Disable Hardware Components

Security policy means different things to different companies. In some environments, using managed preferences to control external drive access would be considered draconian. In others, leaving the AirPort card plugged in (or FireWire ports connected) is thought of as irresponsible. What can a systems administrator do to limit hardware use on company machines?

One option is to disable use of certain hardware components at a system level. Kernel extensions, the software that allows the system to access hardware, are kept in the /System/Library/Extensions folder. Removing specific extensions from that folder will disable the associated hardware, preventing it from being used. Remove the wrong ones, unfortunately, and your operating system won't boot.

If you want to prohibit wireless access, those files are AppleAirPort.kext, AppleAirPort2.kext, and AppleAirPortFW.kext. To disable Bluetooth capabilities (and therefore Bluetooth file transfer), you'll want IOBluetoothFamily.kext and IOBluetoothHIDDriver.kext. Apple's iSight cameras can be disabled to prevent video and photographs of your facility by replacing AppleUSBVideoSupport.kext and Apple_iSight.kext. The use of external hard drives is regulated by IOUSBMassStorageClass.kext and IOFireWireSerialBusProtocolTransport.kext.
For every hardware interface, there's a kernel extension file to match.

If your goal is to disable your chosen hardware permanently (so that software updates won't re-enable it), just replace the missing files with empty text files of the same name, then "Get Info" on each file in the Finder and check the "Locked" option so they won't be reinstalled.

Using this technique, you can ensure that even users with administrative privileges can't get around the hardware restrictions on your standard installation.
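
To check whether a deployed machine still matches this setup, the following added example (not part of the original post) audits an extensions folder against the kext names listed above. The function names and state labels are assumptions, and the lock check relies on Finder's "Locked" box corresponding to the uchg file flag on Mac OS X.

```shell
#!/bin/sh
# Audit an extensions folder against the kext names listed in the article.
# Added example: function names and state labels are assumptions.
# Usage: audit_kexts /System/Library/Extensions

KEXTS="AppleAirPort.kext AppleAirPort2.kext AppleAirPortFW.kext
IOBluetoothFamily.kext IOBluetoothHIDDriver.kext
AppleUSBVideoSupport.kext Apple_iSight.kext
IOUSBMassStorageClass.kext IOFireWireSerialBusProtocolTransport.kext"

# kext_state DIR NAME: print the state of one extension.
kext_state() {
    path="$1/$2"
    if [ -d "$path" ]; then
        echo active                      # real bundle present, hardware usable
    elif [ -f "$path" ] && [ ! -s "$path" ]; then
        # Empty file of the same name, as the article describes.
        if [ "$(uname)" = Darwin ]; then
            # Finder's "Locked" box is the uchg flag; BSD stat prints it with %Sf.
            case "$(stat -f %Sf "$path")" in
                *uchg*) echo locked-placeholder ;;
                *)      echo unlocked-placeholder ;;
            esac
        else
            echo placeholder             # lock flag not checkable off macOS
        fi
    elif [ -e "$path" ]; then
        echo unexpected                  # non-empty file or other object
    else
        echo missing                     # disabled, but an update can restore it
    fi
}

# audit_kexts DIR: report every listed kext; return the number that are not
# blocked by a placeholder.
audit_kexts() {
    dir="${1:-/System/Library/Extensions}"
    bad=0
    for k in $KEXTS; do
        state=$(kext_state "$dir" "$k")
        printf '%-45s %s\n' "$k" "$state"
        case "$state" in
            locked-placeholder|placeholder) ;;
            *) bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}
```

A non-zero return from audit_kexts after a software update is the signal that a real extension has come back or a placeholder has lost its lock.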

Recommended Reading: Apple's very technical explanation of kernel extensions can be found at their developer site. You might also consider controlling hardware access through Open Directory's managed preferences, explained previously in this very blog.