Skip to main content
  1. Addigy
  2. FAQ
  3. FAQ

Blocking External USB Drives

Updated:

This article covers creating a Smart Software item that will force disable external drives on your Macs. The following solution will generate a bash script and property list which form the LaunchDaemon that runs in the background blocking any USB drives from mounting on a Mac.

Table of Contents

Creating the Smart Software 

  1. On the left sidebar navigate to the Catalog > Software > New
  2. Name your Smart Software.
  3. In the Installation Command field copy and paste the following script: 
    #!/bin/bash

    IFS=$'\n'

    #!/bin/bash

    cat << "EOF" > "/Library/Addigy/unmount_all_external_drives.sh"

    #Function to eject externally connected drives
    eject_drive() {
        local disk=$1
        echo "Ejecting $disk"
        diskutil eject "$disk" >/dev/null 2>&1
        if [ $? -eq 0 ]; then
            echo "$disk has been ejected"
        else
            echo "Unable to eject $disk"
        fi
    }

    # Function to persisently monitor for external USB drives
    while true; do
        # List all external drives while excluding internal drives
        external_drives=$(diskutil list | grep external | awk '{print $1}')

        if [ ! -z "$external_drives" ]; then
            echo "External drive(s) detected:"
            echo "$external_drives"

            # Eject each detected external disk
            for disk in $external_drives; do
                eject_drive "$disk"
            done
        fi

    done
    EOF

    cat << "EOF" > /Library/LaunchDaemons/com.addigy.agent-unmount.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC -//Apple Computer//DTD PLIST 1.0//EN
    http://www.apple.com/DTDs/PropertyList-1.0.dtd>
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.addigy.agent-unmount</string>
        <key>UserName</key>
        <string>root</string>
     <key>ProgramArguments</key>
        <array>
         <string>zsh</string>
         <string>/Library/Addigy/unmount_all_external_drives.sh</string>
        </array>
     <key>WatchPaths</key>
        <array>
            <string>/Volumes/</string>
        </array>
     <key>RunAtLoad</key>
     <true/>
     <key>KeepAlive</key>
     <true/>
     <key>StandardOutPath</key>
     <string>/Library/Addigy/usb_unmount.log</string>
     <key>StandardErrorPath</key>
     <string>/Library/Addigy/usb_unmount.log</string>
    </dict>
    </plist>
    EOF

    sudo chown root:wheel /Library/LaunchDaemons/com.addigy.agent-unmount.plist

    sudo chmod 644 /Library/LaunchDaemons/com.addigy.agent-unmount.plist

    sudo chmod 774 /Library/Addigy/unmount_all_external_drives.sh

    sudo launchctl bootstrap system /Library/LaunchDaemons/com.addigy.agent-unmount.plist

 

  1. In the Conditions for Install field click on the Advanced: Custom Conditional Commands text in blue. Copy and paste the following script into the blank field.   
    #!/bin/bash

    if [[ $(sudo launchctl list | grep com.addigy.agent-unmount) != '' ]]; then
    echo "Unmount USB External Drives already running"
    exit 1
    fi

    exit 0
  2. In the Removal Command field copy and paste the following script:
    #!/bin/bash

    launchctl unload "/Library/LaunchDaemons/com.addigy.agent-unmount.plist"

    if launchctl remove com.addigy.agent-unmount; then
    echo "Daemon Removed"
    fi

    if rm -rf "/Library/LaunchDaemons/com.addigy.agent-unmount.plist"; then
    echo "Daemon plist file removed from /Library/LaunchDaemons"
    fi

    if rm -rf "/Library/Addigy/unmount_all_external_drives.sh"; then
    echo "USB Unmount Files Removed"
    fi
  3. Save the Smart Software. 
  4. Deploy the Smart Software to a policy or policies (we recommend testing on a single device prior to deployment).

 



Was this article helpful?
2 out of 6 found this helpful
Return to top

Didn’t find what you’re looking for?

Contact our Support Team