on 06-12-2024 09:16 AM
This is an edited transcript of the 05.03.24 IT Hour
Tom: I want to talk for a quick second about the product release that Josh released this week. When we released the original Microsoft Store Integration, all it really was was looking for the string, and you had to go find the string from the URL on the Microsoft Store. We got some really great feedback from folks that would be like “Can we just search for stuff instead?”. And the answer is yes. Thanks to one of our teams that’s been hard at work on this at JumpCloud, that’s now part of the product.
As of yesterday you can open up the Software Management screen, go to the Windows tab, click on the ‘+’ and say “Look for a Microsoft Store Application”. There’s a search field. We’ll search the Microsoft Store for you and make those available and essentially allow you to deploy those individual applications. Now I do want to point out, this is not for legacy applications yet. Those legacy applications that don’t ever work over the MDM channel, we still can’t install. We’re working on that and we’ll have a lot more to say in the next couple of weeks as we get closer to a great solution there. We’re well aware that some of those key applications that are in the legacy category are super useful and we want to make sure those are available.
For example, Adobe unfortunately only makes Acrobat available through the legacy channel, so you can’t search for Acrobat and have that returned. But anything that’s in a modern-style MSIX installer that’s available as part of the Microsoft Store, that’s one of the things that we’re going to be pushing.
Jonathan asked a really great question in the chat, which is, “Can we search for Chocolatey packages too?”. The answer is unfortunately no. We have some real challenges working with the Chocolatey folks. Their API limits are very, very tiny. Any customer who’s got more than a handful of devices in the same subnet has run into this with us in the past. And like we mentioned at the end of last year, we don’t see Chocolatey as a great way to move together and to build future functionality here at JumpCloud. We would consider our Chocolatey integration to be in maintenance mode. At this point we have some exciting alternatives coming around software management that we’d be happy to talk about here on the IT Hour as we go through the third quarter. We’re really excited about what that possibility represents so look for us to talk a little bit more about that in the future.
The big news is in fact USB blocking is back here at JumpCloud. Of course you’re probably thinking it’s about damn time that the USB blocking came back to macOS. Yes, it is, and I want to talk about why it had to go away, what we’ve done to help address that for our customers, what that might open up the door for in the future, etc. But in order to do that I need to talk about a quick history lesson. I also need to talk about how we fixed it. I need to talk about how it works and then we’ll also talk about how we address this going forward.
When macOS started to embrace the MDM space around macOS 10.7, you used to be able to allow or deny individual optical media, optical read-write media, physically attached volumes as well as disk images. You used to be able to set some individual payload options associated with each of those storage types. Unfortunately, back in the 2019-2020 range Apple started to mark that setting as deprecated in the library, but it was still supported in macOS Catalina 10 and in Big Sur and macOS 11. Apple began, however, to push people towards the System Extension framework and Endpoint Security framework as a way to do this instead.
Unfortunately, Apple was still supporting the old method, but they weren’t really clear on when it would actually go away until 2021 with the release of macOS Monterey, when they really said “this isn’t going to really be part of the functionality.” And so it wasn’t until macOS 13, Ventura, that they actually stopped the policy from working entirely. So this was a place where Apple didn’t really provide a great set of deprecation structures. They didn’t have a lot of focus associated with this; it’s not ideal. So we had to start looking into other things as a way of fixing it.
The Endpoint Security framework is how we accomplish this today. It’s now a part of the JumpCloud tray application, due to the way that Apple requires certain system pieces to be put together. System extensions must live in the Applications folder. It can’t exist in the /opt/jc folder with the agent. It has to actually live in a donor application that’s part of the Applications folder here. So when we think about what the Endpoint Security framework is, it’s a C API for macOS development and it’s meant to monitor the system at a very, very low level. It’s also meant to be used in a publish-subscribe model so that events can be subscribed to, like disk mounts or disk attach or device attach. It allows you to have access to those from the System Extensions framework, and it allows you to observe events and to subscribe to those events and then decide whether or not you want to act on those events. So we’re really excited about the ability of JumpCloud to start doing those things.
Events include disc mounts from external and internal sources as well as information on premises about the disk type that’s been attached. Obviously with disk images being so crucial to the Apple platform and for Apple updates and other related things, we didn’t want to totally block off disk image opportunities if only because the JumpCloud agent is also distributed through mechanisms that may be very similar to that. We wanted to make sure that we can still do those kinds of things on a more global basis. Installer packages and disk images are excluded from this because this is all about blocking just those external volumes that get plugged directly into the machine.
So system extensions require special policies to activate control and permission. Anybody who’s dealt with deploying CrowdStrike or SentinelOne, some printer drivers, etc. knows you need a system extension to do those kinds of crazy things, especially to attach physical hardware or anything with a network filter or a web filter. You need to be able to deploy those kinds of system extension policies through the Privacy Preferences Policy Control system that Apple makes available and that we call an App Privacy Policy. So we’re taking care of a lot of the details for this under the hood.
I do want to talk a little bit more about the nuts and bolts here of how the USB blocking tool works in JumpCloud. It’s really straightforward. As we mentioned, all of this is built into the JumpCloud app. It’s the Tray application that lives in the Applications folder. It contains a system extension inside of it. Now in addition, we also include a system extensions payload in the JumpCloud MDM default configuration that allows us to activate that system extension when we need to. So in that case we’re deploying a system extensions policy directly related to the end user’s device, and then, if you so choose, you can block external storage. You can add an External Storage Restrictions policy that creates the USB blocking effect.
Related to that, you might be asking “Well, what do I need in order for this to work?” And the answer is that you need Agent 1.185 or later, which is the tray app version 2.0 build 19 or later. In addition, any macOS 11 or later systems; that’s one more version of the operating system than we currently support. Technically, JumpCloud supports macOS 12 and later. This will work on macOS 11 and later. This will not work on macOS 10.15 and earlier. So be aware of that. And if you have any of those systems that are still running Catalina out there, it’s probably time to rethink that. There are great upgrade paths for you to get a more modern version of the operating system, and I strongly encourage you to do so.
So the policy was unlocked yesterday, and so you can go find it today. It’s called the Mac External Storage Restrictions policy. You might look at that in System Preferences: if you go to Privacy and Security and then Profiles all the way at the bottom, you’re going to see a profile that looks like this - JumpCloud Endpoint Security. You can see that the policy, when it’s applied, will allow your endpoint security extension to run, and then you will also see, in addition to that, a USB external storage restriction policy if that’s applied to your system. We apply that over the MDM channel, and that turns on the storage restriction.
The end user gets to see an experience like this in the Tray application - when you click on the Tray application it will very clearly identify to the end user that external disk mounting is disabled by their admin and when they attach a disk they’ll see a notification from the system in the upper right hand corner that says “External device is not recognized. External disk mounting is disabled by policy. Contact your IT Admin for more information”. When you click that alert you’re going to be taken to a JumpCloud Help Center article that’s going to tell you all about this policy and how to address it. So be aware that this is out there.
So you might be asking yourself, “Tom, what kind of storage does this policy block?” and the answer is thumb drives, jump drives, external hard drives and SD cards as well, using this technology. There’s no storage volume that we’ve found that gets around this yet. Anything that will attempt to use the PCI Express system, the direct USB mounting system on the MacBook device, is going to be blocked, and the user will be notified that they have a problem. The important thing to recognize associated with all of this is that if a device is attached when the policy goes into effect, the device will stay mounted until the system restarts or the user session ends and they log out and log back in again. We will block for all users of a device. We block at the operating system boot level so that you can’t just try and plug it into a system that’s off and have that volume mount. We’re pretty detailed here in terms of how this works.
Q: What happens with MFC printers with SD card readers? How are those handled?
A: So those actually present as multiple different devices. They present as the printer, as the scanner, and the storage device. We will block the storage device but not block the printer and the scanner.
Q: Can it be used with an allow/deny list?
A: No, we don’t trust those identifiers as being unique enough or not hackable enough. Our experience with those is that they can be pretty arbitrary.
Q: Is this only for macOS and Windows or will it work well for mobile devices as well?
A: There are different policies that are available for Windows and mobile devices. We do offer you the ability to block USB storage devices on supervised iOS devices today. We cannot handle those restrictions for device-enrolled or user-enrolled devices. The Apple security model is such that unless the device is supervised, the end user is largely in control of the USB port. If you’d like that to change, I strongly recommend going into Feedback Assistant on your Mac or iOS device and filing a feedback request that those things should be broader and that those functionalities should be available to you.
Q: Is optical storage also covered?
A: No, optical storage is not a part of this. There are no Macs that ship with an optical drive any more, so if you bring an external Blu-ray drive that may still work. It’s also likely that those storage volumes mount directly via USB. We have not tested that, but I would expect it not to work.