Device Control
Device control is used to monitor and manage external devices connected to your Mac. It allows you to control access to USB drives, external storage, and other peripherals to protect your data and reduce security risks.
Rules
Rules allow you to control access to external devices by allowing or blocking them. You can customize them based on user, user group, or device type for precise management.
Rules Editor
The device control Rules Editor window displays existing rules and allows precise control of the external devices that users connect to the computer. The rule list shows several attributes of each rule, such as its name, the type of external device, the action to perform when an external device is connected to your computer, and the log severity. Rules are listed in order of priority, with higher-priority rules closer to the top. Users can reorder the rules.
Adding or editing a rule
To add a rule, right-click anywhere in the Rules Editor window and select Add from the context menu. To edit an existing rule, select the rule, right-click it and select Edit from the context menu. Each rule is defined by its Name, the Actions to be taken when the rule applies, the Device Type, and the Users or User Groups to which the rule applies.
Name
Choose a name for the rule to distinguish it from other rules.
Actions
The actions available for a rule are Allow unrestricted access to device, Block all access to device, or Block data writing to device. Under Actions you also need to define Log rule; the choices are Log all events, Log only errors and warnings, or Do not log any events. If a rule blocks access to a device, you can still receive a notification by switching on the toggle next to Show notification if device access is blocked by a rule.
Device Type
Type
Select Type to be All device types, Disk storage or CD/DVD.
Manufacturer
Clicking the Manufacturer field opens a new window where you can specify whether the rule should be applied to a Single device or a Group of devices. For easier device identification, use the Populate button to list all devices currently connected to your Mac.
Users
This setting determines which Users or User Groups the device control rule applies to. You can add existing macOS users or user groups, or create new ones. If you disable the rule for a non-existing macOS user or user group, the user or users will be removed from the rule when changes are saved.
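Because rules are listed in priority order, a broad rule placed above a narrower one can keep the narrower rule from ever taking effect. The following is an added example, not the product's own code, that models a rule list and flags such shadowed rules. It assumes the first matching rule from the top decides the outcome and that a rule with no users applies to everyone; the page states neither, and user groups are not modelled. The action and type labels come from this page, while the rule names and user names are constructed.

```python
from dataclasses import dataclass

# Labels below are the ones shown on this page; the matching model is an assumption.
ALL_TYPES = "All device types"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # e.g. "Block data writing to device"
    device_type: str   # "All device types", "Disk storage" or "CD/DVD"
    users: frozenset   # empty set = applies to every user (assumption)

def matches(rule, device_type, user):
    type_ok = rule.device_type in (ALL_TYPES, device_type)
    user_ok = not rule.users or user in rule.users
    return type_ok and user_ok

def evaluate(rules, device_type, user):
    """Return the first matching rule in priority order (top first), or None."""
    for rule in rules:
        if matches(rule, device_type, user):
            return rule
    return None

def covers(upper, lower):
    """True if everything `lower` can match is already matched by `upper`."""
    type_cover = upper.device_type in (ALL_TYPES, lower.device_type)
    user_cover = not upper.users or (bool(lower.users) and lower.users <= upper.users)
    return type_cover and user_cover

def shadowed(rules):
    """List (lower, upper) name pairs where a higher-priority rule hides a lower one."""
    found = []
    for i, lower in enumerate(rules):
        for upper in rules[:i]:
            if covers(upper, lower):
                found.append((lower.name, upper.name))
                break
    return found

# Constructed sample rule list; index 0 is the top (highest-priority) row.
RULES = [
    Rule("Block writes to disks", "Block data writing to device", "Disk storage", frozenset()),
    Rule("Admins full disk access", "Allow unrestricted access to device", "Disk storage", frozenset({"admin"})),
    Rule("Block optical for guest", "Block all access to device", "CD/DVD", frozenset({"guest"})),
]
```

Under these assumptions `shadowed(RULES)` reports that the admin allow rule never applies; moving it above the block rule restores the intended exception.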
Device groups
Device groups allow you to manage multiple devices as a single group. By grouping devices under a shared name, you can apply the same device control rule to all of them to simplify access management.