Jamf Protect's built-in Analytic that monitors USB insertions on computers can be customized to monitor specific USB drives for your organization. You can configure the Analytic to detect specific USB drive attributes, such as the vendor, product name, and serial number. For example, if your organization only allows SanDisk USB drives to be used, you can customize the USB insertion Analytic to monitor for non-SanDisk USB drives.
The below command does the job: dmesg
Example:
9196.128103 usb 1-1.2: Product: Cruzer Glide
9196.128107 usb 1-1.2: Manufacturer: SanDisk
9196.128110 usb 1-1.2: SerialNumber:
9196.203755 usb-storage 1-1.2:1.0: USB Mass Storage device detected
9196.203866 scsi7: usb-storage 1-1.2:1.0
9196.203985 usbcore: registered new interface driver usb-storage
9197.
Sandisk, Cruzer, 4GB thumb drive, bearing serial number SDCZ36W004GBH1107WRIB; i. Sandisk, Glide, 32GB thumb drive, bearing serial number.
If you use Jamf Protect and Jamf Pro, you can configure an Analytic action to change the membership of a smart computer group in response to an Analytic.
If configured, Jamf Protect populates an extension attribute when a threat is detected. A smart group in Jamf Pro reads that extension attribute and changes its membership accordingly. Jamf Pro administrators can then identify computers in the smart group and remediate the threat. In addition, you can run a script using a policy in Jamf Pro to display an alert to end users.
In Jamf Protect, click Analytics.
Search for and select the 'USBInserted' Analytic.
In the Analytic Summary pane, click Copy.
Enter a name in the Analytic Name field.
In the Analytic Filter section, edit the predicate logic for your organization. The following example can be used as a starting point to edit predicate logic:
$event.type == 0 AND $event.device.removable == 1 AND $event.device.writable == 1 AND $event.device.vendorName != 'SanDisk' AND $event.device.productName != 'Cruzer Glide' AND NOT $event.device.serialNumber MATCHES 'ABC[0-9][0-9]'
This example monitors for any USB drive that does not have the following attributes:
Vendor—SanDisk
Product Name—Cruzer Glide
Serial Number—Between ABC00 and ABC99
For more information about additional USB attributes that can be used, click Documentation > Device in the Jamf Protect web app.
Configure the Analytic Actions section.
(Optional) If you want to use Jamf Pro to remediate USB detections, select the Add to Jamf Pro Smart Group checkbox and, in the Identifier field, enter a value to populate a Jamf Protect extension attribute.
Note: This value must match the Value field defined in your Jamf Protect extension attribute in Jamf Pro.
Click Save.
Your custom USB insertion Analytic will now monitor for custom USB attributes and trigger an action. If you selected Add To Jamf Pro Smart Group as an Analytic action, continue to step 2 in this section.
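The Analytic Filter example in the steps above joins its three negated attribute tests with AND, so it matches only when vendor, product name and serial number all differ from the approved values. As an added example (not Jamf's code), the shell model below evaluates that logic and an OR-joined variant over constructed device values; the function names and sample devices are assumptions, and every sample device is assumed to be removable and writable.

```shell
#!/bin/sh
# Added example, not Jamf code: models the page's Analytic Filter so the
# effect of AND versus OR between the negated tests can be checked offline.

# The page reads MATCHES 'ABC[0-9][0-9]' as ABC00..ABC99, i.e. a whole-string
# match; a case glob is whole-string as well.
serial_ok() {
  case "$1" in
    ABC[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# page_filter VENDOR PRODUCT SERIAL: the page's logic,
# vendor != X AND product != Y AND NOT serial MATCHES Z.
page_filter() {
  if [ "$1" != "SanDisk" ] && [ "$2" != "Cruzer Glide" ] && ! serial_ok "$3"; then
    echo alert
  else
    echo quiet
  fi
}

# strict_filter VENDOR PRODUCT SERIAL: the same tests joined with OR, so a
# drive is quiet only when all three attributes are the approved ones.
strict_filter() {
  if [ "$1" != "SanDisk" ] || [ "$2" != "Cruzer Glide" ] || ! serial_ok "$3"; then
    echo alert
  else
    echo quiet
  fi
}

# Constructed sample devices, written as vendor|product|serial.
for dev in "SanDisk|Cruzer Glide|ABC42" "SanDisk|Cruzer Glide|ABC100" \
           "SanDisk|Ultra|XYZ123" "OtherVendor|OtherDrive|XYZ123"; do
  IFS='|' read -r v p s <<EOF
$dev
EOF
  printf '%-32s page=%-5s strict=%s\n' "$dev" \
    "$(page_filter "$v" "$p" "$s")" "$(strict_filter "$v" "$p" "$s")"
done
```

Use the AND form when any single approved attribute is enough to trust a drive, and the OR form when only the exact approved vendor, product and serial range should stay quiet.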
For instructions on how to create an extension attribute, follow the steps under 'Creating a Computer Extension Attribute from a Template' in the Computer Extension Attributes section in the Jamf Pro Administrator's Guide.
Depending on which version of Jamf Pro you use, consider the following:
If using Jamf Pro 10.19.0 or later, click New From Template and enter 'Jamf Protect Smart Groups' in the search bar to find the correct template.
If using Jamf Pro 10.18.0 or earlier, click New, choose 'Script' from the Input Type pop-up menu, and then enter the following:
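#!/bin/bash
# Directory that holds the Jamf Protect smart group entries
SMARTGROUPS_DIR="/Library/Application Support/JamfProtect/groups"
if [ -d "$SMARTGROUPS_DIR" ]; then
    # List the entries in the directory as a comma-separated string
    SMART_GROUPS=`/bin/ls "$SMARTGROUPS_DIR" | tr '\n' ','`
    # Strip the trailing comma and report the list as the attribute value
    echo "<result>${SMART_GROUPS%?}</result>"
else
    # No groups directory: report an empty value
    echo "<result></result>"
fi
exit 0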
In Jamf Pro, create a smart computer group that will use the Jamf Protect smart group to control group membership in response to an Analytic:
In Jamf Pro, click Computers.
Click Smart Computer Groups.
Click New.
On the Computer Groups tab, configure basic settings and email notification preferences.
On the Criteria tab, click Add > Show Advanced Criteria.
Choose the Jamf Protect extension attribute you previously created.
Configure the Operator and Value fields similar to the following:
Note: The Value field defines the value that a Jamf Protect Analytic will use to populate the extension attribute. This value should match the Identifier field in Jamf Protect.
Click Save.
Using Jamf Pro and Jamf Helper, you can create a script that will alert end users if Jamf Protect detects a threat on their computer. This script can be run by a custom trigger using a policy in Jamf Pro.
Adding a Script to Jamf Pro
In Jamf Pro, click Settings.
Click Computer Management > Scripts and click New.
On the General tab, configure basic information about the script.
Click the Script tab and enter script contents similar to the following example:
'/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper' -windowType hud -title 'Possible Malicious Application' -heading 'Malware Detected' -alignHeading natural -description 'Your computer may be infected with malware. Contact your IT administrator immediately.' -alignDescription natural -icon '/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns' -button1 Ok -alignCountdown center -lockHUD
When triggered, the script will display an alert similar to the following:
(Optional) Click the Options and Limitations tabs to configure additional settings.
Click Save.
Creating a Policy to Run the Script
In Jamf Pro, navigate to Computers > Policies and click New.
Use the General payload to configure basic settings for the policy, including the following trigger and execution frequency settings:
For the trigger, select Custom and then enter 'protect' in the Custom Event field.
Select 'Ongoing' from the Execution Frequency pop-up menu.
(Recommended) Select Make Available Offline.
Select the Scripts payload and click Configure.
Add the previously created Jamf Protect script and configure settings for the script.
Click the Scope tab and configure the scope of the policy to include the previously created smart group in Jamf Pro.
Click Save.
When detected, the custom USB insertion Analytic will now do the following:
Populate an extension attribute
Change the smart computer group membership in Jamf Pro in response to the extension attribute value
Display an alert to end users, if configured
For related information, see the following sections of this guide: