Disable USB Removable Storage for Macs

(imported topic written by SystemAdmin)

In the following forum, there was discussion of disabling the USB for removable storage devices on a PC. Am I able to disable Macs in the same manner?

http://forum.bigfix.com/viewtopic.php?id=1676

Note: I currently have the “Patches for Mac OS X” site. Thank you.

(imported comment written by SystemAdmin)

Also, I just received an evaluation version of the site “Security Policy Manager” and the built-in fixlets that disable USB storage devices appear to be for Windows boxes only. Is there a Mac solution available?

(imported comment written by BenKus)

Hey Demetrius,

Sorry… the Security Policy Manager isn’t available currently for Mac OSX.

Ben

(imported comment written by SystemAdmin)

Thanks for the reply, Ben.

If that is the case, does BigFix at least allow us to rename Mac-specific system files ending with the .kext extension? So for example, rename “sample.kext” to “sample.kext.old” or something like that.

(imported comment written by NoahSalzman)

I’m guessing you are referring to the method documented at these sites?

http://www.macintouch.com/readerreports/security/topic3177.html

http://blogs.techrepublic.com.com/networking/?p=297

You could use the following ActionScript to move the files:

run mkdir /System/Library/Extensions/Hidden
run mv /System/Library/Extensions/IOUSBMassStorageClass.kext /System/Library/Extensions/Hidden/IOUSBMassStorageClass.kext

(That 2nd line wrapped… it is supposed to be one line)

You should definitely test this out before deploying it widely. Also test the reverse procedure… I saw at least one post out there that said a permissions fix and reboot was required to undo this. Lastly, this is not an Apple-approved procedure so it is entirely possible that a Mac OS X software upgrade could either undo this or throw an error when the files are found missing.

Noah
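
The move and the reverse procedure from the post above, written as an idempotent shell script that also reports when both copies of the kext exist (for example after an OS update put it back). This is an added example, not part of the original post or BigFix content; the function names and the EXT_DIR override are hypothetical, and EXT_DIR exists so the logic can be rehearsed against a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the EXT_DIR override
# are hypothetical; EXT_DIR lets you rehearse against a scratch directory.
EXT_DIR="${EXT_DIR:-/System/Library/Extensions}"
KEXT="IOUSBMassStorageClass.kext"

# Prints: enabled | disabled | conflict | missing
usb_storage_status() {
    if [ -d "$EXT_DIR/$KEXT" ] && [ -d "$EXT_DIR/Hidden/$KEXT" ]; then
        echo conflict   # both copies present, e.g. an OS update reinstalled it
    elif [ -d "$EXT_DIR/$KEXT" ]; then
        echo enabled
    elif [ -d "$EXT_DIR/Hidden/$KEXT" ]; then
        echo disabled
    else
        echo missing
    fi
}

# Move the kext into Hidden/; a no-op if that was already done.
usb_storage_disable() {
    state=$(usb_storage_status)
    case "$state" in
        disabled) return 0 ;;
        enabled)  mkdir -p "$EXT_DIR/Hidden" &&
                  mv "$EXT_DIR/$KEXT" "$EXT_DIR/Hidden/$KEXT" ;;
        *)        echo "not disabling: state is $state" >&2; return 1 ;;
    esac
}

# Reverse procedure: move the kext back; a no-op if it is already in place.
usb_storage_restore() {
    state=$(usb_storage_status)
    case "$state" in
        enabled)  return 0 ;;
        disabled) mv "$EXT_DIR/Hidden/$KEXT" "$EXT_DIR/$KEXT" ;;
        *)        echo "not restoring: state is $state" >&2; return 1 ;;
    esac
}

# Usage: script.sh status|disable|restore (defaults to status)
case "${1:-status}" in
    status)  usb_storage_status ;;
    disable) usb_storage_disable ;;
    restore) usb_storage_restore ;;
esac
```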

(imported comment written by SystemAdmin)

Great! Thank you both for your help! This is exactly what I was referring to.

(imported comment written by SystemAdmin)

Noah, is there a significant difference if I use the “mv” command without the “run” preceding it? I was testing this syntax when you placed this post but did not use “run” and was successful. Please advise.

(imported comment written by NoahSalzman)

Run is BigFix ActionScript and would only appear in the Action you write in the BES Console. Everything after “run” is “the unix command the root user would type in the Mac OS X shell”.

(imported comment written by SystemAdmin)

I understand now. If I use a BigFix ActionScript I must use “run” but if I use “sh” instead then I can run the regular unix command. Thank you again.
