How to disable the USB ports on a MacBook for compliance and security purposes?

mustafa_gulzar wrote:

If we had intel macs, it would have been quite simple as I could deploy a script which would remove the kernel responsible for USB mass storage.

Which would have been an unsupported hack.

As far as supported features went, Intel-based Mac notebooks never had locked-down USB ports. The feature that the Support article describes is new to Apple Silicon Mac notebooks, and probably came as an unpleasant surprise to most customers.

An MDM that would allow blocking of USB ports is highly unlikely to be free and would almost certainly need to be set up by your company's IT group; it's not something an individual user can in practicality implement. One such that says it can provide control is Endpoint Protector:

https://www.endpointprotector.com/

Pricing is not immediately available and probably depends on the number of licenses purchased. Short of serious hacking of macOS, I don't know of any other solution.

Regards.

If you are a regular non-IT employee, then it sounds like your company needs to provide employees with laptops with this already configured. Any configurations that a regular employee makes to do this is a joke, because that same person can undo the change at any time.

If you are an IT employee tasked with implementing these changes, then you will need to purchase laptops where these changes can be implemented without the users being able to re-enable those features. Usually many of those configuration changes require the use of some sort of centralized management system (aka MDM).

FYI, if you allow certain features to exist when using a port, then there is still the possibility of someone getting around any partial use restrictions for those ports. The only sure way to lock down a port is to have it completely disabled. I have seen so many ways that something can get through a "blockade" that you will never even see many of them as a possibility. Besides a carefully crafted USB device can get past many security measures to gain access to a system...most of them will require targeting a specific user or business, but I have seen it happen with a locked MBPro (a co-worker who deals with security showed it to me a few years ago).

You either go all in on restricting access (that is not 100% guaranteed0, or you will leave openings for methods of bypassing security restrictions.

@Servant of Cats has provided great options for the M-series Macs. I don't think any MDM's are free. Another popular MDM is Jamf.

Also, to prevent transfers from mobile devices, then you will need to prevent access to AppleIDs and such.

If you are using a Mac notebook with an Apple Silicon (M-series) processor, that is running Ventura or later, there is this feature.

If your Mac asks you to allow an accessory to connect - Apple Support

"You need to allow new USB or Thunderbolt accessories and SD cards to connect before you can use them with your Mac laptop computer with Apple silicon." (unless you set your Privacy & Security Settings otherwise)

Use the ports on your Mac - Apple Support

"If you have a Mac laptop with Apple silicon, you have to approve new USB or Thunderbolt devices and SD cards that you connect to your Mac. If you choose Allow, the accessory allows both power and data transmission. If you choose Don’t Allow, the accessory can still charge, but no data is transmitted."