Posted on 06-13-2024 05:55 AM
Hello,
I would like to have your opinions on a subject concerning FileVault-encrypted computers that need to be sent to an external customer after-sales support service.
What is the best procedure, knowing that our managers want the devices to be sent to the external support service encrypted?
These Macs have only one FV user account with a SecureToken, that of the end user, whose password we don't know.
The only local admin account created during the prestage is managed by LAPS.
What would you advise me?
Thank you
Posted on 06-13-2024 07:47 AM
There is not really a way to do what you are asking, by Apple's design.
The only way to give a FileVault token to someone is by using the username and password of an account with a FileVault token. The user then needs to enter their username and password to accept the token. Without the user knowing the password of your local admin account, they cannot get past FileVault to log in to macOS. Once logged in to macOS, the user would need the local admin credentials one more time to give themselves a FileVault token.
It is technically possible to script some of this. If the local admin account's username and password are known and static, you can hard-code them in a script with fdesetup. The script still needs the user's username and password; the username can be found with a variable simply enough, but the password must be provided by the user through some kind of ask popup with AppleScript and written into the script as a variable. Because this workflow needs both the local admin password AND the user's password, it's a pretty big security risk.
Apple's design is to have the user enable FileVault. Any method to try to get around this requires that the user either knows the local admin credentials, or that you have a tech perform heavy-touch deployments to manually grant FileVault access.
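As an added example (not part of this thread or of any Jamf workflow), a pre-ship audit script that parses `fdesetup list` output to check whether the LAPS-managed admin can unlock FileVault or whether only the end user can; the admin account name `lapsadmin` and the sample list output are constructed.

```shell
#!/bin/sh
# Pre-ship FileVault audit: confirm which accounts can unlock the disk before
# a Mac leaves for external support. On a real Mac the list comes from
# `sudo fdesetup list`; the functions also accept captured output so the
# logic can be checked offline. Sample names and UUIDs are constructed.

# Print the account names from `fdesetup list` output ("username,UUID" lines).
fv_users() {
    # $1: text in the `fdesetup list` format
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# Return 0 if the named account has a FileVault unlock entry, 1 otherwise.
fv_has_user() {
    # $1: fdesetup list output, $2: account name
    fv_users "$1" | grep -qx -- "$2"
}

# Count FileVault-enabled accounts (prints 0 when there are none).
fv_user_count() {
    fv_users "$1" | grep -c .
}

# Summarise the situation in the thread: if the admin account is not
# FileVault-enabled, nobody but the end user can unlock the device.
fv_audit() {
    # $1: fdesetup list output, $2: local admin account name (assumed name)
    if fv_has_user "$1" "$2"; then
        echo "OK: $2 can unlock FileVault; device can ship encrypted"
        return 0
    fi
    echo "WARN: $2 has no FileVault entry; $(fv_user_count "$1") account(s) can unlock: $(fv_users "$1" | tr '\n' ' ')"
    return 1
}

# Constructed sample standing in for a real `fdesetup list` run: one FV user.
SAMPLE_LIST='enduser,3F2504E0-4F89-11D3-9A0C-0305E82C3301'

# On a real Mac use: LIST=$(sudo fdesetup list); fv_audit "$LIST" lapsadmin
# A non-zero status here means the Mac cannot be unlocked without the end user.
fv_audit "$SAMPLE_LIST" "lapsadmin" || :
```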
Posted on 06-13-2024 08:07 AM
OK, I understand.
Thank you for your help.