Back to Resources

Level Verified

macOS Monitor - USB Drive Script

Created by

Level

Type

Script

Category

Security

Platforms
WindowsApple iOSLinux
Import into Level
Copy link

Problem Overview

Unregulated or unauthorized USB devices can expose macOS systems to data leaks, malware threats, and policy violations. Manually monitoring for USB connections is time-consuming and prone to oversight, leaving IT Professionals and MSPs vulnerable to unexpected security breaches.

Description

This script uses the built-in system_profiler command to detect any mounted USB drives on a macOS endpoint. If it finds an active USB device, it prints “ALERT,” which can be captured and reported by Level. This enables immediate visibility into unauthorized or unexpected removable media usage.

You can configure a script-based monitor in Level to trigger on-demand checks whenever USB-related activity is suspected, or set it to run on a schedule via a Level Automation. By pairing it with a remediation action, you can automatically disable or eject suspicious drives to maintain tighter security.

Script

1#!/bin/bash
2
3# This resource is provided as a convenience for Level users. We cannot 
4# guarantee it will work in all environments. Please test before deploying 
5# to your production environment. We welcome contributions to our community 
6# library
7
8# Level Library
9# https://level.io/library/script-macos-monitor-usb-drive
10
11# Look for USB Drives
12USB_DRIVE_PRESENT=$(system_profiler SPUSBDataType | grep "Mount Point")
13
14if [[ ! -z "$USB_DRIVE_PRESENT" ]]; then
15    # If USB drive is present, send console message for Level to alert on
16    echo "ALERT"
17fi

Use Cases

  • Monitoring high-security environments for unauthorized removable devices
  • Detecting unexpected USB usage in remote work setups
  • Enforcing data protection rules where external drives are restricted
  • Auditing USB device activity on shared or public systems

Recommendations

  • Test the script in a non-production environment to confirm expected output
  • Use a script-based monitor in Level to generate immediate alerts on detection
  • Schedule periodic checks with Level Automations for continuous oversight
  • Consider pairing with a remediation script to disable or eject drives automatically
  • Keep detailed logs of alerts to identify patterns or repeated policy violations

FAQ

  • How do I configure this script in Level?
    Import it into Level and set up a script-based monitor or an Automation schedule, depending on your preferred usage.
  • Does the script block or eject USB drives?
    No. It only detects them. Pair it with a separate remediation script if automatic removal is required.
  • Which macOS versions are compatible?
    Most modern macOS versions that include system_profiler should work. Testing is advised to ensure compatibility.
  • Why is an alert triggered only if a USB drive is mounted?
    Mounted drives present an immediate data access or transfer risk, which is why the script flags them.
  • Can I modify the alert message?
    Yes. Update the echo statement within the script to suit your organization’s logging or notification needs.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

macOS Monitor - USB Drive

Description

This script checks for connected USB drives on a macOS system by scanning for active mount points in the USB device information. If a USB drive is detected, it outputs an "ALERT" message to signal the presence of the device for monitoring purposes.

Language

Bash

Timeout (In Seconds)

100

Run As

Local system

Import into Level

Related resources

Explore more automations, scripts, and policies to further enhance your IT operations.

View all resources

Start automating thousands of your devices with Level

Start your 14-day free trial today.

Book a demoGet started for free

© 2025 Level Software, Inc.