Forcing your Macs to unmount external drives is an important security control. This article covers creating a Smart Software item that disables external drives on your devices. The solution below generates a bash script and a property list that together form a LaunchDaemon. The daemon runs in the background, unmounts any external physical disks that are attached when it starts, and then watches disk activity and unmounts new external drives as soon as they appear, so USB storage never stays mounted on the Mac. Note that it works by unmounting disks after macOS has detected them rather than by blocking the USB port, so non-storage USB devices are unaffected.
- On the left sidebar, navigate to the Catalog page.
- Select the Software tab or select the Software option in the body of the page.
- Smart Software will be automatically selected. Next, select New.
- Give it an appropriate title like "Disable External USB Drives" and Version 1.0.0. Then click on the Create button.
- In the Installation Script field copy and paste the following commands:
```bash
#!/bin/bash
cat << "EOF" > "/Library/Addigy/unmount_all_external_drives.sh"
#!/bin/bash
IFS=$'\n'

# Scans for all external physical disks and stores their identifiers (disk2, disk10, ...) in diskList
function scan_disks() {
    diskList=()
    for disk in $(diskutil list | grep "external, physical" | grep -oE 'disk[0-9]+'); do
        diskList+=( "${disk}" )
    done
    echo "Detected Disks:"
    echo "${diskList[*]}"
}

# Unmounts every disk found by scan_disks
function unmount_disks() {
    for volume in "${diskList[@]}"; do
        echo "Unmounting External USB Drive: ${volume}"
        diskutil unmountDisk "${volume}"
    done
}

# Watches disk arbitration events for about two seconds and stores the captured output in $activity
function get_disk_activity() {
    activity=$(diskutil activity & sleep 2; kill -9 $!)
}

# Unmount anything that is already attached when the daemon starts
scan_disks
unmount_disks

# Keep this check running persistently and indefinitely
while true; do
    # Wait until diskutil reports a DiskPeek event, i.e. a newly attached disk being probed
    get_disk_activity
    until [[ "${activity}" == *'DiskPeek'* ]]; do
        get_disk_activity
    done
    scan_disks
    unmount_disks
done
EOF

cat << "EOF" > /Library/LaunchDaemons/com.addigy.agent-unmount.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.addigy.agent-unmount</string>
    <key>ProgramArguments</key>
    <array>
        <string>bash</string>
        <string>/Library/Addigy/unmount_all_external_drives.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>StandardOutPath</key>
    <string>/Library/Addigy/usb_unmount.log</string>
    <key>StandardErrorPath</key>
    <string>/Library/Addigy/usb_unmount.log</string>
</dict>
</plist>
EOF

sudo launchctl load /Library/LaunchDaemons/com.addigy.agent-unmount.plist
```

- In the Conditions for Install field, copy and paste the following command into the Condition Scripts > Advanced: Custom Conditional Commands field:
```bash
#!/bin/bash
# Exit 1 (skip the install) when the daemon is already loaded, exit 0 (install) otherwise
if sudo launchctl list | grep -q com.addigy.agent-unmount; then
    echo "Unmount USB External Drives already running"
    exit 1
fi
exit 0
```

- In the Remove Script field, copy and paste the following command:
```bash
#!/bin/bash
# Stop the daemon, then delete the plist and the script it runs
launchctl unload "/Library/LaunchDaemons/com.addigy.agent-unmount.plist"
if launchctl remove com.addigy.agent-unmount; then
    echo "Daemon Removed"
fi
if rm -f "/Library/LaunchDaemons/com.addigy.agent-unmount.plist"; then
    echo "Daemon plist file removed from /Library/LaunchDaemons"
fi
if rm -f "/Library/Addigy/unmount_all_external_drives.sh"; then
    echo "USB Unmount Files Removed"
fi
```

- Finally, Save your changes.
You can now deploy the new Custom Software. We recommend testing on a single device first.
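Before deploying, the daemon's detection logic can be exercised offline. The following script is an added example and not part of the Addigy article: it reimplements the script's parsing of `diskutil list` and its DiskPeek check as functions and runs them against constructed sample output (the disk identifiers and activity lines are made up to resemble real `diskutil` output), printing the unmount commands it would run instead of executing them.

```shell
#!/bin/bash
# Added example: offline dry run of the daemon's detection logic (not from the Addigy article).
# Both samples below are constructed to resemble diskutil output; they are not real captures.
SAMPLE_DISKUTIL_LIST=$(cat <<'SAMPLE'
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +500.0 GB   disk1
/dev/disk4 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *31.0 GB    disk4
   1:                 DOS_FAT_32 USBSTICK                31.0 GB    disk4s1
/dev/disk10 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *2.0 TB     disk10
   1:       Microsoft Basic Data BACKUP                  2.0 TB     disk10s1
SAMPLE
)
SAMPLE_ACTIVITY=$(cat <<'SAMPLE'
***DiskAppeared ('disk4', DAVolumePath = '<null>')
***DiskPeek ('disk4s1')
***DiskAppeared ('disk4s1', DAVolumePath = '/Volumes/USBSTICK')
SAMPLE
)

# Whole-disk identifiers (disk4, disk10, ...) of every external physical disk, one per line.
# Only the "/dev/diskN (external, physical):" header lines are considered, so partitions
# such as disk4s1 and internal or synthesized disks are never returned.
external_disks() {
    printf '%s\n' "$1" | grep "external, physical" | grep -oE 'disk[0-9]+'
}

# Returns 0 if a captured diskutil activity window contains the DiskPeek event the
# daemon waits for, 1 otherwise (for example an idle window with no new disk).
saw_disk_peek() {
    case "$1" in
        *DiskPeek*) return 0 ;;
    esac
    return 1
}

# Dry run: prints the unmount command the daemon would run for each external disk
# instead of executing it, so the parsing can be checked before deployment.
plan_unmounts() {
    for disk in $(external_disks "$1"); do
        printf 'diskutil unmountDisk %s\n' "$disk"
    done
}

plan_unmounts "$SAMPLE_DISKUTIL_LIST"
```

Running it prints one `diskutil unmountDisk` line each for disk4 and disk10, which confirms that two-digit identifiers are parsed correctly and that partitions are not targeted separately.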