Log and audit external storage devices with Mac telemetry from Jamf
Capture detailed hardware metadata for greater management of removable storage devices to enhance compliance and aid in security investigations across your Mac fleet.

Removable storage devices—like USB drives, flash sticks, and external hard disks—might seem routine, but they can introduce real compliance and security risks if not properly managed. They're used every day—sometimes by design, sometimes without approval—and often without much visibility.
From a compliance perspective, many industry standards require organizations to implement and monitor controls around physical media. From a security standpoint, removable storage remains one of the most common (and often overlooked) vectors for data exfiltration, malware delivery or policy violations. And without clear records of what was connected, when, and by whom, it’s nearly impossible to audit usage or investigate incidents thoroughly.
To help security and IT teams stay ahead of these challenges, we’ve enhanced Jamf Protect's Mac telemetry to include detailed hardware device information in the events generated when a removable storage device is connected. This added context gives you a clearer view of what’s happening on your endpoints—without adding complexity or overhead.
Note: This enhancement is currently available with Jamf Protect v6.4.1.
Why This Matters
Compliance and audit readiness
ISO 27001, HIPAA, and other common security standards require organizations to implement and monitor controls around physical media. With this enhanced telemetry, you can more easily demonstrate enforcement and oversight of removable storage activity.
Security investigations
If a security event involves file transfers, unauthorized data access, or an unknown USB device being plugged in, knowing which device was involved—and where else it’s been used—can speed up investigations significantly.
Device Control policy management
Jamf Protect’s Device Control feature lets you block or limit usage of USB drives and other removable storage devices, helping prevent unsanctioned hardware access. Now, with this expanded telemetry, you can validate policy effectiveness and make informed decisions about how to adjust or extend your controls.
Quick Recap: Mac Telemetry in Jamf Protect
Jamf's Mac Endpoint Telemetry feature provides rich, native macOS event data—sent to your SIEM, cloud storage or a local log—for compliance logging, security investigations and operationalizing IT. It’s built on Apple’s Endpoint Security API for efficiency and depth, capturing system, user and process activity across your Mac fleet.
Until now, when a removable storage device was used, telemetry included information about the volume that was mounted (e.g., mount path, file system format, and owner). With this update, you’ll also see detailed metadata about the physical hardware device behind the file system.
What’s New: Hardware-Level Device Metadata
When a removable storage device is connected, Jamf Protect now captures a full set of details about the underlying hardware. These fields appear in mount, unmount, and remount telemetry events and are available alongside the existing volume-level details.
New: Hardware Device Metadata
Here’s a sample of the new fields now included:
Note: This is just a subset of available fields. For the full list, please refer to the Jamf Protect Telemetry data model documentation (requires Jamf ID sign-in).
Real-World Examples: What Telemetry Looks Like
Below are two sample scenarios showing what Jamf Protect telemetry can capture when a removable storage device is connected—including both the original volume-level details and the newly added hardware metadata.
These examples show just a snapshot of the most relevant fields for visibility and investigation.
These examples highlight how much richer and more actionable your telemetry becomes. What was once a simple “volume mounted” event is now a detailed fingerprint of the physical device, ready to drive better visibility, enforcement and investigations.
Example Use-Cases with Splunk
Here are a few sample use cases with Splunk queries to help you get started:
Tip: Make sure you're running the latest version of the Jamf Protect add-on for Splunk to use these queries.
List all removable devices connected in your environment
Returns a list of unique removable storage devices mounted across your fleet, including product name and encryption status.
Show all unencrypted removable storage devices connected in your environment
Identifies all instances of unencrypted removable devices being used, with host context.
See all computers that connected to a specific removable storage device
Trace a known device across your fleet to see when and where it was connected.
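The three use cases above, worked offline over exported telemetry as an added example (not Jamf's code and not the Splunk queries from the original post). The events are constructed, and the field names (`ts`, `host`, `action`, `serial`, `product`, `encrypted`) are placeholders, not the Jamf Protect telemetry schema; map them to the fields in the Telemetry data model documentation.

```python
import json

# Constructed sample events, one JSON object per line. Field names are
# illustrative placeholders, NOT the Jamf Protect telemetry schema.
SAMPLE = """\
{"ts":"2025-01-10T09:00:00Z","host":"mac-001","action":"mount","serial":"SER-A","product":"Example Flash Drive","encrypted":false}
{"ts":"2025-01-10T09:05:00Z","host":"mac-001","action":"unmount","serial":"SER-A","product":"Example Flash Drive","encrypted":false}
{"ts":"2025-01-11T14:30:00Z","host":"mac-002","action":"mount","serial":"SER-A","product":"Example Flash Drive","encrypted":false}
{"ts":"2025-01-12T08:15:00Z","host":"mac-003","action":"mount","serial":"SER-B","product":"Example Portable SSD","encrypted":true}
{"ts":"2025-01-12T08:20:00Z","host":"mac-003","action":"remount","serial":"SER-B","product":"Example Portable SSD","encrypted":true}
not-json line that a real log export might contain
"""

def parse(text):
    """Yield event dicts; skip lines that are not JSON objects or lack a serial."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "serial" in ev:
            yield ev

def device_inventory(events):
    """Use case 1: unique devices by serial -> (product name, encrypted?)."""
    return {ev["serial"]: (ev["product"], ev["encrypted"])
            for ev in events if ev["action"] == "mount"}

def unencrypted_mounts(events):
    """Use case 2: (host, serial, ts) for every mount of an unencrypted device."""
    return [(ev["host"], ev["serial"], ev["ts"]) for ev in events
            if ev["action"] == "mount" and not ev["encrypted"]]

def trace_device(events, serial):
    """Use case 3: hosts one device was mounted on, with first-seen time."""
    first_seen = {}
    # Same-format ISO 8601 UTC timestamps sort correctly as plain strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["serial"] == serial and ev["action"] == "mount":
            first_seen.setdefault(ev["host"], ev["ts"])
    return list(first_seen.items())

EVENTS = list(parse(SAMPLE))
```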
What You Need to Do
This update is now live in Jamf Protect for all customers with telemetry enabled. To take advantage of it:
- Make sure your deployment has telemetry turned on.
- Confirm you're running the latest version of Jamf’s officially supported SIEM add-ons to ensure proper parsing and visibility.
- Review your Device Control policies to see how this new context can support your enforcement goals.
More visibility + more context = better outcomes.
This update is part of our ongoing mission to give you deeper insight into macOS activity—without complexity. Stay tuned for more updates, and as always, we welcome your feedback.
Discover how Jamf can help you better manage and monitor removable storage devices with Mac Endpoint Telemetry.