Access to svcCasperAdmin Account with FileVault2 Encryption

sepiemoini
Contributor III

I had a user working remotely enroll into JSS via the Casper Agent web-enroll. The machine was successfully added to Casper but then an automatic encryption policy kicked off (this has since been disabled and all encryption is done manually), rebooted as per the policy, and she immediately lost access to any local accounts and the encryption policy failed. This makes sense because the machine lost connectivity to Casper after it rebooted because the user was off-site.

To make matters worse, our svcCasperAdmin account has a unique password automatically and randomly-generated. As it stands, the user is only able to see the svcCasperAdmin and Guest accounts when rebooting with no access to the former and no use outside of Safari to the latter.

We were able to procure the recovery FileVault2 encryption key via Casper but because its last communication/check-in was prior to the encryption, this key is not recognized by the svcCasperAdmin account.

Any ideas on accessing the svcCasperAdmin account or her old, local administrator account prior to encryption?


1 ACCEPTED SOLUTION

sepiemoini
Contributor III

UPDATE: I am still gainfully employed and was able to recover the user's data from the partially-encrypted machine. I booted into Recovery Mode, opened Disk Utility and went to File>Decrypt/Turn Off Encryption. After this, I was able to back up the user's data from Terminal AND Target Disk Mode without having to unlock the media.


5 REPLIES

Josh_Smith
Contributor III

Hmm that is no fun!

I believe the FV2 encryption doesn't actually start until you have successfully authenticated at the FV2 login page after the reboot (because of this type of potential issue). If that is correct you should be able to boot the Mac in target disk mode and recover the data without a key/working account.

psliequ
Contributor III

Can you post a screenshot or details of the de-activated encryption policy that took effect?

sepiemoini
Contributor III

@psliequ That would have been nice to include but it was quickly modified and what is shown in its current state is not very helpful as it has been drastically changed.

sepiemoini
Contributor III

@Josh.Smith have the machine here and unfortunately I am being prompted for an unlock password. Any other suggestions? The FV2 recovery key that we have, local admin account and user account passwords have not worked either.
