[drakenot]

Is it possible to whitelist USB (or Thunderbolt for that matter) devices and prevent all others from connecting?

It is fairly common for me to connect a USB keyboard, but it is pretty rare for me to connect an unknown keyboard.

[masklinn]

It's possible to filter based on vendor ID and device ID, but deviceid is shared (it's more of a product id), and both can be faked of course. On Linux it's handled via udev, on Windows via group policies (since Server 2008/Vista), on OSX it might be possible via MDM, in the Server application (I'm not sure)