchDaemon: runs the unmount loop as root so a normal user cannot kill it.
cat << 'EOF1' > /Library/LaunchDaemons/com.rotorstudios.unmountUSB.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.rotorstudios.unmountUSB</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/JAMF/unmountUSB.sh</string>
    </array>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF1

echo "done creating .plist files"
chmod 755 "/Library/Application Support/JAMF/unmountUSB.sh"
launchctl unload /Library/LaunchDaemons/com.rotorstudios.unmountUSB.plist
launchctl unload /Library/LaunchAgents/com.rotorstudios.disableUSB.plist
launchctl load -w /Library/LaunchDaemons/com.rotorstudios.unmountUSB.plist
launchctl load -w /Library/LaunchAgents/com.rotorstudios.disableUSB.plist
echo "Done launchctl"
The code to undo this / kill this:
#!/bin/bash
echo "Stopping USB"
# launchctl stop takes the job label, not the plist path.
launchctl stop com.rotorstudios.unmountUSB
launchctl stop com.rotorstudios.disableUSB
launchctl unload /Library/LaunchDaemons/com.rotorstudios.unmountUSB.plist
launchctl unload /Library/LaunchAgents/com.rotorstudios.disableUSB.plist
echo "done stopping. removing apps"
sudo rm -f /Library/LaunchDaemons/com.rotorstudios.unmountUSB.plist
sudo rm -f /Library/LaunchAgents/com.rotorstudios.disableUSB.plist
sudo rm -f "/Library/Application Support/JAMF/unmountUSB.sh"
sudo rm -rf /Applications/DiskArbitrator.app
echo "done removing"
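The unmount loop above blocks every "external, physical" disk, which is exactly why the iSCSI volume from the original question gets caught. Below is an added example (not the poster's script) of the same sweep with an allowlist, so a known disk is left mounted while everything else external is still unmounted; the allowlist file path and the sample `diskutil list` output are constructed for this example.

```shell
#!/bin/bash
# Allowlist file (assumed path): one disk identifier per line, e.g. "disk3"; lines starting with # are ignored.
ALLOWLIST="${ALLOWLIST:-/Library/Application Support/JAMF/usb-allowlist.txt}"

# Constructed sample of `diskutil list` output (headers only; the real command prints more).
SAMPLE_DISKUTIL='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *32.0 GB    disk2
/dev/disk3 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *4.0 TB     disk3'

# Print the /dev/diskN devices to unmount: external, physical, and whose identifier
# (e.g. disk3) is not an exact line in the allowlist text passed as $2.
disks_to_unmount() {
  listing="$1"
  allow="$2"
  printf '%s\n' "$listing" | grep -E '^/dev/disk[0-9]+ \(external, physical' |
  while read -r dev _; do
    id="${dev#/dev/}"
    if [ -n "$allow" ] && printf '%s\n' "$allow" | grep -qx "$id"; then
      continue   # allowlisted: leave it mounted
    fi
    printf '%s\n' "$dev"
  done
}

# One sweep over the live system; a LaunchDaemon would call this in a loop with a sleep.
sweep_once() {
  allow=""
  [ -r "$ALLOWLIST" ] && allow="$(grep -v '^#' "$ALLOWLIST")"
  disks_to_unmount "$(diskutil list)" "$allow" | while read -r dev; do
    diskutil unmountDisk "$dev"
  done
}
```

Disk identifiers are assigned at attach time and can change between boots, so for a production allowlist match on a stable attribute from `diskutil info` (such as the disk or volume UUID) instead of the diskN name.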