Removable Storage Controls
You can prevent the use of removable storage devices to mitigate accidental data loss and unauthorized access. Removable storage controls can be granularly customized to meet your organization's needs.
Supported devices include the following removable storage devices that are writable, removable, and connected:
- USB protocols
  - USB2
  - USB3
  - USB4
- Internal SDXC card slots
- External SD card reader adapters connected through a supported USB protocol
Supported removable storage types apply to Mac computers with either Apple silicon or Intel processors. Thunderbolt-compatible external drives that connect over USB4 using the USB Type-C connector are expected to adhere to permissions and override rules. Thunderbolt external drives that take advantage of PCIe lanes are unsupported at this time.
Removable storage device events are reported as the EnforcedRemovableDevicePolicy alert. Alerts include information about the device and the matching restriction. The USBInserted built-in analytic, if enabled, continues to monitor both supported and unsupported removable storage devices.
Limitations and ignored activities include:
- Removable device attributes (for example, write permissions) are reported independent of applied policies. The USBInserted analytic can be used to determine if USB storage device activity is attempted in the environment, but is not an indication of a successful mount.
- Executable files cannot execute when removable storage devices are restricted to read-only.
- Removable storage controls ignore disk images, including DMGs.
- Connected iOS and iPadOS devices are ignored by removable storage. To prevent iOS and iPadOS devices from mounting on your computers, use your organization's MDM solution.
Removable Storage Control Sets
Removable storage control sets contain a set of rules Jamf Protect applies to storage devices. A control set includes:
- The default configuration control policy applied to supported removable storage devices
- Optional override rules to prevent or allow eligible removable storage devices based on encryption status, vendor ID, product ID, and/or serial number
Jamf Protect administrators can configure removable storage control sets to apply increasingly granular restrictions on the use of removable storage devices. Restrictions can include, but are not limited to:
- Prevent access to all supported removable storage devices
- Prevent access to all supported removable storage devices that are not encrypted
- Set all supported removable storage devices to be read-only
- Prevent or allow specific removable storage devices identified by vendor ID, product ID, or serial number
Creating a Removable Storage Control Set
If you are a Jamf Protect administrator, you can create Removable Storage Control Sets to determine the level of restrictions applied to storage devices.
Removable storage controls only apply to computers with macOS 10.15 and later.

The following is an example of the default Read Only notification message displayed to Jamf Protect users:

Adding Override Rules to Removable Storage Controls
Override rules can be added to a Removable Storage Control Set, providing additional flexibility to prevent or allow eligible storage devices based on the following criteria:
- Encrypted Devices—The removable storage device's encryption status
- Product ID—The removable storage device's identifier for an individual product
- Vendor ID—The removable storage device's identifier for a specific company
- Serial Number—The removable storage device's unique identifier
When a removable storage device matches more than one override, the most restrictive override applies.
If you do not configure override rules, the default policy of the Removable Storage Control Set is applied to any supported removable storage devices that attempt to mount.
Override rules are not supported for SD cards used with Internal SDXC card slots or external SD card reader adapters. The default permission configured in the Removable Storage Control Set will be enforced.
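The resolution rules above (default policy, most restrictive matching override, SD cards always on the default) can be checked on paper before a control set is deployed. The following is an added sketch, not Jamf Protect code: the class names, field names, permission labels, and the vendor ID `0x1234` are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Permission(IntEnum):
    # Lower value = more restrictive, so min() picks the strictest match.
    PREVENT = 0
    READ_ONLY = 1
    READ_WRITE = 2

@dataclass(frozen=True)
class Device:
    # Constructed model of an inserted device; field names are assumptions.
    kind: str                      # "usb" or "sd"
    encrypted: bool = False
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    serial: Optional[str] = None

@dataclass(frozen=True)
class Override:
    criterion: str                 # "encrypted", "vendor_id", "product_id" or "serial"
    value: object
    permission: Permission

    def matches(self, dev: Device) -> bool:
        return getattr(dev, self.criterion) == self.value

def effective_permission(dev: Device, default: Permission,
                         overrides: list[Override]) -> Permission:
    # Override rules are not supported for SD cards: the default always applies.
    if dev.kind == "sd":
        return default
    matched = [o.permission for o in overrides if o.matches(dev)]
    # No match: default policy. Several matches: the most restrictive wins.
    return min(matched) if matched else default

# Constructed control set: block by default, allow encrypted devices,
# but hold one (hypothetical) vendor's devices to read-only.
DEFAULT = Permission.PREVENT
RULES = [
    Override("encrypted", True, Permission.READ_WRITE),
    Override("vendor_id", "0x1234", Permission.READ_ONLY),
]

if __name__ == "__main__":
    for dev in (Device("usb"), Device("usb", encrypted=True),
                Device("usb", encrypted=True, vendor_id="0x1234"),
                Device("sd", encrypted=True)):
        print(dev, "->", effective_permission(dev, DEFAULT, RULES).name)
```

Note the third device: an encrypted drive from the read-only vendor matches both overrides and ends up read-only, which is the case most likely to surprise users who expect the encryption allowance to win.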
Adding a Removable Storage Control Set to Plans
You can add removable storage control sets to a new or existing plan.
- In Jamf Protect, click Plans.
- Select the Plan you want to add a Removable Storage Control Set to. Only one Removable Storage Control Set can be attached per plan.
- Click the Edit tab.
- In the Removable Storage Control Set section, select the Removable Storage Control Set you want to add from the pop-up menu.
- Click Save.