I'm working on a system management tool that should be able to Allow/Deny mass storage and portable devices.
In case if it is a USB flash drive I can detect Mount events using Endpoint Security framework. Then using IOServiceGetMatchingServices
I can find the actual device that is trying to mount new volume, check if it is an allowed device and Allow or Deny mount.
But in case if it is an iPhone/iPad or Android device I can't rely on that solution as they don't mount new volumes but user can copy files to the phone. To cover this case I could respond with Deny for the ES_EVENT_TYPE_AUTH_IOKIT_OPEN event. But at that moment I know nothing about the device, only its class which is the same for a mouse and for iPhone.
I can add a notification for adding new USB devices, but then I would need somehow to understand that it is a phone/tablet and disconnect or suspend needed USB Device.
How could I disconnect or suspend a USB Device having only io_object_t?