Authenticate to Wifi before Login with FileVault enabled?

Duke78
New Contributor III

I circulate MacBooks in a library context, so multiple users use the same machine throughout the day. I'm required to have my MacBooks disk encrypted, and I need my users to be able to login to these MacBooks wirelessly with their Active Directory accounts. But I think FileVault prevents users from authenticating to the network before they login to the MacBook, is that right? Is it possible for users to login to wifi before they login to the FileVault-enabled MacBook?

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor III

Unfortunately, no. Keep in mind that Active Directory is a Microsoft technology, designed specifically for Windows. Apple pays no regard to Active Directory or any LDAP server and stopped developing macOS with domain binding in mind a very long time ago. As far as Apple is concerned, domain binding is a deprecated workflow. Apples desire for macOS is to be 1:1 deployment, or lab deployments with FV disabled. FileVault is simply not designed to be used with mobile accounts or in x:1 deployment situations.

 

Is there a way to grant a FileVault token to all users under my organization's Active Directory before they attempt to login to our machines?

For an account to get a FileVault token, it must have a local account on the Mac and for that account to have authenticated (though this can be done with CLI with some crafty scripting and DSCL). For all your users to be able to receive a FileVault token, you would need to cache every AD account on every Mac. Then you would need to know the password for all those accounts to be able to script out granting them a FileVault token. That is not even getting in to the mess of figuring out password rotation.

 

So that new users can login to FileVault machines?

As unsecure as it sounds, your best option with your workflow is to have a shared FileVault account. Then have a Configuration Profile that disables FileVault passthrough authentication. This way a user uses this shared account to clear FileVault, then they would log in to macOS with their credentials rather then that shared account logging in automatically. This does raise a lot of concerns as this shared account is a low hanging fruit of an attack vector. 

 

 

MacOS handles out a FileVault token to all accounts that have previously interactively logged in to macOS when FileVault is enabled. All future accounts need to be manually given a token by an account that already has a token. This can be done from CLI, but you still need to know the username AND PASSWORD for both the account giving the FileVault token, and the account receiving the FileVault token. 

 

Note: FileVault tokens, Volume Ownership, and Secure Tokens are closely related. Trying to bypass dealing with FileVault tokens by using a shared account, will cause issue with the other tokens as you are working well outside of the box Apple has built.

 

TL;DR: No, what you are wanting to do is not really possible and below are some resources.

 

Manage FileVault with mobile device management - Apple Support

Configure a FileVault setting in Apple Business Essentials - Apple Support

Protecting Data with FileVault — Deployment and Management Tutorials | Apple Training

Apple Platform Security - Apple Support

 

View solution in original post

9 REPLIES 9

AJPinto
Honored Contributor III

FileVault has no concept of a network, Ethernet, Wi-Fi or otherwise. FileVault is just a disk encryption tool, nothing more, nothing less.

Only users who have previously logged in to macOS from the log in screen (not FileVault) and have a FileVault token can log in to FileVault.

 

 

Duke78
New Contributor III

Is there a way to grant a FileVault token to all users under my organization's Active Directory before they attempt to login to our machines? So that new users can login to FileVault machines?

AJPinto
Honored Contributor III

Unfortunately, no. Keep in mind that Active Directory is a Microsoft technology, designed specifically for Windows. Apple pays no regard to Active Directory or any LDAP server and stopped developing macOS with domain binding in mind a very long time ago. As far as Apple is concerned, domain binding is a deprecated workflow. Apples desire for macOS is to be 1:1 deployment, or lab deployments with FV disabled. FileVault is simply not designed to be used with mobile accounts or in x:1 deployment situations.

 

Is there a way to grant a FileVault token to all users under my organization's Active Directory before they attempt to login to our machines?

For an account to get a FileVault token, it must have a local account on the Mac and for that account to have authenticated (though this can be done with CLI with some crafty scripting and DSCL). For all your users to be able to receive a FileVault token, you would need to cache every AD account on every Mac. Then you would need to know the password for all those accounts to be able to script out granting them a FileVault token. That is not even getting in to the mess of figuring out password rotation.

 

So that new users can login to FileVault machines?

As unsecure as it sounds, your best option with your workflow is to have a shared FileVault account. Then have a Configuration Profile that disables FileVault passthrough authentication. This way a user uses this shared account to clear FileVault, then they would log in to macOS with their credentials rather then that shared account logging in automatically. This does raise a lot of concerns as this shared account is a low hanging fruit of an attack vector. 

 

 

MacOS handles out a FileVault token to all accounts that have previously interactively logged in to macOS when FileVault is enabled. All future accounts need to be manually given a token by an account that already has a token. This can be done from CLI, but you still need to know the username AND PASSWORD for both the account giving the FileVault token, and the account receiving the FileVault token. 

 

Note: FileVault tokens, Volume Ownership, and Secure Tokens are closely related. Trying to bypass dealing with FileVault tokens by using a shared account, will cause issue with the other tokens as you are working well outside of the box Apple has built.

 

TL;DR: No, what you are wanting to do is not really possible and below are some resources.

 

Manage FileVault with mobile device management - Apple Support

Configure a FileVault setting in Apple Business Essentials - Apple Support

Protecting Data with FileVault — Deployment and Management Tutorials | Apple Training

Apple Platform Security - Apple Support

 

Duke78
New Contributor III

Thanks so much for all of this helpful information.

mm2270
Legendary Contributor III

FileVault simply wasn't designed with the idea of many users using the same device in mind. It's really best in a 1:1 scenario, and works poorly in a shared device scenario. And unfortunately (or maybe fortunately) there are no longer any 3rd party disk encryption tools for the Mac you can use. It's basically FileVault or nothing.

talkingmoose
Moderator
Moderator

Other folks have chimed in well about the behaviors of FileVault.

I’m always curious about statements like “I’m required to have my MacBooks disk encrypted..."

FileVault only protects data on the disk while the computer is turned off. Once someone has unlocked the computer, its job is done and the only security you have in place are macOS permissions.

Regardless of whether you’re receiving a mandate from somewhere else, do you really need to enable FileVault on computers shared by multiple users? Are they saving sensitive data to the computers that requires protection while they're turned off?

Duke78
New Contributor III

Nope, no sensitive data at all. I'm hoping this will be justification to exempt my lab from this requirement. 

AJPinto
Honored Contributor III

Honestly, if the devices will not be leaving a "secured" location. There is really no reason to enable FileVault.

 

The devices could be mounted in a manner where unauthorized personal could not simply pick them up and walk away, assuming this lab is not access controlled to begin with. DLP tools to prevent data exfiltration over USB drives or whatever, can also mitigate the ability to remove data from the devices.

mm2270
Legendary Contributor III

Yeah. It's a great question. With shared devices, it doesn't make much sense to consider data at rest encryption, since, as you stated, once the disk is unlocked, the data is no longer encrypted and is fair game. I can understand some of the concern when discussing laptops, which are more prone to walking off than say, a desktop iMac, etc. But there are ways to ensure that risk is minimized or even eliminated.

Trying to wedge FileVault into a lab style setting regardless of the type of devices is going to be, at the least, problematic, and at the worst, a nightmare to manage.