How do you successfully create a policy to allow USB read-only access in macOS while having a policy that blocks it?

resecurity 0 Reputation points
2025-08-26T03:19:09.7933333+00:00

We have a policy that blocks USB access for all macOS devices. But recently one user requested access to her USB hard drive. Therefore I tried to create a policy in Intune to allow USB read-only access.

  1. I excluded the targeted device from the macOS group that is assigned to the USB blocking policy by creating another group that allows USB.
  2. I assigned the new group to the Allow USB read-only policy.

After syncing the device, I tested it and found that the device cannot mount the hard drive.

I then checked from the terminal that the device still has the USB blocking policy.

I used ChatGPT and it suggested creating a shell script policy that would remove the blocking policy without interfering with the grouping in the blocking policy.

After creating the shell script, the blocking policy is removed, but the external hard disk still cannot be mounted.

I hope my explanation is clear and can easily be understood.

Microsoft Security | Intune | Microsoft Intune MacOs

1 answer

  1. Prathista Ilango 435 Reputation points Microsoft Employee
    2025-10-08T11:25:20.7733333+00:00

    Hello resecurity,

    Before making any manual modifications (not recommended), here are a few things to verify:

    1. Check device exclusion logic
       - If you’ve excluded the device using a group (i.e., added the device to a group and set that group under Exclusions in policy assignments), consider using filters instead.
       - When using dynamic groups, membership updates can take time to propagate. This delay may cause temporary policy conflicts, especially when multiple USB control policies are involved.
    2. Verify configuration in the Intune portal
       - Go to Devices → macOS → [Select the device] → Device configuration.
       - Ideally, only the allow policy should appear here.
       - If you see both allow and block policies, the device is experiencing a policy conflict, and Intune will apply the most restrictive action — in this case, block.

    Double-check the assigned groups, exclusions, and filters to ensure they’re configured correctly and that the device is properly targeted or excluded as intended.

    Hope this helps!


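The conflict logic the answer describes (exclusions beat inclusions, a pending dynamic-group membership leaves only the block policy in scope, and when two USB policies both reach a device the most restrictive one wins) can be checked on paper with a small model before touching the portal. The following Python is an added illustration, not code from the question, the answer or Intune; the group names, policy names and the "most restrictive wins" ranking are constructed assumptions that mirror the scenario in the thread, and it does not call any Intune or Graph API.

```python
from dataclasses import dataclass, field

# Constructed ranking: higher number = more restrictive. Assumption for this
# model, chosen to match the answer's statement that block beats allow.
RESTRICTIVENESS = {"block": 2, "read_only": 1, "allow": 0}


@dataclass
class Device:
    name: str
    groups: set  # group memberships that Entra has already evaluated


@dataclass
class Policy:
    name: str
    usb_mode: str  # "block", "read_only" or "allow"
    include_groups: set
    exclude_groups: set = field(default_factory=set)


def policy_targets(policy: Policy, device: Device) -> bool:
    """A policy reaches a device if it is in an included group and in no excluded group."""
    if device.groups & policy.exclude_groups:
        return False  # exclusion always wins over inclusion
    return bool(device.groups & policy.include_groups)


def effective_usb_mode(device: Device, policies: list) -> tuple:
    """Return (effective USB mode, names of every policy that reached the device).

    If more than one policy applies, the device is in conflict and the most
    restrictive mode is what the user will actually experience.
    """
    applied = [p for p in policies if policy_targets(p, device)]
    if not applied:
        return "unmanaged", []
    winner = max(applied, key=lambda p: RESTRICTIVENESS[p.usb_mode])
    return winner.usb_mode, [p.name for p in applied]


def run_scenarios() -> dict:
    """Three constructed cases that correspond to the troubleshooting steps in the answer."""
    block = Policy("Block USB", "block", include_groups={"All macOS"})
    allow = Policy("Allow USB read-only", "read_only", include_groups={"USB read-only users"})
    results = {}

    # 1. Device is in both groups, block policy has no exclusion: both policies
    #    show up under Device configuration, conflict, block wins.
    laptop = Device("user-mac", groups={"All macOS", "USB read-only users"})
    results["both_assigned_no_exclusion"] = effective_usb_mode(laptop, [block, allow])

    # 2. Same device, but the allow group is excluded from the block policy:
    #    only the allow policy reaches the device.
    block_fixed = Policy("Block USB", "block",
                         include_groups={"All macOS"},
                         exclude_groups={"USB read-only users"})
    results["block_policy_excludes_allow_group"] = effective_usb_mode(laptop, [block_fixed, allow])

    # 3. Dynamic group membership not yet propagated: the device only knows it is
    #    in "All macOS", so even the corrected block policy still applies alone.
    not_yet_member = Device("user-mac", groups={"All macOS"})
    results["dynamic_membership_not_yet_evaluated"] = effective_usb_mode(not_yet_member, [block_fixed, allow])
    return results


if __name__ == "__main__":
    for name, (mode, applied) in run_scenarios().items():
        print(f"{name}: effective={mode} applied={applied}")
```

Running it shows the first case ending in `block` with both policies listed, which is exactly the "two policies under Device configuration" symptom the answer tells you to look for; the second case ends in `read_only`; the third still ends in `block` even though the assignment is correct, which is the propagation delay case. Comparing the portal's Device configuration list against these three outcomes tells you whether the problem is the assignment itself or only timing.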
