App spotlight: disable USB storage devices on Macs with media management

By Jon Xavier

Flash drives, portable hard drives, SD cards, and other forms of USB mass storage device are a conundrum for an Apple administrator. They can be infected with malicious payloads that give attackers control over whatever they’re plugged into. Not only that, they provide a simple, hard-to-catch way for employees to smuggle proprietary data out of the company. For those reasons, and because these kinds of removable media are less necessary to conducting business in the age of cloud file sharing, many companies seek to disable them entirely.

Apple’s media management mobileconfig profile seems to offer an answer. With it, admins can set rules to disable access to everything from CDs to network storage devices. Yet as with many things in Apple IT, the media management configuration profile is complex and sparsely documented. It’s possible to build configuration profiles that don’t work, don’t work as expected, or even crash your machines.

At Fleetsmith, we think things like USB storage device blocking should just work without a whole lot of fuss. So we did extensive testing to find out which configurations were actually useful, and then applied our knowledge about security and compliance to abstract this down to an interface that can disable USB storage devices in a couple clicks.

We’re planning a blog post based on our research for a later date that will go into more detail about how the Apple media management configuration profile works (and doesn’t work). In the meantime, we wanted to highlight how media management works in Fleetsmith and give you some advice about what you might want to use each setting for.

Media Management in the Fleetsmith Catalog

External Media

External media includes flash drives, SD cards, portable hard drives, and various other storage devices you plug in to your Mac. You’ve got three options here: Block, Require Admin Authentication, and Read Only.

  • Choosing Block will prevent external storage devices from mounting at all—users won’t receive any notification that a device is blocked, but it will be rejected by the OS when it tries to connect.
  • With Require Admin Authentication set, users will receive an authentication prompt whenever external media is plugged in. Authorizing with administrative credentials will cause the drive to mount. Otherwise, the user will not be able to see the drive or interact with it in any way.
  • Read Only does what it says on the tin—devices will mount but users will be unable to write to them.

It’s also possible to enable both Require Admin Authentication and Read Only, in which case normal and admin users must provide admin credentials to access the external media and will only have read access after authenticating.

Block and Require Admin Authentication are both good options provided situations where you need to plug in an external drive are rare. Read Only is a good security measure for certain devices that really do need access to external storage—photo or video workstations that often have to ingest a lot of data from SD cards, for example.

Internal Media

Internal Media covers internal drives and partitions. It will not affect access to Macintosh HD system volume, but will block access to all other volumes located on internal storage.

The options are the same as external media and work exactly the same: Block, Require Admin Authentication, and Read Only.

Block or Require Admin Authentication are good controls to set for devices that should only have one drive or partition, as end users will be unlikely to notice but it will disrupt attackers that attempt to create other partitions to hide their activities or steal data. Read only is likely to be very situational—if you have some kind of resource drive it might make sense, but it is usually a better security practice if non-administrators don’t see drives and partitions they can’t interact with.

Disk Image

Disk Image allows you to prevent the mounting of all manner of disk image files such as .dmg, .sparsebundle, .sparseimage, or .cdr. It is a binary choice—you either block all disk images, or you allow them. This is due to limitations present in the Apple mobileconfig profile itself.

This is a pretty restrictive option, since disk images are one of the main distribution formats for macOS software and there’s plenty of legitimate situations where an employee might need to mount one. It can limit the amount of unmanaged software that gets installed on your devices, but that will come at the cost of more support tickets when there’s something an employee legitimately needs to install.

Optical Media

Optical Media covers all things disc—CDs, DVDs, and Blu-ray.  Although the Apple configuration profile splits these out as separate options, and even has an entirely different set for blank discs, Fleetsmith lets you control all of them with a single setting. We couldn’t think of a use case where you might want to block one type of disc and not the others, but if you have one, let us know!

Optical Media has three options: Block, Require Admin Authentication, and Disc Burning. Block and Require Admin Authentication work similarly to the way they do for internal and external drives. If Block is set, discs that are inserted will spin but never mount; if Require Admin Authentication is set, they behave the same as Block except that users that are logged in as admin will be able to see the disc after re-authenticating through a prompt.

Disc Burning works as you would expect. Enabling disc burning allows disc burners to operate as normal, disabling it makes disc burning impossible through the OS. The interesting thing here is that to disable disc burning you actually have to touch 3 distinct parts of the configuration profile. Media management can prevent blank discs from being mounted, while com.apple.DiscRecording determines whether burning is supported and com.apple.finder has a setting that controls whether burning is an option that is displayed in the Finder. This can cause weirdness for end users if the settings don’t match—blank discs that mount but can’t be written to, or a burn disc option in the finder that throws an error when clicked. Fleetsmith sets all of these options for you with a single toggle.

You might not think you need this option if, like many admins these days, you don’t support any Macs with disc burners. However, it also blocks external disc burners, so there’s no reason not to set it if you’re worried about data exfiltration.

Conclusion

Disabling or blocking external storage devices is often an important step for the security-minded admin, but the basic configuration profile has some quirks that keep it from being a great tool to accomplish this on its own. At Fleetsmith we’re committed to delivering the best possible user experience regardless of the underlying technology, so we put a lot of care into building a media management solution that’s reliable, easy to understand, and even easier to use.

Subscribe to Fleetsmith Blog

Get the latest posts delivered right to your inbox.

or subscribe via RSS with Feedly!