Removable Storage Controls

You can prevent the use of removable storage devices to mitigate accidental data loss and unauthorized access. Removable storage controls can be granularly customized to meet your organization's needs.

Supported devices include the following removable storage devices that are writable, removable, and connected:

  • USB protocols

    • USB2

    • USB3

    • USB4

  • Internal SDXC card slots

  • External SD card reader adapters connected through a supported USB protocol

Supported removable storage types apply to Mac computers with either Apple silicon or Intel processors. Thunderbolt-compatible external drives that connect over USB4 using the USB Type-C connector are expected to adhere to permissions and override rules. Thunderbolt external drives that take advantage of PCIe lanes are unsupported at this time.

Removable storage device events are reported as the EnforcedRemovableDevicePolicy alert. Alerts include information about the device and the matching restriction. The USBInserted built-in analytic, if enabled, continues to monitor both supported and unsupported removable storage devices.

Note:
  • Removable device attributes (for example, write permissions) are reported independently of applied policies. The USBInserted analytic can be used to determine whether USB storage device activity is being attempted in the environment, but it is not an indication of a successful mount.

  • Executable files cannot execute when removable storage devices are restricted to read-only.

  • Removable storage controls ignore disk images, including DMGs.

Removable Storage Control Sets

Removable storage control sets contain a set of rules Jamf Protect applies to storage devices. A control set includes:

  • The default configuration control policy applied to supported removable storage devices

  • Optional override rules to prevent or allow eligible removable storage devices based on encryption status, vendor ID, product ID, and/or serial number

Jamf Protect administrators can configure removable storage control sets to apply increasingly granular restrictions on the use of removable storage devices. Restrictions can include, but are not limited to:

  • Prevent access to all supported removable storage devices

  • Prevent access to all supported removable storage devices that are not encrypted

  • Set all supported removable storage devices to be read-only

  • Prevent or allow specific removable storage devices identified by vendor ID, product ID, or serial number

Creating a Removable Storage Control Set

If you are a Jamf Protect administrator, you can create Removable Storage Control Sets to determine the level of restrictions applied to storage devices.

Requirements

Removable storage controls only apply to computers with macOS 10.15 and later.

  1. In Jamf Protect, click Device Controls.
  2. Click Create.
  3. Give your Removable Storage Control Set a name.
  4. Select one of the following Default Permission options from the menu.
    • Prevent

    • Read Only

    • Read and Write

    Important:

    The default permission settings will be applied to all removable storage devices unless the removable device matches a configured override rule. For more information, see Adding Override Rules to Removable Storage Controls.

  5. (Optional) Edit the Default Local Notification Message.
    Note:

    Local Notification messages apply to Prevent and Read Only permission settings based on the selected configuration. If you do not edit the Local Notification Message, one of the following default notification messages will be displayed when a user mounts a removable storage device:

    • Prevent: This removable storage device is not allowed.
    • Read Only: This removable storage device is limited to read-only.
  6. Click Save.
The following is an example of the default Prevent notification message displayed to Jamf Protect users:

The following is an example of the default Read Only notification message displayed to Jamf Protect users:

Adding Override Rules to Removable Storage Controls

Override rules can be added to a Removable Storage Control Set, providing additional flexibility to prevent or allow eligible storage devices based on the following criteria:

  • Encrypted Devices: The removable storage device's encryption status
  • Product ID: The removable storage device's identifier for an individual product
  • Vendor ID: The removable storage device's identifier for a specific company
  • Serial Number: The removable storage device's unique identifier

When a removable storage device matches more than one override, the most restrictive override applies.

Important:
  • If you do not configure override rules, the default policy of the Removable Storage Control Set is applied to any supported removable storage devices that attempt to mount.

  • Override rules are not supported for SD cards used with Internal SDXC card slots or external SD card reader adapters. The default permission configured in the Removable Storage Control Set will be enforced.

  1. In Jamf Protect, click Device Controls.
  2. Select a Removable Storage Control Set.
  3. In the Total Overrides section, click Add.
  4. Choose a Removable Storage Override Type from the pop-up menu.
  5. Click Add.
  6. Configure the Override Details section:
    1. Select a Permission from the pop-up menu.
    2. Choose a device encryption option from the pop-up menu to determine which removable storage devices Jamf Protect applies the override permission to:
      • All devices

      • Encrypted devices

      • Unencrypted devices

    3. (Optional) Edit the Local Notification Message.
      Note:

      Local Notification messages apply to Prevent and Read Only permission settings based on the selected configuration. If you do not edit the Local Notification Message, one of the following default notification messages will be displayed when a user mounts a removable storage device:

      • Prevent: This removable storage device is not allowed.
      • Read Only: This removable storage device is limited to read-only.
  7. Add list data for storage devices by doing one of the following:
    • Upload CSV File: You can upload Vendor IDs and Serial Numbers by a CSV file with one column containing the identifying values. You can upload Product IDs by CSV file with one column containing Vendor IDs and a second column containing Product IDs.
    • Add Text Input: You can add Vendor IDs and Serial Numbers as a list of comma-separated values. You can add Product IDs one at a time by entering the Vendor ID and Product ID.

    Removable storage devices must be provided in the following formats:

    • Product ID: 0x1d00
    • Vendor ID: 0x13fe
    • Serial Number: 5B6B0B88D431
    You can find a USB device's vendor ID, product ID, and serial number in the System Report view on your macOS computer.

  8. Click Save.
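
To make the override semantics above concrete (default permission unless an override matches, the most restrictive of several matching overrides wins, SD cards always receive the default) and to show the CSV upload formats in use, the following is an added Python model; it is not Jamf Protect code. The Device and Override classes, the RANK ordering and the sample CSV strings are our own constructions, and it assumes that the device encryption option from step 6 narrows every override type.

```python
import csv
import io
from dataclasses import dataclass, field

# Restrictiveness order used when a device matches several overrides.
RANK = {"Prevent": 2, "Read Only": 1, "Read and Write": 0}

SAMPLE_PRODUCT_CSV = "0x13fe,0x1d00\n"  # constructed; page's two-column format
SAMPLE_SERIAL_CSV = "5B6B0B88D431\n"    # constructed; page's one-column format

@dataclass
class Device:
    vendor_id: str          # e.g. "0x13fe"
    product_id: str         # e.g. "0x1d00"
    serial: str             # e.g. "5B6B0B88D431"
    encrypted: bool
    sd_card: bool = False   # internal SDXC slot or external SD reader adapter

@dataclass
class Override:
    kind: str               # "Encrypted Devices", "Vendor ID", "Product ID", "Serial Number"
    permission: str         # "Prevent", "Read Only" or "Read and Write"
    encryption: str = "All devices"  # or "Encrypted devices" / "Unencrypted devices"
    values: frozenset = field(default_factory=frozenset)  # IDs or (vendor, product) pairs

def matches(o: Override, d: Device) -> bool:
    # Assumption: the encryption option (step 6) narrows every override type.
    if o.encryption == "Encrypted devices" and not d.encrypted:
        return False
    if o.encryption == "Unencrypted devices" and d.encrypted:
        return False
    if o.kind == "Encrypted Devices":
        return True
    if o.kind == "Vendor ID":
        return d.vendor_id.lower() in {v.lower() for v in o.values}
    if o.kind == "Product ID":
        return (d.vendor_id.lower(), d.product_id.lower()) in o.values
    return d.serial in o.values  # "Serial Number": hex, compared case-sensitively

def effective_permission(default: str, overrides, d: Device) -> str:
    """Default unless an override matches; the most restrictive match wins."""
    if d.sd_card:  # per the page, override rules never apply to SD cards
        return default
    hits = [o.permission for o in overrides if matches(o, d)]
    return max(hits, key=RANK.__getitem__) if hits else default

def load_csv(csv_text: str) -> frozenset:
    """One-column rows become IDs; two-column rows become (Vendor ID, Product ID)."""
    return frozenset(tuple(c.strip().lower() for c in r) if len(r) == 2 else r[0].strip()
                     for r in csv.reader(io.StringIO(csv_text)) if r)
```

A device that matches both an allowing Product ID override and a Prevent Serial Number override resolves to Prevent, which is the behaviour to expect when a revoked serial belongs to an otherwise approved model.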

Adding a Removable Storage Control Set to Plans

You can add removable storage control sets to a new or existing plan.

  1. In Jamf Protect, click Plans.
  2. Select the Plan you want to add a Removable Storage Control Set to. Only one Removable Storage Control Set can be attached per plan.
  3. Click the Edit tab.
  4. In the Removable Storage Control Set section, select the Removable Storage Control Set you want to add from the pop-up menu.
  5. Click Save.
The removable storage control set is distributed to computers in the scope of the plan.