Persistently disabling USB Mass Storage on Mac OS X

Last Update: Jan 09, 2022

We recently had a requirement to disable USB mass storage devices on a Mac OS X Yosemite machine and to ensure that it remained permanently disabled.

On Yosemite USB mass storage is controlled by the kernel extension file /System/Library/Extensions/IOUSBMassStorageClass.kext

We decided on using a persistent launchd service to achieve this. First we created a disable.usb.persistent.plist file with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>disable.usb.persistent</string>
<key>ProgramArguments</key>
<array>
<string>kextunload</string>
<string>/System/Library/Extensions/IOUSBMassStorageClass.kext</string>
</array>
<key>UserName</key>
<string>root</string>
<key>StartInterval</key>
<integer>30</integer>
</dict>
</plist>

Essentially what we’re doing is telling Mac OS X to execute every 30 seconds as the root user and run the command:

kextunload /System/Library/Extensions/IOUSBMassStorageClass.kext

This ensures that the kernel will forcefully remove and prevent any USB mass storage devices.

Next, we perform the following steps:

sudo cp disable.usb.persistent.plist /Library/LaunchDaemons/
sudo chown root:wheel /Library/LaunchDaemons/disable.usb.persistent.plist
sudo chmod 644 /Library/LaunchDaemons/disable.usb.persistent.plist
sudo launchctl load -w /Library/LaunchDaemons/disable.usb.persistent.plist
sudo launchctl start disable.usb.persistent

Here we are copying the service to an appropriate directory, setting secure permissions for it and telling Mac OS to load the service and execute it.

Now, we have a service that will effectively run every 30 seconds with the command we’ve given it, thus ensuring persistent disabling of USB mass storage.