What is macOS Ventura’s accessory security?

Apple’s recent release of macOS Ventura adds extra security for USB and Thunderbolt accessories inserted into your computer.

November 2 2022 by

Hannah Bien

Hub plugged into a Macbook

In 2008, an employee of the US Department of Defense picked up an innocuous looking USB flash drive in the parking lot of one of their facilities. This device was plugged into a laptop connected to the United States Central Command’s network, where it spread malware undetected on US military systems containing both unclassified and classified information. It took over a year to remove the backdoor that allowed foreign entities to read US data, leading to a total overhaul of the US government’s cybersecurity policy.

Clearly, a rogue accessory can wreak havoc on even the most advanced systems. Despite the general move to cloud software and storage, hardware accessory security is still a relevant issue today for us and our organizations; hardware accessories are still used as a means for exploit. That’s why macOS Ventura includes another layer of accessory security.

What is accessory security coming with macOS Ventura?

Simply put, accessory security puts up a gate when USB or Thunderbolt devices are connected to your computer. Upon user approval, the device then is able to access your Mac. There are multiple settings for how Ventura handles accessories while your computer is unlocked:

  • Ask for permission every time (most secure)
  • Ask for new devices (default setting)
  • Automatically grant permission when unlocked
  • Never ask (least secure)

When a Mac is locked, you are required to unlock to approve any new accessories while previously-approved ones maintain permission for up to 3 days. This feature applies to Mac laptops with Apple silicon. Power adapters, standalone displays and connections to a previously-approved hub do not require approval. Accessories plugged in but not approved are still able to charge.

Using USB Restricted Mode in macOS Ventura

For your personal devices it may not be necessary for you to require permission every time a device is inserted—instead, you can keep the default setting, only requiring permission for new devices. For company devices enrolled in an MDM solution, this feature can be toggled by using the allowUSBRestrictedMode restriction. This restriction can also be used with iOS devices and has been available for iOS since iOS 12.

As always, Jamf offers same-day support for Apple’s newest operating systems. Upgrade your fleet to Ventura to take advantage of this new security feature.

For a walkthough of how to upgrade to Ventura, check out our upgrade guide.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.