Posted on 09-24-2024 08:34 AM
Hi
I've set up SSO connections to connect each time the Mac is restarted.
In my case, users always connect by SSO. But I want users to be able to switch Macs easily between each other.
Except that once user A lends his Mac to user B, even if I've forced all connections to go through SSO, it will ask me for user A's password because FileVault needs to unlock the disk before proposing a connection by SSO.
Do you have any idea how I can make FileVault and SSO work together so that user B can connect without requiring user A's password?
Thanks
Posted on 09-24-2024 10:31 AM
It's not possible due to how Apple has FileVault access provisioned. macOS is really designed to be 1:1, and to have the OS reinstalled between users unless you leave FileVault disabled.
FileVault access is granted by a FileVault Token, which is also deeply tied to Volume Ownership and Secure Tokens. The only time the OS automatically gives a token is when FileVault is enabled for the first time; it grants a token to whoever enabled it. For anyone else to get a FileVault token, someone with a FileVault token must manually "pass" the token with System Settings or with Terminal. Considering that the password of the user with a FileVault token must be entered into the command to grant a token, this prevents any form of automation.
Posted on 09-25-2024 06:22 AM
Thanks so much for all the information, AJPinto