> ## Documentation Index
> Fetch the complete documentation index at: https://docs.iru.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure the Accessory & Storage Access Library Item

> Configure the Accessory and Storage Access Library Item to control external storage, server volumes, and DMG access on managed Mac computers.

<Callout icon="apple" color="#B84A7A" iconType="brands">This guide applies to Mac computers</Callout>

### About Accessory & Storage Access Library Item

Iru Endpoint's Accessory & Storage Access Library Item allows you, as the device or security administrator, to define access privileges and controls for external storage volumes, server volumes, and DMG file types on Mac computers.

<Warning>
  To use this Library Item, the [Endpoint Detection & Response](/en/endpoint/endpoint-detection-response-edr/endpoint-detection-and-response-edr-overview) add-on is necessary. However, you do not need to assign the EDR Library Item to the device Blueprint to deploy this Library Item.
</Warning>

### How It Works

The Accessory & Storage Access Library Item provides granular control over storage device access on managed Mac computers. It allows administrators to configure access privileges for external storage devices, disk images, and server volumes, with options for encryption requirements, password protection, and user-specific access controls.

### Adding an Accessory & Storage Access Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the [Library Overview](/en/endpoint/library/library-items-profiles/library-overview) article.

<Steps>
  <Step title="Name the Library Item">
    Give the new Accessory & Storage Access Library Item a **Name**.
  </Step>

  <Step title="Assign to Blueprints">
    Assign to your desired [Blueprints](/en/endpoint/blueprints/assignment-maps/creating-a-blueprint).

    <Frame>
      <img src="https://mintcdn.com/iru/6NXI9g0KcsHj7H5R/assets/media/images/Kandji-Support-KB-0325PM@2x.png?fit=max&auto=format&n=6NXI9g0KcsHj7H5R&q=85&s=5dd5548ca3191b2ce7816c8f8df35dc1" alt="Accessory and Storage Access Library Item configuration or Blueprint assignment" width="2914" height="1018" data-path="assets/media/images/Kandji-Support-KB-0325PM@2x.png" />
    </Frame>
  </Step>
</Steps>

### Configuring External Volumes

The External volumes section allows you to manage access privileges for external storage devices such as USB, CD, and DVD drives connected to the accessory port and memory cards (SD, SDXC) inserted in the SD card slot. To manage access for external volumes, follow the steps below.

<Warning>
  The **Require encryption** and **Require admin password to access** settings are only available for Read & Write and Read only access privileges.
</Warning>

<Steps>
  <Step title="Enable External Volume Management">
    Turn on management for external volumes.
  </Step>

  <Step title="Configure Access Privileges">
    From the Access privileges menu, select the desired access privileges for external volumes. The available options are: **Read & Write**, **Read only**, or **No access**.

    a. **Set Encryption Requirements:** Optionally, select **Require encryption** to ensure only encrypted volumes are mounted. For information about using Disk Utility to encrypt storage devices, see [this Apple support article](https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612/mac#:~:text=In%20the%20Disk%20Utility%20app,Erase%20button%20in%20the%20toolbar.).

    b. **Configure Password Protection:** Optionally, select **Require admin password to access** to prompt users for an admin password to access content.
  </Step>

  <Step title="Set User Scope">
    Select **All users** to apply the access privileges to all users, including admin, or select **Standard users** to apply the access privileges only to standard users.
  </Step>

  <Step title="Configure Alert Messages">
    Optionally, select **Display alert messages** to alert users when the mounting of external volumes is blocked. Note, this setting is forced on when **Require admin password to access** is selected.

    <Frame>
      <img src="https://mintcdn.com/iru/qQl9m4UQwfP-FkWY/assets/media/images/ljbgiopbc8eh9ku5sfxvofi2crxhpjimhw.png?fit=max&auto=format&n=qQl9m4UQwfP-FkWY&q=85&s=b45608b82a7235916bcb79ce100e2624" alt="External volumes access privileges and alert messages configuration" width="2612" height="1390" data-path="assets/media/images/ljbgiopbc8eh9ku5sfxvofi2crxhpjimhw.png" />
    </Frame>
  </Step>
</Steps>

### Configuring Disk Images

The Disk images section allows you to manage access privileges for DMG file types. To manage access for disk images, follow the steps below. Disk image settings specified here will apply to all DMG mounts on the device, including those in scripted automated workflows and in-app DMG mounts such as Google Chrome's Auto Update Agent.

<Warning>
  The **Require admin password to access** setting is only available for Read & Write and Read only access privileges.
</Warning>

<Steps>
  <Step title="Enable Disk Image Management">
    Turn on management for disk images.
  </Step>

  <Step title="Configure Access Privileges">
    The Access privileges menu allows you to select the desired access privileges for disk images. The available options are: **Read & Write**, **Read only**, or **No access**.

    a. Optionally, select **Require admin password to access** to prompt users for an admin password to access content.
  </Step>

  <Step title="Set User Scope">
    Select **All users** to apply the access privileges to all users, including admin, or select **Standard users** to apply the access privileges only to standard users.
  </Step>

  <Step title="Configure Alert Messages">
    Optionally, select **Display alert messages** to alert users when the mounting of disk images is blocked. Note, this setting is forced on when **Require admin password to access** is selected.

    <Frame>
      <img src="https://mintcdn.com/iru/iHobnQhyz6BZxvF-/assets/media/images/opnplvfy7gjr-h3nwjmuezt69csmukmhzw.png?fit=max&auto=format&n=iHobnQhyz6BZxvF-&q=85&s=20ba08773e643658a128d06044dd2cd6" alt="Disk images access privileges and alert messages configuration" width="2598" height="1234" data-path="assets/media/images/opnplvfy7gjr-h3nwjmuezt69csmukmhzw.png" />
    </Frame>
  </Step>
</Steps>

### Configuring Server Volumes

The Server volumes section allows you to manage access privileges for server volume mounts such as SMB shares. To manage access for server volumes, follow the steps below.

<Warning>
  Any external, server and DMG volumes previously mounted on the device prior to the deployment of this Library Item will not be managed by Iru Endpoint until these items are unmounted and a re-mount is attempted.
</Warning>

<Steps>
  <Step title="Enable Server Volume Management">
    Turn on management for server volumes.
  </Step>

  <Step title="Configure Access Privileges">
    Choose the desired access privileges for disk images from the Access privileges menu. The available options are: **Read & Write** or **No access**.
  </Step>

  <Step title="Set User Scope">
    Select **All users** to apply the access privileges to all users, including admin, or select **Standard users** to apply the access privileges only to standard users.
  </Step>

  <Step title="Configure Alert Messages">
    Optionally, select **Display alert messages** to display alert messages to users when the mounting of external volumes is blocked.
  </Step>

  <Step title="Save Configuration">
    Click the **Save** button to save the Accessory & Storage Library Item to your Library.

    <Frame>
      <img src="https://mintcdn.com/iru/1OVymKHk38EquoaD/assets/media/images/xm0zdukkivavmit1t5wt2oua8zhyd_0m0a.png?fit=max&auto=format&n=1OVymKHk38EquoaD&q=85&s=cc1b6c4cf66c6861b01c74d621b22da3" alt="Accessory and Storage Library Item server volumes and Save button" width="2600" height="1186" data-path="assets/media/images/xm0zdukkivavmit1t5wt2oua8zhyd_0m0a.png" />
    </Frame>
  </Step>
</Steps>

### Understanding Restricted Mode on Apple Silicon

On a Mac with Apple silicon running macOS 13+ and depending on the device's Privacy & Security settings, when new or unknown USB accessories are used, the user may get an alert asking whether or not the USB accessory should be allowed to connect. This is known as [Restricted Mode](https://support.apple.com/guide/deployment/manage-accessory-access-depf8a4cb051/web) on macOS and is independent of Device alert settings in this Library Item. Restricted Mode can be managed with the **Allow USB accessories while device is locked** setting in the Restrictions Library item. See [this Apple support article](https://support.apple.com/en-us/102282) for more details.

### Considerations

* **EDR Requirement**: The Endpoint Detection & Response add-on is required to use this Library Item, but the EDR Library Item doesn't need to be assigned to device Blueprints
* **Access Privilege Configuration**: Configure appropriate access levels (Read & Write, Read only, No access) based on your security requirements and user needs
* **Encryption Requirements**: Use encryption requirements for external volumes to ensure data protection, especially for sensitive information
* **Password Protection**: Implement admin password requirements for additional security when accessing external storage devices
* **User Scope Management**: Choose between All users and Standard users based on your organization's access control policies
* **Alert Configuration**: Configure alert messages to inform users when access is blocked, improving user experience and security awareness
* **Existing Volume Management**: Previously mounted volumes won't be managed until they are unmounted and re-mounted after Library Item deployment
* **Apple Silicon Compatibility**: Be aware of macOS Restricted Mode on Apple Silicon devices, which operates independently of this Library Item's settings
* **Disk Image Security**: DMG file access controls apply to all disk image mounts, including automated workflows and application updates
* **Server Volume Access**: Configure server volume access carefully to balance security with legitimate business needs for network storage
* **Testing and Validation**: Test configuration changes in a controlled environment to ensure they meet security requirements without disrupting workflows
* **Regular Review**: Periodically review and update access privilege settings to align with changing security policies and business requirements
