Posted on 10-28-2016 05:19 AM
My client has a requirement to encrypt their Macs after they are built at a 3rd party build site. They should then be shipped to the users encrypted and the users should be passed the credentials separately to decrypt the device. This requirement is so that they can be confident that the devices have not been intercepted on route to the end user and had the hard drive extracted to inject malware.
The intention is that the users then logout of the Mac and login with their AD credentials. Upon this initial AD login they want the users AD account to be enabled for FileVault and the build account that was enabled for FileVault to be disabled/deleted.
Passing any form of passwords to the device does not meet their security policy, nor does enabling FileVault for the Casper Management account (as they cannot have it showing on the pre-boot FileVault screen).
I have been unable to find any solution to this. Is it possible or am I wasting my time until Apple give us an option for a username and password FileVault pre-boot screen?
My current plan is to have someone on the HelpDesk connect remotely and enable FileVault for the user's AD account manually. Labour intensive, but secure and reliable. Does anyone have any better ideas?
Posted on 10-28-2016 07:14 AM
Once encrypted you have no options to modify that enterprise unfriendly, crummy pre-boot authentication window that exist today with the icon view and name of authorized user(s).
I don't think this is going to change anytime before we see the new encryption scheme that develops next year with the new Apple File System. Best I can tell, with that, encryption will be standard and our methods and means of managing will change substatially.