Question

Best Practices for having an admin account tech support can log into

  • May 21, 2026

sara_mccullar

At my current environment, we have an admin account and LAPS turned on. As we know, LAPS doesn’t work for unlocking FileVault. We need an admin account that can unlock FileVault and log in so we can troubleshoot issues. I love the idea of LAPS, but it doesn’t seem to be practical in our environment. Is the best thing to do to have a local admin account with a very complicated password? Also, we have it set up to only allow one AD account to log into the computer, so using an AD account isn’t going to work either.

4 replies

AJPinto
  • Legendary Contributor
  • May 22, 2026

Generally speaking, IT should never need to log in to FileVault. If there was some one-off case where IT needed to log in, that is what the recovery key is for.


Best practices aside, Apple does not really give you any options. Your local LAPS account can unlock FileVault, but only after it's logged in to macOS at least once to inherit a FileVault token. Without a token, no account can unlock FileVault. There is no way to give a token programmatically, at least not without the user name and password for an account with a FileVault token to pass it in the script to authorize fdesetup to grant a token. 


agungsujiwo
  • Contributor
  • May 22, 2026

Hi @sara_mccullar,

In Jamf Pro, there is already a local administrator account called _cadmin

Go to:
Jamf Pro → Computers → Search Inventory → Your Device → Inventory → General → Managed Local Administrator

You can use this account; the password is automatically generated with strong complexity and is valid for 1 hour.



sara_mccullar
  • Author
  • Contributor
  • May 22, 2026

So what do you do when you are working on a machine and you need to restart? Do you just run the terminal command to bypass FileVault every time?


The problem with the managed local admin account is that the password change doesn’t appear to change the password for FileVault. At least that has been my experience.

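One way to verify the precondition AJPinto describes above (the admin account must hold a Secure Token and appear as a FileVault-enabled user before a rotated LAPS password is of any use at the pre-boot screen), and to confirm whether the managed account sara_mccullar mentions is actually in that state, as an added example that is not from any poster, from Jamf, or from Apple; the account names and the sample command output are constructed, and the live wrappers assume the standard `sysadminctl` and `fdesetup` output formats:

```shell
#!/bin/bash
# Added check, not from the thread: confirms that a local admin account
# (e.g. the LAPS-managed one) holds a Secure Token AND is listed as a
# FileVault-enabled user. Only then can its rotated password be used at
# the FileVault pre-boot screen. On macOS run as root: ./fvcheck.sh admin

# Parse `sysadminctl -secureTokenStatus <user>` output (printed on stderr).
# Returns 0 when the token is ENABLED, 1 when DISABLED or unrecognised.
parse_secure_token() {
    case "$1" in
        *"Secure token is ENABLED for user"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse `fdesetup list` output ("username,UUID" per line).
# Returns 0 when $2 appears as a FileVault-enabled user (exact match).
parse_fv_list() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { f = 1 } END { exit (f ? 0 : 1) }'
}

# Live wrappers for macOS; `fdesetup list` requires root.
has_secure_token() {
    parse_secure_token "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}
is_fv_enabled_user() {
    parse_fv_list "$(fdesetup list 2>/dev/null)" "$1"
}

# Verdict: 0 = usable, 1 = no Secure Token, 2 = token but not FV-enabled.
check_fv_admin() {
    has_secure_token "$1" || { echo "$1: no Secure Token, cannot unlock FileVault" >&2; return 1; }
    is_fv_enabled_user "$1" || { echo "$1: token present but not a FileVault-enabled user" >&2; return 2; }
    echo "$1: Secure Token present and FileVault-enabled"
}

# Constructed sample output (not captured from a real Mac) so the parsers
# can be exercised where sysadminctl/fdesetup are not available.
SAMPLE_TOKEN='sysadminctl[512:9001] Secure token is ENABLED for user admin'
SAMPLE_FV_LIST='admin,1A2B3C4D-0000-1111-2222-333344445555
jdoe,9F86D081-8F6A-4B2F-9D7E-1234567890AB'

if [ -n "${1:-}" ]; then check_fv_admin "$1"; fi
```

An account that fails the first check will not be fixed by another password rotation; it needs to log in interactively once (or be granted a token by an existing token holder via `sysadminctl`) before the rotated password can unlock FileVault.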

AJPinto
  • Legendary Contributor
  • May 22, 2026

> So what do you do when you are working on a machine and you need to restart? Do you just run the terminal command to bypass FileVault every time?
>
> The problem with the managed local admin account is that the password change doesn’t appear to change the password for FileVault. At least that has been my experience.


Honestly, I cannot remember the last time any tech in an enterprise environment I have worked with needed to log directly into an end user’s FileVault‑locked Mac. Modern support workflows assume the user is present to unlock FileVault, and the tech connects through a remote support tool like BeyondTrust Remote Support or ARD. If the device has to be taken away from the user, it usually needs OS reinstallation or hardware repair, and the user should already have their data backed up. Ideally, nothing critical should be stored locally in the first place.

Apple’s current security model assumes zero trust. The technician should never have unattended access to user data. That is why FileVault unlock is a user action, not an IT action, and why workflows that rely on IT unlocking FileVault with a rotating‑password admin account are fundamentally incompatible with how macOS handles Secure Tokens and password synchronization.