FileVault 2 and AD network users deployment process

I have a question regarding this process...

When I enable FV, it disables the need to put in user ID. It reverts to clicking the user name and then typing in a password. In your process, you noted ".) b-Enables users's AD mobile account for FV2 pre boot login within the Security & Privacy system pref. (User is prompted for their password" Does this allow for the user to need to type in their ID and password at login? I need to be able to get that functionality back.

Also, it changed when my login legal banner appears. It used to appear before the log in window. After enabling FV, it appears after the user clicks on their and types their password. Any way I can get that back to before they log in?

Thanks in advance.

Enabling FV2 does the behavior changes you mentioned. I refer to it as pre boot since it's before the OS is loaded, but Apple refers to it as the disk unlock and access stage. There is no option to change that from List of Users (icons) to show as "Name and password." If you unencrypted the drive, of course then you can set that behavior because it's the OS that is displaying the login. And yes, it also effects the legal banner presentation to the user.

The best information I have found concerning FileVault 2 is from Rich Trouton and his postings on http://derflounder.wordpress.com/

Watch his keynote presentation available here:
http://derflounder.wordpress.com/2011/11/10/slides-from-the-filevault-2-session-at-jamfs-2011-national-user-conference/
The keynote includes movie demo's, so you know what to expect with FV2.

When I ask our Apple assigned Engineer for everything they had concerning FV2 use in Enterprise, they pointed me to Rich's site, to [www.afp548.com](www.afp548.com) and to their Security document for Snow Leopard.

Jason,

I think the process you've got outlined is pretty good at dealing with FileVault 2's current setup capabilities and avoids the help desk having to make a deskside visit. Hopefully, FileVault 2's user setup options improve in the future.

If you want to see all of my FileVault 2-related posts, you can use the following link:

http://derflounder.wordpress.com/category/filevault-2/

Thanks,
Rich

Are there any suggested "best practice" 3rd party solutions for full disk encryption that is FIPS 140-2 compliant? From what I've read here, FV2 will not work for our environment. (sorry to hijack this thread)

Jeff,

What are your requirements aside from FIPS 140-2? If you need to have username/password and login banner as mentioned above, that may rule out some encryption solutions.

Thanks,
Rich

Hi Rich, I need to be able to type in a user name at log in (AD credentials) and not show the user accounts on the machine. I also need to have the password up to date from AD. From what I can tell now, if a user changes their password from another machine, and FV2 is enabled, the password would be the old password. Also, I am unable to log into the machine as another user unless the account has been cached locally before. Basically, I need to replicate how our Windows 7 users authenticate and make the user experience as close as possible on the Macs. Network login before FV2 encryption did this very well. I'm thinking there has to be a 3rd party soution that will do a full disk encryption but leave how the user logs into the machine alone.

I'm also looking similar to this for corporate environment. Any tool of software to accomplish this?

Hi Rich, I need to be able to type in a user name at log in (AD credentials) and not show the user accounts on the machine. I also need to have the password up to date from AD. From what I can tell now, if a user changes their password from another machine, and FV2 is enabled, the password would be the old password. Also, I am unable to log into the machine as another user unless the account has been cached locally before. Basically, I need to replicate how our Windows 7 users authenticate and make the user experience as close as possible on the Macs. Network login before FV2 encryption did this very well. I'm thinking there has to be a 3rd party soution that will do a full disk encryption but leave how the user logs into the machine alone.

Looking for the same functionality in a corporate, network user environment. Is there a good filevault alternative?

I know this thread is old, but I need to do precisely this now. To borrow the words of krischelj above, who stated it perfectly: "I need to be able to type in a user name at log in (AD credentials) and not show the user accounts on the machine. I also need to have the password up to date from AD". ..."Basically, I need to replicate how our Windows 7 users authenticate and make the user experience as close as possible on the Macs". Did anyone find a solution (third party or otherwise) to this?

Bumping this. I'm in the same situation as OrdinaryGeek and krischelj. Need to use AD to authenticate and not cause issues with changing passwords, as well as not listing users at login.

Any solutions out there, third party or otherwise?

@brian_mccarthy When you're at the FV2 login screen, you're actually booted into the recovery partition on the machine with no network connectivity (at least on WiFi only devices, not sure what state wired machines are in at this point). You're not going to be able to connect to an AD server to authenticate with current credentials for anyone that already has an account on the machine, nor will you be able to log in any arbitrary AD user.