AD Bound Mac Filevault Best practices

msdoni
New Contributor III

I am somewhat of a FileVault virgin, but am getting more and more pressure to enable it on my Macs. I have done some testing on my development network, but am finding it a bit tricky with AD-bound systems and using AD roaming profile logins.


sdagley
Esteemed Contributor II

@msdoni What you're wanting to do basically isn't possible with FileVault as it exists through macOS Catalina (in short, a Mac at the FileVault login screen doesn't have network connectivity, as it's a pre-boot system waiting for you to unlock the OS volume to boot). There are some changes coming in macOS Big Sur, but I don't think they'll get you there for AD logins.

msdoni
New Contributor III

I failed to mention that these AD logins are also creating mobile accounts. Does that change anything?

sdagley
Esteemed Contributor II

That'd depend on if those can get a SecureToken to unlock FileVault. And if the AD password for that account changes with the Mac offline/locked it's not going to work to log into the FileVault screen.

peaudunk
New Contributor III

Up through Catalina I've been enabling FV for the first mobile-account AD user (single-user systems) with fdesetup via script, using a manually set up admin that has a secure token and is then removed from the system after encryption. Not sure exactly what'll happen for Big Sur.

mschroder
Valued Contributor

I use AD accounts with my test Macs, and trying to get FileVault working for them is a pain in the lower back. I assume the extra complication I have is that I define access via netgroups, and when I try to give a secure token to any of the users in the netgroup I get a 'user unknown' message - even when the user in question is currently logged in ;)

Seems to me the best practice concerning FileVault for AD accounts is: avoid if you can.

AJPinto
Honored Contributor II

We AD bind our Macs and use mobile AD accounts as well. There has not been a way that I have found so far to streamline the FV provisioning process; FV lacks a lot of the features of BitLocker, like Network Unlock using network detection. Accounts present on the Mac before FileVault is enabled can be given a FV token as things encrypt, but to later add a FV token to an account post-encryption requires some work. It can be scripted, but you have to pass the user name and password in the bash script for a FV-enabled account to give a token, then prompt the user to enter their user name and password.

How we handle FV: We have a local admin account as per usual that users do not get access to, and a local account called "setup" with no admin access but which does have a FV token due to being created before we encrypt. We have to encrypt pre-deployment due to security policy. The user gets the computer and logs in to FileVault with the "setup" account, then just logs out if they get logged in to macOS and logs in with their account if they are on the corporate network (with other workarounds if remote). Once the user is logged in they run a policy that sets things up for them, like Office, provisioning admin access and granting a FileVault token using the setup account to pass the token; this policy also deletes the setup account so it does not linger around for security concerns.
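The two workflows above (peaudunk's temporary token-holding admin that is removed after encryption, and AJPinto's "setup" account that passes a token to the user's mobile account and is then deleted) share one shape: an existing SecureToken holder authorises the new account, the result is verified, and only then is the temporary account removed. The script below is an added example written for this thread, not either poster's script. It assumes macOS 10.13 or later with `sysadminctl` and `fdesetup`, that the temporary holder is named `setup` and the target is an already-created mobile account (both names are placeholders), and that it runs as root. Passwords are read from the terminal rather than embedded in the script; in a Jamf policy they would typically be collected with an osascript dialog instead. The text-parsing helpers are separated from the live commands so the logic can be checked on any platform.

```shell
#!/bin/sh
# Added example (not from the thread): grant a SecureToken/FileVault access
# to a mobile account using an existing token holder, verify, then delete
# the temporary holder. Account names "setup" and the target are assumptions.
set -eu

# Parse `fdesetup list` output ("username,UUID" per line); 0 if user is listed.
fv_list_has_user() {
  listing="$1"; user="$2"
  printf '%s\n' "$listing" | awk -F',' -v u="$user" \
    '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Parse the text printed by `sysadminctl -secureTokenStatus <user>`;
# 0 only when it reports an ENABLED token.
secure_token_enabled() {
  case "$1" in
    *"Secure token is ENABLED"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Decide whether the temporary holder may be removed: only when the target
# is both a FileVault user and a SecureToken holder. Pure function.
safe_to_remove_holder() {
  fv_list_has_user "$1" "$3" && secure_token_enabled "$2"
}

# Live wrappers (macOS only; sysadminctl prints its status on stderr).
fv_list_live()      { fdesetup list; }
token_status_live() { sysadminctl -secureTokenStatus "$1" 2>&1; }

# Read a password without echo. Cleared from the environment afterwards.
read_secret() {
  printf '%s' "$1" >&2
  stty -echo; read -r secret; stty echo; printf '\n' >&2
  printf '%s' "$secret"
}

grant_and_cleanup() {
  holder="$1"; target="$2"
  holder_pw=$(read_secret "Password for ${holder}: ")
  target_pw=$(read_secret "Password for ${target}: ")

  # Caveat: sysadminctl takes the passwords as arguments, so they are briefly
  # visible in the process list; fdesetup reads them from stdin instead.
  sysadminctl -secureTokenOn "$target" -password "$target_pw" \
              -adminUser "$holder" -adminPassword "$holder_pw"

  fdesetup add -usertoadd "$target" -inputplist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Username</key><string>${holder}</string>
  <key>Password</key><string>${holder_pw}</string>
  <key>AdditionalUsers</key><array><dict>
    <key>Username</key><string>${target}</string>
    <key>Password</key><string>${target_pw}</string>
  </dict></array>
</dict></plist>
EOF
  unset holder_pw target_pw

  # Never delete the only working token holder before the new one is proven.
  if safe_to_remove_holder "$(fv_list_live)" "$(token_status_live "$target")" "$target"; then
    sysadminctl -deleteUser "$holder"
    echo "Token granted to ${target}; ${holder} removed."
  else
    echo "Verification failed for ${target}; keeping ${holder}." >&2
    return 1
  fi
}

# Only run the live workflow on macOS when invoked with --run <target>.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
  grant_and_cleanup setup "$2"
fi
```

Run as `sudo ./grant_fv_token.sh --run jdoe` after the mobile account exists. The verification step is the part worth keeping even if the rest is adapted: an account that shows in `fdesetup list` but reports a disabled SecureToken will still be unable to unlock the volume after a password change, which is the failure mode sdagley describes above.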

obi-k
Valued Contributor II

Just curious, do you guys see long login times with Macs AD bound + Mobile accounts? When users log in, they see a black screen and cursor for several minutes until the Desktop appears. I've seen this from 10.12 to 10.15.

msdoni
New Contributor III

Actually no, unless the user has too much junk filling up their profile like on their desktop.

msdoni
New Contributor III

@AJPinto thanks. I will be doing some testing and this will help. Also will help me give some evidence to our IA Dept as to why this isn’t a simple one and done process and I will need a window of time.

AJPinto
Honored Contributor II

@msdoni I have many problems at my employer as well; I have conversations way too frequently on why things with macOS cannot be set up to function like they do on Windows. We are a Windows shop with some 50k Windows devices and fewer than 1000 Macs, and to make it better we are a financial institution with all those regulations. Our folks in IS have a hard time understanding the differences between macOS and Windows; thankfully I was a Windows admin for some 15 years so I can usually bridge the gap. Though I do get tired of explaining why we cannot report on macOS updates the same way we do with Windows lol.

msdoni
New Contributor III

@AJPinto that's my daily, except in the govt sector. I also have an extensive Windows background that has proven invaluable in getting things through or mitigated.