Prohibited USB Insertion Detections

Jamf Protect's built-in analytic that monitors USB insertions on computers can be customized to monitor specific USB drives for your organization. You can configure the Analytic to detect specific USB drive attributes, such as the vendor, product name, and serial number. For example, if your organization only allows SanDisk USB drives to be used, you can customize the USB insertion Analytic to monitor for non-SanDisk USB drives.

If you use Jamf Protect and Jamf Pro, you can configure an analytic action to change the membership of a smart computer group in response to an analytic.

If configured, Jamf Protect will populate an extension attribute when an analytic is detected, which a smart group in Jamf Pro will read and then change the membership of the smart group. Jamf Pro administrators can then identify computers in the smart group and remediate the threat. In addition, you can run a script using a policy in Jamf Pro to display an alert to users.

Customizing the USB Insertion Analytic

  1. In Jamf Protect, click Analytics.
  2. Search for and select the "USBInserted" Analytic.
  3. In the Analytic Summary pane, click Copy.
  4. Enter a name in the Analytic Name field.
  5. In the Analytic Filter section, edit the predicate logic for your organization.
    Example:

    This example monitors for any USB drive that does not have the following attributes:

    Vendor
    SanDisk
    Product Name
    Cruze Glide
    Serial Number
    Between ABC00 and ABC99
    $event.type == 0 AND $event.device.removable == 1 AND $event.device.writable == 1 AND $event.device.vendorName != "SanDisk" AND $event.device.productName != "Cruzer Glide" AND NOT $event.device.serialNumber MATCHES "ABC[0-9][0-9]"

    For more information about additional USB attributes that can be used, click Documentation > Device in the Jamf Protect web app.

  6. Configure the Analytic Actions section.
  7. (Optional) Select the Add to Jamf Pro Smart Group checkbox and enter a value to populate a Jamf Protect extension attribute in the Identifier, if you want to use Jamf Pro to remediate USB detections.
    Note:

    This value must match the Value field defined in your Jamf Protect extension attribute in Jamf Pro.

  8. Click Save.

Your custom USB insertion Analytic will now monitor for custom USB attributes and trigger an action.

If you selected Add to Jamf Pro Smart Group as an Analytic action, see Creating an Extension Attribute.