Block external storage devices by executing custom scripts on Mac machines

Description

The usage of USB devices is inevitable in any organization. Data portability perks come as a package with the threat of data theft and malware injection. Hence, blocking the usage of USB devices fortifies the network from incidents of data breach.

Desktop Central offers several configurations to help you safeguard the Mac machines in your network. This document provides you with steps on preventing the usage of unauthenticated storage devices. Additionally, you can also obtain a report on the block/unblock status. You can choose from the following operations based on your requirement:

  1. To block devices 
  2. To block devices and obtain a report

To Block Devices:

Prerequisite:

Download dcblockusb.zip executable.

Note: All USB storage devices will be blocked.

Steps:

  1. Navigate to Configurations tab and click on Script Repository.
  2. Under Templates tab, add BlockStorageForMac.sh script to the repository.
  3. Create a custom script configuration under Mac configurations using this script.
  4. Click Add (next to Dependency Files) to upload the dcblockusb.zip as the dependency file.
  5. Block USB

  6. If you want the USB devices to be blocked round the clock, the frequency should be set as 'During Every Startup' while deploying the configuration. While executing this as a startup script, the devices will be blocked from subsequent startup.

All the external storage devices have been blocked successfully.

Note: To unblock the external storage devices, either the configuration has to be deleted or the the target machine should be removed from the configuration. The changes will take effect after the next reboot of the target computer.

To Block devices And Obtain a Report:

Prerequisite:

Download dcblockusb.zip. You'll need the contents of this file for both block and unblock operations.

Note: All USB storage devices will be blocked

Steps to block a device: 

  1.  From the zip file above, add following script to script repository - BlockUsbAndSendReportMac.sh and Use "BLOCK" as argument.
  2. Create Computer configuration with this script and add MacUsbReport.zip as dependency file.
  3. Deploy configuration.

Block USB Configuring

        4. If you want the USB devices to be blocked round the clock, the frequency should be set as 'During Every Startup' while deploying the configuration. While executing this as a startup script, the devices will be blocked from subsequent startup.

All USB storage devices have been blocked successfully.

Steps to Unblock devices:

To unblock the external storage devices, either the configuration has to be deleted or the the target machine should be removed from the configuration. The changes will take effect after the next reboot of the target computer.However, to post data to get a report of unblocked devices, you need to do the following.

  1. From the zip file above, add SendUnblockReportMac.sh to script repository.
  2. Add MacUsbReport.zip file as dependency file in computer configuration and deploy to the unblocked device.
    Block Report USB Configuring

The script to post unblock status has been deployed successfully. 

Steps to Obtain a USB policy report:

You can generate a report on block/unblock status based on the device type. For this, copy the query text here and go to Reports > Query Reports > New Query Report. Paste the text in the query field and Run the report. This will show you the list of blocked and unblocked devices.