Does the fdesetup sync command also work with AD? The documentation only refers to OD which we're phasing out.
Answer
FileVault2 - Does sync command work with AD?
Best answer by rich.trouton
fdesetup sync should work with any directory service. One way to verify this should be to add a test account to AD, then add the account to a FileVault 2-encrypted Mac. Once you've verified that the AD account shows up at the FileVault 2 pre-boot login screen, remove the AD account from your AD domain and run fdesetup sync on your test Mac.
Once fdesetup sync has been run, reboot the Mac and see if the test AD account is showing up at the pre-boot login screen. It shouldn't show up, as fdesetup sync should have checked with AD and seen that the account was no longer listed as an account.
Note: The AD account needs to be actually removed from the AD domain. Disabling it will not trigger fdesetup sync to remove it from the pre-boot login screen.
+13GREAT question. That's something worth testing (since there's not any output when I run it, and the verbose flag doesn't apply).
fdesetup sync should work with any directory service. One way to verify this should be to add a test account to AD, then add the account to a FileVault 2-encrypted Mac. Once you've verified that the AD account shows up at the FileVault 2 pre-boot login screen, remove the AD account from your AD domain and run fdesetup sync on your test Mac.
Once fdesetup sync has been run, reboot the Mac and see if the test AD account is showing up at the pre-boot login screen. It shouldn't show up, as fdesetup sync should have checked with AD and seen that the account was no longer listed as an account.
Note: The AD account needs to be actually removed from the AD domain. Disabling it will not trigger fdesetup sync to remove it from the pre-boot login screen.
+24That's good to know, but I wonder, will the fdesetup sync process, once run, prevent someone with a disabled AD account from logging in at the FV2 screen, or will it still allow unlock of the Mac and just stop them at a username/password style login screen? I'm guessing some of the process may depend on whether the Mac is in range of the DCs when the login occurs. Curious to know more about how that works as these same questions may come up for us now that we're using FV2 for FDE.
fdesetup sync won't do anything with regards to disabled accounts. That said, if the account is disabled and the Mac's OS has a chance to communicate with AD, here's what happens:
- Mac boots
- You can log in with the disabled account at the FileVault 2 pre-boot login screen
- You get stopped at the regular login window.
+24Thanks for confirming that Rich. That's kind of what I was thinking would happen, but we hadn't tested this out. Of course this does require the Mac to be communicating with AD as you stated, so Macs off the network won't initially get blocked from login. Eventually it will once they've been out of communication for too long though.
+13You can also do a targeted remove with fdesetup, so in the actual event of a terminated employee, as long as it's online somewhere and you can ssh in, you can kick the user out.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.