Block USB/TB ethernet adapters from being used on another computer

ianmb
Contributor

Is there a way to do this in the JSS? I'm aware there is an option to ignore these completely using the MAC address. However in our shop, users have a requirement to use either USB or Thunderbolt Ethernet adapters on their MacBooks but we don't want a situation where people can share them around and use them on other MacBooks.

This has happened in the past before we started using Casper for our Mac Management, i.e. when Macs were self-managed.

1 ACCEPTED SOLUTION

franton
Valued Contributor III

Couple things:

1) Casper 9 uses the UUID of the computer for identification rather than a MAC address.
2) There's no way of doing what you ask. The MAC address is stored in the adaptor itself rather than on the computer.


7 REPLIES

AVmcclint
Honored Contributor

I don't have a solution for you, but I am curious about this restriction. Why would you want to restrict what adapters are used?

roiegat
Contributor III

Maybe the MAC address is being used to register the machine and it keeps thinking it's the same machine on a different MAC. But that should have been solved a while ago since it now uses two MAC Addresses for machines.

But instead of blocking the ethernet adapter, you can add it to the removable devices list. Go to Computers->Management Settings->Removable MAC address and add the address of the ethernet device there.

psliequ
Contributor III

I would suggest looking at your switches to see if they provide layer 3 management. If they do, you can restrict which MAC addresses are allowed to use which ports. That's the most effective route. If that's not possible, the only method that comes to mind via Casper is to create a unique policy per computer which runs during your check-in. That policy could check the MAC address of the connected adaptor against a string that contains the 'correct' MAC address. If there's a mismatch, the policy could run networksetup to disable the interface. There are many problems with that approach. In the time it takes to identify a mismatch a user could use the network for as long as your check-in interval is. There are many opportunities for data entry mistakes with this approach too. Have a look at the switch configuration route first :)
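The per-computer check-in script described in the reply above, as an added example that is not part of the original thread. Assumptions: the `ALLOWED_MAC` variable carrying the MAC of the adapter assigned to this Mac, the port-name pattern used to pick out USB/Thunderbolt Ethernet adapters, and network services that still have their default name (the same as the hardware port).

```shell
#!/bin/bash
# Added example, not from the thread. ALLOWED_MAC is a hypothetical variable.

# Constructed sample of `networksetup -listallhardwareports` output.
sample_ports() {
cat <<'EOF'
Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 02:00:00:00:00:01

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: 02:00:00:00:00:02

Hardware Port: Thunderbolt Ethernet
Device: en5
Ethernet Address: 02:00:00:00:0a:03

Hardware Port: USB 10/100/1000 LAN
Device: en7
Ethernet Address: 02:00:00:00:00:04
EOF
}

# Reads hardware-port output on stdin and prints the port name of every
# USB/Thunderbolt Ethernet adapter whose MAC differs from $1.
find_foreign_adapters() {
    allowed=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v allowed="$allowed" '
        /^Hardware Port: /    { port = substr($0, 16) }
        /^Ethernet Address: / {
            mac = tolower($3)
            # Assumed name pattern; skips Wi-Fi and Thunderbolt Bridge.
            if (port ~ /(USB|Thunderbolt).*(Ethernet|LAN)/ && mac != allowed) print port
        }'
}

# Disable each mismatching adapter (service name assumed equal to port name).
enforce() {
    networksetup -listallhardwareports | find_foreign_adapters "$1" |
    while IFS= read -r service; do
        networksetup -setnetworkserviceenabled "$service" off
    done
}

# Runs only on a Mac, and only when the assigned MAC has been supplied.
if command -v networksetup >/dev/null 2>&1 && [ -n "${ALLOWED_MAC:-}" ]; then
    enforce "$ALLOWED_MAC"
fi
```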

alexjdale
Valued Contributor III

I can't think of any way to do what you are asking, which is basically to stop the OS from performing a pretty low-level function. What you are asking will interfere with your ability to manage your computers and negatively impact your users. I can't think of any reason that would justify that approach.

I think you'd be better off looking at why you don't want users to share adapters and try to tackle that instead, so that sharing wouldn't be a problem in your environment.

Look
Valued Contributor III

There are bound to be ways of achieving this, but none of them will be very nice, better to find a reason not to need to.
What is the underlying reason for the restriction?
Also it gets further complicated when you start throwing in shared desks and things like shared Apple monitors with ethernet built in.

ianmb
Contributor

Thanks all for the insight. I'm fairly new to Casper and thought we might get into a real mess if this was to occur when all of our Macs are enrolled into Casper.

@franton I wasn't aware that the UUID was used in preference to the MAC address, good to know!