02-22-2023 02:21 AM
Hi Folks,
Most of you are probably aware that our "Disable Removable Storage Access" policy for macOS stopped working on macOS Big Sur (or later) due to a change in the MDM framework made by, you guessed it, Apple.
Long story short, MDM providers are all in the same boat, JC included. But thanks to our partnership with CrowdStrike, we can achieve the same goal by leveraging their "USB device control policy".
How To
1. On your CS admin console, go to "Endpoint Security" -> USB Device Control -> Policies.
2. Click tab "Mac Policies" -> "Create new policy".
3. Platform -> Mac -> name the policy -> use "monitor and enforce" as the mode -> create policy.
4. At the settings page, click "Mass Storage" -> tick "full block" -> save.
5. (Optional) You could use a pop-up notification to warn the user when USB storage is plugged in.
6. Assign the policy to a host group that your target Mac devices are part of.
7. Wait a bit (up to 10 mins) for the Falcon agent to sync the policy, and make sure the status shows "applied".
8. Plug in a USB stick and try it out.
That's it!
P.S. I do see some EDR solutions are picking this up as one of their advantages, so there are definitely many choices out there, not limited to CrowdStrike.
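For step 8, a scripted check can stand in for the manual test across many Macs. The script below is an added example, not part of the original post or any CrowdStrike or JumpCloud tooling: it compares `diskutil list external physical` with `mount` and reports any volume mounted from an external physical disk. The function names and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example: confirm that no volume from an external physical disk is
# mounted once the USB device control policy shows "applied".
# Function names are hypothetical. Limitation: APFS volumes appear on a separate
# "synthesized" disk and are not followed here; FAT/exFAT/HFS+ sticks are covered.

# stdin: text output of `diskutil list external physical`
# stdout: whole-disk identifiers, e.g. "disk4"
external_disks() {
    sed -n 's|^/dev/\(disk[0-9][0-9]*\) (external, physical):.*|\1|p'
}

# $1: `diskutil list external physical` output, $2: `mount` output
# stdout: mount points that sit on an external physical disk, one per line
mounted_external_volumes() {
    for d in $(printf '%s\n' "$1" | external_disks); do
        printf '%s\n' "$2" |
            sed -n "s|^/dev/${d}s[0-9][0-9]* on \(.*\) (.*|\1|p"
    done
}

# Constructed sample data in the layout macOS prints (not captured from a real host).
SAMPLE_DISKS='/dev/disk4 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *15.5 GB    disk4
   1:                 DOS_FAT_32 UNTITLED                15.5 GB    disk4s1'
SAMPLE_MOUNT_BLOCKED='/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
/dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse)'
SAMPLE_MOUNT_ALLOWED="$SAMPLE_MOUNT_BLOCKED
/dev/disk4s1 on /Volumes/UNTITLED (msdos, local, nodev, nosuid, noowners)"

# On a Mac, check the live system; exit status 1 means a volume got through.
if command -v diskutil >/dev/null 2>&1; then
    found=$(mounted_external_volumes "$(diskutil list external physical)" "$(mount)")
    if [ -n "$found" ]; then
        echo "FAIL: external volume(s) mounted: $found"
        exit 1
    fi
    echo "OK: no external mass-storage volume is mounted"
fi
```

Run it with a test stick plugged in; a non-zero exit status means the policy has not taken effect on that host.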