---
title: "Removable Media Blocking | Workshop"
description: "Workshop pushes USB, FireWire, and network mount policy to every Mac in your fleet and prevents unauthorized data transfer."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/features/removable-media-blocking"
---
# Block data exfiltration via removable media

Workshop pushes USB, FireWire, and network mount policy to every Mac in your fleet and prevents unauthorized data transfer.

[Book a demo](https://northpole.typeform.com/to/SG9jCi0v) [View documentation](https://northpole.security/docs/workshop)

 ![Workshop removable media blocking dashboard](https://northpole.security/_astro/hero.BrfNOZS5_ZK2xSK.png)

## Santa's media control options

Three layers of removable media policy, all configured from Workshop and pushed instantly to every Mac in your fleet.

### Block USB and FireWire

Prevent any removable or ejectable storage from mounting. Covers USB flash drives, USB4 NVMe SSDs, FireWire and Thunderbolt disks, and SD cards in built-in readers. Decisions happen at the Disk Arbitration layer, so unauthorized devices never expose a filesystem to userspace. Workshop pushes the setting instantly via APNs, with no MDM round-trip.

### Force read-only

Allow mounting but remount with rdonly, nosuid, and noexec flags. Users can read files from removable media but cannot write, execute, or copy data out. Useful for receiving files from contractors or customers without giving up egress control. Toggle it per-tag in Workshop so finance can be stricter than engineering.

### Block network mounts

Block mounting of SMB, NFS, and AFP network shares at the kernel level. Stops attackers and insiders from mounting arbitrary file servers to exfiltrate data or stage payloads. Managed from the same Workshop configuration as USB controls, with every mount attempt logged to the events pipeline.
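
A post-rollout check for the read-only and network-mount policies above, as an added example that is not Workshop or Santa code: it parses `mount` output and reports volumes under `/Volumes` that lack the read-only, nosuid, or noexec flags, plus any SMB, NFS, or AFP mounts. The sample output is constructed, and treating every local disk under `/Volumes` as removable is an assumption.

```python
import re
import subprocess

# Flags as macOS mount(8) prints them; the rdonly flag is shown as "read-only".
REQUIRED_FLAGS = {"read-only", "nosuid", "noexec"}
NETWORK_FS = {"smbfs", "nfs", "afpfs"}
MOUNT_LINE = re.compile(r"^(?P<src>.+?) on (?P<path>.+) \((?P<opts>[^()]*)\)$")

# Constructed sample of `mount` output, not captured from a real host.
SAMPLE = """\
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
/dev/disk4s1 on /Volumes/INBOUND (msdos, local, nodev, nosuid, read-only, noowners, noexec)
/dev/disk5s2 on /Volumes/Backup Drive (hfs, local, nodev, nosuid, journaled, noowners)
//alice@files.example.com/share on /Volumes/share (smbfs, nodev, nosuid, mounted by alice)
"""

def audit_mounts(mount_output):
    """Return (path, problem) findings for mounts that violate the policy."""
    findings = []
    for line in mount_output.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue
        # First option is the filesystem type, the rest are mount flags.
        fstype, *flags = [o.strip() for o in m["opts"].split(",")]
        path = m["path"]
        if fstype in NETWORK_FS:
            findings.append((path, f"network mount ({fstype})"))
        elif m["src"].startswith("/dev/disk") and path.startswith("/Volumes/"):
            # Assumption: any local disk under /Volumes is treated as removable.
            missing = REQUIRED_FLAGS - set(flags)
            if missing:
                findings.append((path, "missing " + ", ".join(sorted(missing))))
    return findings

def live_mount_output():
    """Output of mount(8) on the current host."""
    return subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for path, problem in audit_mounts(SAMPLE):
        print(f"{path}: {problem}")
```

On a managed Mac, pass `live_mount_output()` to `audit_mounts()` instead of the sample; an empty result means every matching volume carries all three flags and no network share is mounted.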

## Clear user notifications

When a device is blocked, users see a native macOS notification explaining why and who to contact. No mystery failures, no support tickets asking why a drive will not work. Every block also streams to Workshop's events view so your security team sees the attempt in real time.

### Native macOS

Blocks surface as standard system notifications, not a custom popup. Users see them in the same place they see every other macOS alert.

### Custom message

Tailor the body text per fleet or per tag so users know exactly what was blocked and what to do next. No mystery failures or support tickets.

### Direct to admin contact

Include the admin or helpdesk contact right in the notification. Users can reach the right person in seconds, and every block streams to Workshop in real time.

## Flexible configuration

Roll out removable media policy the same way you roll out binary rules: start in audit, review events, then tighten per-tag or per-fleet when you are ready.

### Complete block

USB and SD devices cannot mount at all. The user sees a native macOS notification explaining why and who to contact. Best for high-security environments and compliance-driven fleets.

### Read-only mode

USB and SD devices mount as read-only. Users can read files from external media but cannot write or copy data to the device. Best for environments that need read access for inbound files but no egress.

### Audit only

All USB and SD operations are logged but not blocked. Use this to baseline your environment before enforcement and understand which devices users actually rely on. Best for initial deployment.

## Where teams use it

### Prevent data theft

Block employees from copying sensitive data to USB drives. Stop insider threats and accidental data leaks with a control that runs entirely on the endpoint.

### Meet compliance requirements

Many compliance frameworks require removable media controls. Workshop's blocking helps satisfy NIST, PCI-DSS, HIPAA, and other framework requirements.

### Secure environments

Air-gapped fleets, trading floors, secure research labs. Anywhere removable media poses a risk, Workshop gives you a single switch to lock it down.

## Removable media blocking is part of Workshop

Pair it with binary authorization, approval workflows, and rich telemetry to protect every layer of your fleet.

### [File access authorization](https://northpole.security/features/file-access-authorization)

Control which apps can read or write specific files and directories.

### [Telemetry](https://northpole.security/features/telemetry)

Stream every execution, mount, and policy event into your SIEM.

### [Santa](https://northpole.security/santa)

The open source endpoint authorization engine that powers Workshop.

