How to configure Media management settings for macOS devices?

Data security is one of the prime concerns in a business environment. Data stored on a corporate device should be kept safe, and the organization should control access to corporate content in every possible way. Hexnode enables you to configure advanced media usage settings for external drives, internal drives, and optical media on macOS devices. You can allow media use, deny it, or permit it only for authenticated users. Denying media usage prevents the media from being mounted and restricts data transfer from the devices. This helps keep the data secure from unauthorized access.

Notes:

  • This feature is supported on macOS 10.13.6+.

Configure advanced settings for media usage on macOS devices

  1. Log in to your Hexnode MDM portal.
  2. Navigate to Policies > New Policy. Assign a suitable name and description (optional) for the policy. You can also choose to continue with an existing policy.
  3. Go to macOS > Security > Media Management. Click Configure.
  4. External Media

    You can manage the use of external media devices such as SD cards, USB flash drives or other external mountable media on Mac.

    | Settings | Description |
    |---|---|
    | Allow all use of external media | Enable the option to allow the use of all types of external media. |
    | Deny all use of external media | Choose this option to disallow the use of all the external media. Users cannot mount any external media, thus preventing data transfer to/from the device using the media. |
    | Allow use of external media after authentication with admin credentials | Select this option to allow the use of external media only after authenticating the user with the admin credentials. It generates a prompt for user authentication with admin credentials as the user mounts an external media in case of a ‘Standard’ user account. Once authenticated, it will be valid throughout the active login session of the account. No user authentication is required if the user is already logged in to the ‘Administrator’ account. |
    | Allow use of external media as read only | Enable the option to allow the use of external media as read-only. Thus, the media is mounted as a read-only device, and the user cannot copy files from Mac to the external media. This setting does not affect the transfer of data from the external media to the macOS device. |
    | Allow use of external media as read only after authentication with admin credentials | Enable the option to allow external media to be read-only after authentication with admin credentials for a ‘Standard’ user account. Once authenticated, it will be valid throughout the active login session of the user account. No user authentication is required if the user is already logged in to the ‘Administrator’ account. |

    Note:

    Regardless of the configured option, mobile devices can still connect to the Mac if third-party apps are used to establish the connection (for example, Android File Transfer Agent).

    Internal Media

    The Disk Utility service on macOS devices helps users manage the internal/external storage media. Apple File System (APFS) allocates disk space on demand for managing the internal/external storage, and you can add/delete/erase volumes or even partition the disk with Disk Utility. Hexnode helps you determine whether users can use the internal storage disks or partitions (excluding the macOS system volume) using the Disk Utility app. You can select any one of the following options to manage the use of internal media or partitions.

    | Settings | Description |
    |---|---|
    | Allow all use of internal media or partition | Enable the option to allow the use of internal media or partition. |
    | Deny all use of internal media or partition | Select the option to disallow the use of internal media or partition. The user cannot mount the internal media or partition when the option is selected. Data stored in the internal media can be accessed only if the corresponding volume or partition is mounted with Disk Utility. Thus, the user is prevented from accessing the data stored in the internal media or partition. |
    | Allow use of internal media or partition after authentication with admin credentials | Enable the option to allow internal media or partition only after authenticating the user with the admin credentials. If this option is selected, a prompt for user authentication with admin credentials is generated for a ‘Standard’ user account as the user mounts an internal media or partition. Once authenticated, it will be valid throughout the active login session of the account. No user authentication is required if the user is already logged in to the ‘Administrator’ account. |
    | Allow use of internal media or partition as read only | Choose the option to allow the use of internal media or partition as read-only. If enabled, the user cannot copy content among volumes in the internal media or partitions. |
    | Allow use of internal media or partition as read only after authentication with admin credentials | Enable the option to allow internal media or partition as read-only after authentication with admin credentials for a ‘Standard’ user account. Once authenticated, it will be valid throughout the active login session of the user account. No user authentication is required if the user is already logged in to the ‘Administrator’ account. |


    Disk Image

    You can determine whether to allow or deny the use of disk images such as .dmg, .sparsebundle, .sparseimage, or .cdr or any other images on the devices.

    | Settings | Description |
    |---|---|
    | Allow all use of disk images | Select the option to permit the use of disk images. |
    | Deny all use of disk images | Enable the option to deny the use of disk images. |

    Note:

    When the use of disk images is denied, the installation of in-house apps uploaded using DMG files will also be prevented.

    Optical Media

    Optical media like CDs, DVDs, and Blu-ray can be controlled if the organization wants to safeguard the data stored on the devices. You can specify how the optical media is to be used by choosing any one of the following settings.

    | Settings | Description |
    |---|---|
    | Allow all use of optical media | Enable the option to permit the use of all the optical media on Mac. |
    | Deny all use of optical media | Choose the option to disallow the use of optical media. All forms of optical media will be prevented from being mounted if the option is chosen. |
    | Allow use of optical media after authentication with admin credentials | Enable the option to allow optical media only after authenticating the user with the admin credentials. If this option is selected, a prompt for user authentication with admin credentials is raised for a ‘Standard’ user account as the user mounts an optical media. Once authenticated, it will be valid throughout the active login session of the account. No user authentication is required if the user is already logged in to the ‘Administrator’ account. |
    | Allow use of optical media as read only | Select the option to allow the use of optical media as read-only. If enabled, the optical media is mounted as a read-only device, and the user cannot copy files from Mac to it. This setting does not affect the transfer of data from the optical media to the macOS device. |
    | Allow use of optical media as read only after authentication with admin credentials | Enable the option to allow optical media as read-only after authentication with admin credentials for a ‘Standard’ user account. Once authenticated, it will be valid throughout the active login session of the user account. No user authentication is required if the user is already logged in to the ‘Administrator’ account. |

  5. Click Save.
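
To confirm that a saved policy reached a device with the intended restrictions, the following Python check (an added example, not from Hexnode's documentation) reads an exported configuration profile and reports the setting per media class. It assumes the settings are delivered through Apple's Media Management payload (`com.apple.systemuiserver`, `mount-controls` dictionary); this page does not state that mapping, and the sample profile is constructed.

```python
import plistlib

# Constructed sample profile. Assumption: the MDM delivers these settings via
# Apple's Media Management payload (com.apple.systemuiserver / mount-controls).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.systemuiserver</string>
    <key>mount-controls</key><dict>
      <key>harddisk-external</key>
      <array><string>authenticate</string><string>read-only</string></array>
      <key>harddisk-internal</key><array><string>authenticate</string></array>
      <key>disk-image</key><array><string>deny</string></array>
    </dict>
  </dict></array>
</dict></plist>"""

# Option wording from this page, keyed by the set of mount-control flags.
LABELS = {
    frozenset(): "allow all",
    frozenset({"deny"}): "deny all",
    frozenset({"authenticate"}): "allow after admin authentication",
    frozenset({"read-only"}): "read only",
    frozenset({"authenticate", "read-only"}): "read only after admin authentication",
}

def effective_settings(profile_bytes):
    """Return {media class: option label} from every Media Management payload."""
    profile = plistlib.loads(profile_bytes)
    result = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.systemuiserver":
            continue
        for media, flags in payload.get("mount-controls", {}).items():
            label = LABELS.get(frozenset(flags))
            result[media] = label or "unrecognized: %s" % sorted(flags)
    return result

def drift(profile_bytes, expected):
    """List media classes whose deployed setting differs from the intended one."""
    actual = effective_settings(profile_bytes)
    return sorted(m for m, want in expected.items()
                  if actual.get(m, "not configured") != want)

if __name__ == "__main__":
    for media, label in sorted(effective_settings(SAMPLE_PROFILE).items()):
        print(f"{media:18} {label}")
```

A media class missing from the profile is reported by `drift` as a mismatch, which catches a policy that was saved without one of the sections configured.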

Associate the Policy with target devices

  1. Go to Policy targets, click on Devices/Device Groups/Users/User Groups/Domains.
  2. Click on +Add Devices.
  3. Select the required Devices/Device Groups/Users/User Groups/Domains. Click OK.
  4. Click on Save to apply the policies to devices.

If the policy has already been saved, you can associate it with the devices using another method.

  1. From Policies, check the policies to be associated.
  2. Click on Manage > Associate targets. Select the Device/Device Group/Users/User Groups/Domains.
  3. Click on Associate to apply the policy to the devices.