I'm working on a system management tool that should be able to Allow/Deny mass storage and portable devices.
If it is a USB flash drive I can detect mount events using the Endpoint Security framework. Then, using IOServiceGetMatchingServices,
I can find the actual device that is trying to mount the new volume, check whether it is an allowed device, and allow or deny the mount.
But if it is an iPhone/iPad or Android device I can't rely on that solution, as they don't mount new volumes but the user can still copy files to the phone. To cover this case I could respond with Deny for the ES_EVENT_TYPE_AUTH_IOKIT_OPEN event. But at that moment I know nothing about the device, only its class, which is the same for a mouse and for an iPhone.
I can add a notification for newly added USB devices, but then I would need to somehow work out that it is a phone/tablet and disconnect or suspend the USB device in question.
How could I disconnect or suspend a USB device having only an io_object_t?
I’m not aware of any mechanism to completely disconnect an I/O service. There might be something within the USB family, which is an area of I/O Kit that I don’t have significant experience with.
The traditional approach for this is to create a KEXT (a DEXT nowadays) that matches against the service and thus prevents the system's built-in driver from matching. There's also USBDeviceReEnumerate, which allows you to kick an existing driver off a USB device.
Honestly, I think the world would be a better place if the ES_EVENT_TYPE_AUTH_IOKIT_OPEN event came with enough context to allow you to make an informed decision there. Providing an io_object_t for the driver would be tricky [1] but it could give you a registry entry ID instead [2]. If you agree, I encourage you to file an enhancement request describing your requirements.
Please post your bug number, just for the record.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Because an io_object_t is effectively a Mach port right name.
[2] See IORegistryEntryGetRegistryEntryID and, critically, IORegistryEntryIDMatching.
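As an added illustration of the identification step both posts circle around (it is example code written for this thread, not code from the original poster or from Apple): given an io_object_t for a USB device, it reads the registry entry ID and the USB vendor/product IDs, evaluates them against a device allow-list, and shows the reverse lookup from footnote [2], turning a registry entry ID back into a live service with IORegistryEntryIDMatching. The allow-list entries are constructed placeholders; the property keys ("idVendor", "idProduct", "USB Vendor Name", "USB Product Name") and the "IOUSBHostDevice" class name are the ones current macOS publishes for USB devices, and kIOMainPortDefault assumes macOS 12 or later (older systems use kIOMasterPortDefault). It only decides allow/deny; acting on a deny (re-enumeration or a matching DEXT, as the answer describes) is outside what this snippet does.

```swift
import Foundation
import IOKit

// Constructed allow-list keyed by "vendorID:productID" in hex.
// These values are placeholders for the example, not real policy.
let allowedUSBDevices: Set<String> = ["0x1234:0x5678"]

struct USBDeviceIdentity {
    let registryEntryID: UInt64
    let vendorID: Int
    let productID: Int
    let vendorName: String?
    let productName: String?

    var key: String { String(format: "0x%04x:0x%04x", vendorID, productID) }
}

enum Verdict { case allow, deny }

// Read one property from a registry entry; the CF value is bridged to the Swift type T.
func registryProperty<T>(_ entry: io_object_t, _ key: String) -> T? {
    guard let value = IORegistryEntryCreateCFProperty(entry, key as CFString,
                                                      kCFAllocatorDefault, 0) else {
        return nil
    }
    return value.takeRetainedValue() as? T
}

// Turn an io_object_t into a stable identity: the registry entry ID plus the USB IDs.
// The entry ID is what the answer suggests an ES event could carry instead of a port.
func identifyUSBDevice(_ device: io_object_t) -> USBDeviceIdentity? {
    var entryID: UInt64 = 0
    guard IORegistryEntryGetRegistryEntryID(device, &entryID) == KERN_SUCCESS else { return nil }
    guard let vid: Int = registryProperty(device, "idVendor"),
          let pid: Int = registryProperty(device, "idProduct") else { return nil }
    return USBDeviceIdentity(registryEntryID: entryID,
                             vendorID: vid,
                             productID: pid,
                             vendorName: registryProperty(device, "USB Vendor Name"),
                             productName: registryProperty(device, "USB Product Name"))
}

// Reverse lookup from footnote [2]: given an entry ID, get the live service back.
// The caller owns the returned object and must IOObjectRelease it.
func usbService(forRegistryEntryID id: UInt64) -> io_object_t? {
    // IOServiceGetMatchingService consumes the matching dictionary, so no release here.
    let service = IOServiceGetMatchingService(kIOMainPortDefault, IORegistryEntryIDMatching(id))
    return service == 0 ? nil : service
}

// Policy decision: only vendor/product pairs on the allow-list may proceed.
func verdict(for identity: USBDeviceIdentity) -> Verdict {
    allowedUSBDevices.contains(identity.key) ? .allow : .deny
}

// Walk every attached USB device and evaluate policy, mirroring the
// IOServiceGetMatchingServices approach from the question.
func auditAttachedUSBDevices() {
    var iterator: io_iterator_t = 0
    guard IOServiceGetMatchingServices(kIOMainPortDefault,
                                       IOServiceMatching("IOUSBHostDevice"),
                                       &iterator) == KERN_SUCCESS else { return }
    defer { IOObjectRelease(iterator) }

    while case let device = IOIteratorNext(iterator), device != 0 {
        defer { IOObjectRelease(device) }
        guard let identity = identifyUSBDevice(device) else { continue }
        // Round-trip the entry ID to show the lookup works for this device.
        if let again = usbService(forRegistryEntryID: identity.registryEntryID) {
            IOObjectRelease(again)
        }
        print("entry \(identity.registryEntryID) \(identity.key) " +
              "\(identity.vendorName ?? "?") / \(identity.productName ?? "?") " +
              "-> \(verdict(for: identity))")
    }
}

auditAttachedUSBDevices()
```

Matching on vendor/product IDs is a policy choice, not proof of device type; a device can report any IDs it likes, so an allow-list is a convenience layer on top of, not a substitute for, the driver-matching or re-enumeration approach the answer describes.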