Removable Storage Controls Support and Limitations

Jamf Protect Documentation

Supported Devices

Supported devices include the following removable storage devices that are writable, removable, and connected:

  • USB protocols

    • USB2

    • USB3

    • USB4

  • Internal SDXC card slots

  • External SD card reader adapters connected through a supported USB protocol

  • Thunderbolt (PCI Express) connected devices

    Note:

    Requires Jamf Protect Agent version 5.0 or later.

    Overrides for Thunderbolt (PCI Express) will be supported in a future release.

Supported removable storage types apply to Mac computers with either Apple silicon or Intel processors. Thunderbolt-compatible external drives that connect over USB4 using the USB Type-C connector are expected to adhere to permissions and override rules.

Removable storage device events are reported as the EnforcedRemovableDevicePolicy alert. Alerts include information about the device and the matching restriction. The USBInserted built-in analytic, if enabled, monitors both supported and unsupported removable storage devices.

Device Control Limitations

  • Removable device attributes (e.g., write permissions) are reported independently of applied policies. The USBInserted analytic can be used to determine whether USB storage device activity is attempted in the environment, but it does not indicate a successful mount.

  • Executable files cannot execute when removable storage devices are restricted to read-only.

  • Removable storage controls ignore disk images, including DMGs.

  • Connected iOS and iPadOS devices are ignored by removable storage controls. To prevent iOS and iPadOS devices from mounting on your computers, use your organization's MDM solution.