Posted on 08-27-2015 11:49 AM
I had a user working remotely enroll into JSS via the Casper Agent web-enroll. The machine was successfully added to Casper but then an automatic encryption policy kicked off (this has since been disabled and all encryption is done manually), rebooted as per the policy, and she immediately lost access to any local accounts and the encryption policy failed. This makes sense because the machine lost connectivity to Casper after it rebooted because the user was off-site.
To make matters worse, our svcCasperAdmin account has a unique password that is automatically and randomly generated. As it stands, the user is only able to see the svcCasperAdmin and Guest accounts when rebooting, with no access to the former and no use outside of Safari to the latter.
We were able to procure the recovery FileVault2 encryption key via Casper but because its last communication/check-in was prior to the encryption, this key is not recognized by the svcCasperAdmin account.
Any ideas on accessing the svcCasperAdmin account or her old, local administrator account prior to encryption?
Posted on 08-27-2015 12:02 PM
Hmm that is no fun!
I believe the FV2 encryption doesn't actually start until you have successfully authenticated at the FV2 login page after the reboot (because of this type of potential issue). If that is correct you should be able to boot the Mac in target disk mode and recover the data without a key/working account.
Posted on 08-27-2015 01:27 PM
Can you post a screenshot or details of the de-activated encryption policy that took effect?
Posted on 08-31-2015 06:32 AM
@psliequ That would have been nice to include but it was quickly modified and what is shown in its current state is not very helpful as it has been drastically changed.
Posted on 08-31-2015 09:59 AM
@Josh.Smith I have the machine here and unfortunately I am being prompted for an unlock password. Any other suggestions? The FV2 recovery key that we have, local admin account and user account passwords have not worked either.
Posted on 09-01-2015 10:17 AM
UPDATE: I am still gainfully employed and was able to recover the user's data from the partially-encrypted machine. I booted into Recovery Mode, opened Disk Utility and went to File>Decrypt/Turn Off Encryption. After this, I was able to back up the user's data from Terminal AND Target Disk Mode without having to unlock the media.