Learn how to configure the Accessory & Storage Access Library Item
Kandji's Accessory & Storage Access Library Item allows you, as the device or security administrator, to define access privileges and controls for external storage volumes, server volumes, and DMG file types on Mac computers.
To use this Library Item, the Endpoint Detection & Response add-on is necessary. However, you do not need to assign the Avert Library Item to the device Blueprint in order to deploy this Library Item.
- Add an Accessory & Storage Access Library Item
- External volumes
- Disk images
- Server Volumes
- Restricted Mode on Apple Silicon
Add an Accessory & Storage Access Library Item
- Navigate to Library in the left-hand navigation bar.
- Click Add New on the top-right, and choose Accessory & Storage Access.
- Click Add & Configure.
- Give the new Accessory & Storage Access Library Item a Name.
- Assign to your desired Assignment Maps or Classic Blueprints.
- Optionally, configure Assignment Rules for Classic Blueprints.
External volumes
The External volumes section allows you to manage access privileges for external storage devices such as USB, CD, and DVD drives connected to the accessory port and memory cards (SD, SDXC) inserted in the SD card slot. To manage access for external volumes, follow the steps below.
The Require encryption and Require admin password to access settings are only available for Read & Write and Read only access privileges.
- Turn on management for external volumes.
- From the Access privileges menu, select the desired access privileges for external volumes. The available options are: Read & Write, Read only, or No access.
- Optionally, select Require encryption to ensure only encrypted volumes are mounted. For information about using Disk Utility to encrypt storage devices, see this Apple support article.
- Optionally, select Require admin password to access to prompt users for an admin password to access content.
- Select All users to apply the access privileges to all users, including admin, or select Standard users to apply the access privileges only to standard users.
- Optionally, select Display alert messages to alert users when the mounting of external volumes are blocked. Note, this setting is forced on when Require admin password to access is selected.
Disk images
The Disk images section allows you to manage access privileges for DMG file types. To manage access for disk images, follow the steps below. Disk image settings specified here will apply to all DMG mounts on the device, including those in scripted automated workflows and in-app DMG mounts such as Google Chrome's Auto Update Agent.
The Require admin password to access setting is only available for Read & Write and Read only access privileges.
- Turn on management for disk images.
- The Access privileges menu allows you to select the desired access privileges for disk images. The available options are: Read & Write, Read only, or No access.
- Optionally, select Require admin password to access to prompt users for an admin password to access content.
- Select All users to apply the access privileges to all users, including admin, or select Standard users to apply the access privileges only to standard users.
- Optionally, select Display alert messages to alert users when the mounting of disk images is blocked. Note, this setting is forced on when Require admin password to access is selected.
Server Volumes
The Server volumes section allows you to manage access privileges for server volume mounts such as SMB shares. To manage access for server volumes, follow the steps below.
Any external, server and DMG volumes previously mounted on the device prior to the deployment of this Library Item will not be managed by Kandji until these items are unmounted and a re-mount is attempted.
- Turn on management for server volumes.
- Choose the desired access privileges for disk images from the Access privileges menu. The available options are: Read & Write or No access.
- Select All users to apply the access privileges to all users, including admin, or select Standard users to apply the access privileges only to standard users.
- Optionally, select Display alert messages to display alert messages to users when the mounting of external volumes is blocked.
- Click the Save button to save the Accessory & Storage Library Item to your Library.
Restricted Mode on Apple Silicon
On a Mac with Apple silicon running macOS 13+ and depending on the device's Privacy & Security settings, when new or unknown USB accessories are used, the user may get an alert asking whether or not the USB accessory should be allowed to connect. This is known as Restricted Mode on macOS and is independent of Device alert settings in this Library Item. Restricted Mode can be managed with the Allow USB accessories while device is locked setting in the Restrictions Library item. See this Apple support article for more details.