- Michael Thomson
Technical
A common security benchmark that is always requested during our Jamf Onboarding projects is locking down or restricting USB drives.
In previous versions of macOS this could be applied via a simple Jamf Pro configuration profile. Apple deprecated the feature in macOS 10.15, but to this day it remains operational, albeit temperamental on the latest macOS versions.
Jamf Protect
With macOS Sonoma now released, let's explore a more robust method of managing removable drives.
Jamf Protect has a dedicated Device Control feature that makes it simple to manage the use of removable storage devices within your organisation. Implementing device controls helps prevent the use of USB drives on your company devices, which mitigates misuse, accidental data loss and unauthorised access.
Supported Device Types
- USB
- Thunderbolt
- Internal SDXC cards
- External SD card Reader Adaptors
- Supported across both Apple Silicon and Intel Processors
Jamf Protect administrators can configure removable storage control sets to apply increasingly granular restrictions on the use of removable storage devices. Restrictions can include, but are not limited to:
- Prevent access to all supported removable storage devices
- Prevent access to all supported removable storage devices that are not encrypted
- Set all supported removable storage devices to be read-only
- Prevent or allow specific removable storage devices identified by vendor ID, product ID, or serial number.
If a user on a Mac configured with one of the above restrictions connects a removable drive, they are automatically presented with a Jamf Protect warning.
Serial Numbers
To configure these controls at the serial number or vendor level, simply connect a removable drive to an unrestricted Mac and navigate to System Information > Hardware > USB. From here you can note down the vendor ID and/or serial number. If there is a large number of serial numbers, these can be added to a CSV document and simply imported into Jamf Protect.
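When many drives need to be catalogued, clicking through System Information for each one is slow. The following script is an added example (not from the original post or from Jamf): it reads the JSON form of the same data via `system_profiler SPUSBDataType -json`, walks the USB tree including devices behind hubs, and writes a CSV of vendor ID, product ID and serial number. The key names (`vendor_id`, `product_id`, `serial_num`, `_items`) follow system_profiler's observed JSON output, the embedded sample is constructed, and the CSV column layout is an assumption to be matched against the import template in the Jamf Protect console.

```python
import csv
import io
import json
import subprocess

# Constructed sample of `system_profiler SPUSBDataType -json` output; key names follow observed output.
SAMPLE_JSON = """{"SPUSBDataType": [{"_name": "USB31Bus", "_items": [
 {"_name": "DataTraveler 3.0", "vendor_id": "0x13fe  (Kingston Technology Company)",
  "product_id": "0x4300", "serial_num": "SN-CONSTRUCTED-001"},
 {"_name": "USB3.0 Hub", "vendor_id": "0x2109  (VIA Labs, Inc.)", "product_id": "0x0817",
  "_items": [{"_name": "Flash Disk", "vendor_id": "0x0781  (SanDisk Corp.)",
              "product_id": "0x5583", "serial_num": "SN-CONSTRUCTED-002"}]},
 {"_name": "Keyboard", "vendor_id": "0x05ac  (Apple Inc.)", "product_id": "0x0267"}]}]}"""

def hex_token(value: str) -> str:
    """'0x13fe  (Kingston ...)' -> '0x13fe'; system_profiler appends the vendor name."""
    return value.split()[0].lower()

def walk(items):
    """Depth-first walk of the USB tree; hubs nest their children under '_items'."""
    for item in items:
        yield item
        yield from walk(item.get("_items", []))

def usb_devices(profiler_json: str) -> list[dict]:
    """One row per device that reports a serial number (mass storage normally does)."""
    rows = []
    for bus in json.loads(profiler_json).get("SPUSBDataType", []):
        for dev in walk(bus.get("_items", [])):
            if "serial_num" not in dev:
                continue  # hubs and most HID devices carry no serial; nothing to list
            rows.append({"vendor_id": hex_token(dev["vendor_id"]),
                         "product_id": hex_token(dev["product_id"]),
                         "serial": dev["serial_num"].strip(),
                         "name": dev.get("_name", "")})
    return rows

def to_csv(rows: list[dict]) -> str:
    """Column layout is an assumption; match it to the Jamf Protect import template."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["vendor_id", "product_id", "serial", "name"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":  # run on the unrestricted Mac with the drives connected
    out = subprocess.run(["system_profiler", "SPUSBDataType", "-json"],
                         check=True, capture_output=True, text=True).stdout
    print(to_csv(usb_devices(out)), end="")
```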
Silent Deployment
With the vendor ID now in hand, we can continue to configure Jamf Protect. In the example below, the default is for all removable drives to be blocked on our company devices. We have applied an override allowing Kingston devices with the vendor ID 0x13fe, but we will only allow that vendor to connect if the drive has been encrypted.
This is just one example; some clients prefer to run a serial number whitelist, which is also very simple to achieve. Once the device control is in place you can assign it to a plan and deploy it silently with Jamf Pro. Multiple device controls can be configured and scoped at the user or group level if you take a granular approach to security.
Conclusion
Regardless of where you are in your Apple journey, we have the skills and experience to help. This can be as simple as building out the required configurations and security workflows to help you manage and secure Apple devices with ease.
Get more out of Jamf with DARE.