
amitdel

macrumors member
Original poster
Nov 24, 2020
41
16
Hi All

I wanted to get some help regarding USB A and C ports on the M1 Mac Mini

To prevent users from stealing / exfiltrating data via USB drives / Pen Drives, I would like to:

a) Prevent any such mass storage devices from being able to connect to the M1 Mac Mini
b) While allowing them to use the ports for things like Keyboard & Mouse

To clarify; these are authorized users; in the sense they have access to the data (on the M1 Mac Mini); but should not be able to copy it out (or copy data in) using the USB C / A ports

On windows machines; many antivirus software have this feature (disable / read only / write only access to usb ports). However, I don't know of a cheap and reliable similar solution for Macs.

Thanks in advance for your time in reading; and for help

Cheers
 

Clincero

macrumors newbie
Jun 11, 2011
18
3
You might be able to supervise the devices using Apple Configurator 2 and apply a profile with an allowFilesUSBDriveAccess restriction.
 

amitdel

macrumors member
Original poster
Nov 24, 2020
41
16
@Clincero - Thank you for taking time out to reply! I am a non technical user; but I will definitely research this. In the meanwhile, if there is any direct tutorial / help video; I would be glad to get that, if possible.

Also, any 3rd party tools (not at enterprise level pricing!), that may help in accomplishing this? Don't mind paying some $50-100 for this feature.

I believe the internet related restrictions (say blocking gmail / webmail) can be accomplished by parental control (whitelist only a specific number of websites).

Warm Regards
 

FreakinEurekan

macrumors 603
Sep 8, 2011
6,456
3,332
Could always use physical security. Put the Mac in a locked box with whatever’s necessary already plugged in.
 

amitdel

macrumors member
Original poster
Nov 24, 2020
41
16
@FreakinEurekan - Thank you. This is an interesting idea, and possible, as all ports are on a single location in the back.

However, thinking of using multiple M1 Macs, and if possible; would love a software solution, as this would be tough to scale.

I have been researching this today; and apparently some endpoint security should be able to do this. But this kind of software all seems to be enterprise level; and presumably has enterprise pricing.

Warm Regards
 

Gudi

Suspended
May 3, 2013
4,590
3,267
Berlin, Berlin
USB-C: Cancel or allow

This is not what you're looking for, but highlights the different understanding of security on a Mac vs PC. The Mac always trusts the user, it's the outside world which is the danger. Corporations who run Windows don't even trust their own employees. At that point, shut the ports down with superglue and become a classic Tron villain.
 

amitdel

macrumors member
Original poster
Nov 24, 2020
41
16
@Gudi - Thanks. This makes for interesting reading, and I will check the USB permission and lockdown mode on Ventura.

Actually, I used to be a mid senior-manager for a major global corporation, and for us anyway, it was not about trust per-se : we needed to demonstrably have means to prevent data leaks / theft as a legal requirement (say when your guys are working on sensitive 3rd party client data).

So software or hardware firewalls for internet; and disable mass storage devices.

I saw one post somewhere which suggests to write a script to immediately eject a connected mass storage device. So I am sure this should be possible with some readymade product? Someone suggested crowdstrike; but it seems to be a big corp solution; and maybe not accessible to a regular joe. If someone has an experience with it; please do share!

So looking for an affordable endpoint security solution, or a simpler means to block mass storage
 

Gudi

Suspended
May 3, 2013
4,590
3,267
Berlin, Berlin
It just reminds me of the Swiss banks, who banned CD drives after their employees started to sell their client data to German tax authorities. There are probably good legitimate reasons to shut out the users, but it doesn't feel right.
 

amitdel

macrumors member
Original poster
Nov 24, 2020
41
16
Yep; However, this is now much more common as a requirement. E.g. Sarbanes Oxley :


If a corporation outsources work to vendors (maybe a 1-5 employee team); the said vendors also have to comply compulsorily

Everyone from the CEO to the junior-most analyst is subject to the same rules inside; so vendors are also covered automatically.
 

ChrisA

macrumors G5
Jan 5, 2006
12,900
2,109
Redondo Beach, California
Hi All

I wanted to get some help regarding USB A and C ports on the M1 Mac Mini

To prevent users from stealing / exfiltrating data via USB drives / Pen Drives, I would like to:

a) Prevent any such mass storage devices from being able to connect to the M1 Mac Mini
b) While allowing them to use the ports for things like Keyboard & Mouse

To clarify; these are authorized users; in the sense they have access to the data (on the M1 Mac Mini); but should not be able to copy it out (or copy data in) using the USB C / A ports

On windows machines; many antivirus software have this feature (disable / read only / write only access to usb ports). However, I don't know of a cheap and reliable similar solution for Macs.

Thanks in advance for your time in reading; and for help

Cheers

Anyone can find a way to move information if he has physical access to the computer.

For example, how does the keyboard connect to the computer? It uses Bluetooth. So anyone who has access to the keyboard and mouse has access to Bluetooth.

That said, if you want to disable physical ports, the usual solution is epoxy. Place epoxy in the hole and let it harden, and the port will never again be usable.

The only solution is to only hire people you can trust.

(Yes on Windows PC there is some software, but it only makes you feel good. Anyone with physical access to the computer can get what they want.)

As I said, "How does the keyboard connect?" They will always have access as long as the computer has a keyboard and monitor.
 

amitdel

macrumors member
Original poster
Nov 24, 2020
41
16
Thanks @ChrisA

Appreciate the input about Bluetooth. On the windows machine; we disable bluetooth via software solutions.

Keyboards & Mouse connect via USB-A. It is possible to use ports for such accessories; charging etc; while simultaneously blocking them from mass storage devices using software solutions.

On the trust part; again; it could just be me and my family members working; but if I am a subcontractor with such a stipulation; I need to demonstrably be able to show that data cannot reasonably be taken out by workers at will. Of course nothing is 100% foolproof; but leaving a port directly open is a problem.

This is usually the case when you are handling financial data; and you are subject to self declarations and audits on your processes.

I am hopeful someone has any experience with reasonably priced ENDPOINT SECURITY solutions for macs.

Cheers
 

ChrisA

macrumors G5
Jan 5, 2006
12,900
2,109
Redondo Beach, California
Thanks @ChrisA

Appreciate the input about Bluetooth. On the windows machine; we disable bluetooth via software solutions.

Keyboards & Mouse connect via USB-A. It is possible to use ports for such accessories; charging etc; while simultaneously blocking them from mass storage devices using software solutions.

On the trust part; again; it could just be me and my family members working; but if I am a subcontractor with such a stipulation; I need to demonstrably be able to show that data cannot reasonably be taken out by workers at will. Of course nothing is 100% foolproof; but leaving a port directly open is a problem.

This is usually the case when you are handling financial data; and you are subject to self declarations and audits on your processes.

I am hopeful someone has any experience with reasonably priced ENDPOINT SECURITY solutions for macs.

Cheers
I've been given more than one Mac that was completely locked down, the password was unknown, Apple ID unknown and the computer would not boot. It was basically a "brick"

It takes about 10 minutes to gain access to the data given the above starting point and no need to access USB ports.

The bottom line is that if the user has physical access to the keyboard, even a Macbook keyboard that can not be unplugged, then he has complete access to the computer no matter what software you install.

Yes, you can prevent access by unskilled people who don't know much, but not if the person knows what they are doing.

Desktop PCs can be locked down better as long as you place a padlock on the case so it can't be physically opened. There is then no option but to cut the lock. A smart thief would then replace the lock with a new one of the same brand.

Software locks are like the lock on your house's front door. It keeps honest people out.
 

Lihp8270

macrumors 65816
Dec 31, 2016
1,139
1,601
I've been given more than one Mac that was completely locked down, the password was unknown, Apple ID unknown and the computer would not boot. It was basically a "brick"

It takes about 10 minutes to gain access to the data given the above starting point and no need to access USB ports.

The bottom line is that if the user has physical access to the keyboard, even a Macbook keyboard that can not be unplugged, then he has complete access to the computer no matter what software you install.

Yes, you can prevent access by unskilled people who don't know much, but not if the person knows what they are doing.

Desktop PCs can be locked down better as long as you place a padlock on the case so it can't be physically opened. There is then no option but to cut the lock. A smart thief would then replace the lock with a new one of the same brand.

Software locks are like the lock on your house's front door. It keeps honest people out.
This is totally irrelevant if your client requires mass storage to be blocked.

It’s not necessarily about stopping everything and everybody. But about demonstrating you have a process to help mitigate the risk
 

amitdel

macrumors member
Original poster
Nov 24, 2020
41
16
@ChrisA - True That. If a person is determined enough; no security is enough, and as I mentioned in my previous post, nothing is 100% foolproof.

However as @Lihp8270 elegantly puts it; in a restricted environment, I still need to show an auditor / client that a risk mitigation process is in place.

My research so far shows stuff like Crowdstrike (of which I have no experience). Would love inputs from folks if someone has done this. Pre-Ventura; you could apparently trash 2 system files to prevent USB mass storage from loading; but I guess it's no longer an option.
 

jdb8167

macrumors 601
Nov 17, 2008
4,854
4,594
I've been given more than one Mac that was completely locked down, the password was unknown, Apple ID unknown and the computer would not boot. It was basically a "brick"

It takes about 10 minutes to gain access to the data given the above starting point and no need to access USB ports.
Maybe years ago but not on a modern Mac with a Secure Enclave. The data is encrypted via the SE and the user's password. You won't get past the recovery page without the password.
 

jdb8167

macrumors 601
Nov 17, 2008
4,854
4,594
@ChrisA - True That. If a person is determined enough; no security is enough, and as I mentioned in my previous post, nothing is 100% foolproof.

However as @Lihp8270 says, in a restricted environment, I still need to follow a checklist to show that I have eliminated the obvious holes.

The best analogy I can think of is a vaccine : nothing will protect 100%; but I still take it to a) Get reasonable protection and b) signal that I am serious about the threat.

My research so far shows stuff like Crowdstrike (of which I have no experience). Would love inputs from folks if someone has done this. Pre-Ventura; you could apparently trash 2 system files to prevent USB mass storage from loading; but I guess it's no longer an option.
Unfortunately if the user has an iPhone they can just point their phone at a screen and iOS will convert any text on the screen to editable text and let the user save it on their phone or in the cloud. To be secure you would have to ban any outside device. Not sure how many people want to work in an environment like that.
 

amitdel

macrumors member
Original poster
Nov 24, 2020
41
16
Unfortunately if the user has an iPhone they can just point their phone at a screen and iOS will convert any text on the screen to editable text and let the user save it on their phone or in the cloud. To be secure you would have to ban any outside device. Not sure how many people want to work in an environment like that.
True, or print out the data. Or take a photo for later OCR. That's why institutions like banks (and their subcontractors) ban camera phones on the floor; and have CCTV coverage.

Not sure if this is true in places like US / European banks as well (the cctv part), but I assume that's the case. The people who work in such environments know the sensitivity of the information they handle (as an example, say you have unmasked CC data, credit histories, medical records subject to HIPAA - stuff like that).
 

mcnallym

macrumors 65816
Oct 28, 2008
1,207
932
There are endpoint security solutions for Mac which allow lock down of usb ports so that can plug keyboard in for instance but not a usb storage key or external drives or dvd burners.

however one’s aware of are enterprise level so may not necessarily be what call cheap.

endpoint protector by cososys
harmony endpoint by checkpoint
crowdstrike which see someone else already mentioned.

they do have evaluation offerings so could try but certainly checkpoint isn’t what would call cheap.

where I work now has crowdstrike and before that worked at various checkpoint partners.

1st option aimed at smb as well so may be most suitable. Offers 30 day free trial and saas deployment so no need for onsite management. Never used it however maybe worth looking at.
 

DearthnVader

Suspended
Dec 17, 2015
2,207
6,391
Red Springs, NC
I would assume there would be a way to change permissions to mount any volume to root.

That would be the easiest way I could think of. That way they would need an admin password to mount an external volume.

Likely it would be the same for any *nix, so I'd look into that. Surely someone has done this with Linux boxes.
 

DearthnVader

Suspended
Dec 17, 2015
2,207
6,391
Red Springs, NC
I would assume there would be a way to change permissions to mount any volume to root.

That would be the easiest way I could think of. That way they would need an admin password to mount an external volume.

Likely it would be the same for any *nix, so I'd look into that. Surely someone has done this with Linux boxes.
Changing the permissions of /Volumes would seem to be half the answer, however it does not persist across reboots.

Code:
sudo chmod 700 /Volumes

You'll need some sort of script that runs during startup.
 
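One way to build the startup script mentioned in the post above, as an added example that is not part of the original thread: a shell script that re-applies mode 700 when the directory has drifted, plus a launchd job definition that runs it at boot. The label `com.example.lockvolumes` and the script path `/usr/local/sbin/lock-volumes.sh` are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: re-apply the thread's `chmod 700 /Volumes` at every boot.
# LABEL and SCRIPT are hypothetical names chosen for this sketch.
LABEL="com.example.lockvolumes"
SCRIPT="/usr/local/sbin/lock-volumes.sh"

# Print the 9-character permission string of a directory, e.g. rwx------
dir_perms() {
    ls -ld "$1" | cut -c2-10
}

# Set mode 700 if the directory has drifted; print "changed" or "ok".
enforce_mode() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing"; return 1; }
    if [ "$(dir_perms "$dir")" = "rwx------" ]; then
        echo "ok"
    else
        chmod 700 "$dir" && echo "changed"
    fi
}

# Write a launchd job definition that runs the script once at load (boot).
write_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$LABEL</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>$SCRIPT</string><string>enforce</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

case "${1:-}" in
    enforce) enforce_mode /Volumes ;;   # what launchd runs as root at boot
    plist)   write_plist "${2:?usage: $0 plist OUTPUT_FILE}" ;;
esac
```

The generated file belongs in /Library/LaunchDaemons, owned by root, so that launchd runs the `enforce` step as root at startup. The mode change only keeps non-admin accounts from traversing /Volumes; anyone with admin rights can revert it.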

NT1440

macrumors Pentium
May 18, 2008
15,088
22,154
Anyone can find a way to move information if he has physical access to the computer.

For example, how does the keyboard connect to the computer? It uses Bluetooth. So anyone who has access to the keyboard and mouse has access to Bluetooth.

That said, if you want to disable physical ports, the usual solution is epoxy. Place epoxy in the hole and let it harden, and the port will never again be usable.

The only solution is to only hire people you can trust.

(Yes on Windows PC there is some software, but it only makes you feel good. Anyone with physical access to the computer can get what they want.)

As I said, "How does the keyboard connect?" They will always have access as long as the computer has a keyboard and monitor.
That’s not how corporate compliance works though. You have to demonstrate the inability to do X or Y. Trust should never be part of your security footing at a company.
 