Showing results forย 
Search instead forย 
Did you mean:ย 

Blocking External USB Storage with Crowdstrike USB policy - MacOS

Rising Star III
Rising Star III

Hi Folks,

Probably most of you are aware our "Disable Removable Storage Access" policy for MacOS stopped working on MacOS Big Sur (or later), due to the change of MDM framework - you guessed it, by Apple. 

Long story short, MDM providers are all on the same boat - JC included. But, thanks to our partnership with Crowdstrike, by leveraging on their "USB device control policy", we are able to archive the same goal. 

How To

1. On your CS admin console, go to "Endpoint Security" -> USB Device Control -> Policies.

2. Click tab "Mac Policies" -> "Create new policy".

Screenshot 2023-02-22 at 14.22.35.png

3. Platform -> Mac -> name the policy -> use "monitor and enforce" as the mode -> create policy. 

Screenshot 2023-02-22 at 15.07.24.png

4. At the settings page, click "Mass Storage" -> tick "full block" -> save.

Screenshot 2023-02-22 at 14.23.50.png

5. (Optional) You could use a pop-up notification to warn the user when the usb storage plugged in:

Screenshot 2023-02-22 at 15.19.04.png

6. Assign the policy to a host group where your target Mac devices are part of.

Screenshot 2023-02-22 at 14.24.31.png

7. Wait a bit (up to 10 mins) for Falcon agent to sync the policy, and make sure the status is showing "applied"

Screenshot 2023-02-22 at 15.13.19.png 

7. Plug in an USB stick and try it out, it looks like this: 

USBBlockingCS (1).gif

That's it!


P.S. I do see some EDR solutions are picking this up as 1 of their advantage, so the choices are definitely many (out there) not limited to Crowdstrike. 



You Might Like

New to the site? Take a look at these additional resources:

Community created scripts

Keep up with Product News

Read our community guidelines

Ready to join us? You can register here.