Question

FileVault 2 Best Practices

  • April 18, 2013
  • 31 replies
  • 96 views


  • Contributor
  • August 9, 2016

To clarify, what I meant is you can't boot into single user mode if FileVault is enabled without having to enter a password first to unlock the volume.

I hadn't had to do this in a while, so I took this opportunity to go through all the steps again and review Apple's kbase article. It looks like the process has been made simpler. If you click the question mark in the password field on the FV unlock screen (or wait a certain amount of time) it now will let you enter the FV key right there. It's probably been like that for a while, but I hadn't noticed it before.


  • Hall of Fame
  • August 9, 2016

You can boot into single-user mode with FileVault 2 enabled, though you will need to unlock the volume as part of the process. For those interested, I have a post on this available via the link below:

https://derflounder.wordpress.com/2013/04/26/booting-into-single-user-mode-on-a-filevault-2-encrypted-mac/


  • Contributor
  • August 9, 2016

Well, without unlocking it first, I mean.

EDIT - Don't know why this post got delayed by 18 hours.


  • Honored Contributor
  • August 9, 2016

Don's point about keeping the FV keys out of the JSS is a good one... I have read or heard that some admins are manually enabling and redirecting them to AD and/or the same tool that stores BitLocker keys.

I just don't have the resources to do that...

C


  • Contributor
  • August 9, 2016

They seem pretty secure in the JSS though. Having them in two locations seems like it would increase the odds of them being exposed by a password leak into one of the (now twice as many) places they would now be stored. As I'm sure the people on this thread know, you can also deselect the checkbox for user privileges in your JSS, in theory giving admins/auditors/etc. access to every single JSS piece of data except the keys if that's what you prefer.


donmontalvo
  • Hall of Fame
  • August 9, 2016

Our goal is always to leverage existing infrastructure where it's possible and makes sense.

If there is a solution in place to which we can redirect FileVault 2 keys, it makes perfect sense to us.

Both from a security perspective, since the team that will handle them already handles BitLocker keys, but also as a diaper, in case something happens to the JSS, like having to migrate to a new JSS because the existing JSS went kablooie (which can happen to ANY solution).