Posted on 01-29-2015 07:26 AM
Yo..
We're about to start piloting FileVault; however, in addition to the main user being enabled for FV, we also need a management account enabled as well. Yes, we can push out a policy to enable it for the management account, but that would expose the account name at the login screen.
So we thought we'd create and use another account called "Recovery"
Aside from setting the policy to run once per user, when setting up the policy, what do you guys recommend to make sure these 2 accounts are enabled for FV at first reboot upon pushing the policy?
Posted on 01-29-2015 07:35 AM
I'll be the first to jump in here.
We don't enable the management account in our environment as it's hidden everywhere. Putting it as an authorized FileVault user lets people know it's there. I know it's been asked for as a feature by Apple before.
Instead, if we need to get into the users computer, we reset their password using the personal recovery key, stored in casper.
Posted on 01-29-2015 08:05 AM
We've gone the route of having the user, and our local admin account as FV2 Users.
On enrollment the admin account will be activated, then we add in the user to FV2 users.
On rolling out to current users we have a policy which creates the local admin account again with FV2 ticked (shows as failed if the account is already there, but still promotes the account).
Not the best looking and I'd love a better way. fdesetup -usertoadd localadmin script may be what you're looking for.
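As an added example (not from this thread or from any poster), the fdesetup route mentioned above can be scripted so that an already-enabled account adds a second unlock account, and the result can be checked against the output of fdesetup list before the first reboot. The plist format is the one fdesetup add -inputplist reads on stdin; the account names, the password variables and the sample listing are constructed for illustration, and the second account could be the non-admin "Recovery" account discussed later in the thread:

```shell
#!/bin/bash
# Added example: enable an extra FileVault unlock account via fdesetup and
# verify that the expected accounts are enabled. Assumes an account that is
# already FileVault-enabled (here "jsmith") and an existing local account to
# add (here "Recovery"); both names and passwords are placeholders.

# Build the plist that `fdesetup add -inputplist` reads on stdin.
# $1 = existing FV-enabled user, $2 = its password,
# $3 = account to add, $4 = that account's password.
fv_add_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$1</string>
  <key>Password</key><string>$2</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>$3</string>
      <key>Password</key><string>$4</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Pipe the plist straight into fdesetup so the passwords never touch disk.
# macOS only, must run as root; not called automatically by this script.
fv_add_user() {
  fv_add_plist "$1" "$2" "$3" "$4" | /usr/bin/fdesetup add -inputplist
}

# Given the output of `fdesetup list` (one "username,UUID" line per enabled
# account), return 0 only if every account named in the remaining arguments
# is enabled. Use this as the policy's success check before rebooting.
fv_check_enabled() {
  local listing="$1"; shift
  local account
  for account in "$@"; do
    printf '%s\n' "$listing" | cut -d, -f1 | grep -qx -- "$account" || return 1
  done
  return 0
}

# Constructed sample of `fdesetup list` output (UUIDs are made up).
SAMPLE_LIST='jsmith,B2F4C7D1-0000-4000-8000-000000000001
Recovery,B2F4C7D1-0000-4000-8000-000000000002'

# On a real Mac you would run instead:
#   fv_add_user "jsmith" "$ADMIN_PW" "Recovery" "$RECOVERY_PW"
#   fv_check_enabled "$(/usr/bin/fdesetup list)" jsmith Recovery
if fv_check_enabled "$SAMPLE_LIST" jsmith Recovery; then
  echo "both unlock accounts are FileVault-enabled"
else
  echo "an expected unlock account is missing from fdesetup list" >&2
fi
```

Because fdesetup prompts interactively unless given -inputplist, feeding the plist through a pipe is what lets this run from a policy; the check on fdesetup list is what tells you whether both accounts will actually appear at the pre-boot screen rather than trusting the policy's exit status.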
Posted on 01-29-2015 10:20 AM
If I had to have another account enabled at the FV login screen, I would use a non-admin account that only exists for that purpose. If that became compromised, at least there would be some security since it would not have root access, but someone with the appropriate credentials would be able to log into the real local administrator account from there.
Posted on 01-29-2015 10:47 AM
Hmm, that is actually not a bad idea at all @alexjdale. In fact, I might even go a step further and ensure the account has Parental Controls or other MCX/Config Profile controls in place to limit what it can do. Turn on Simple Finder for example, and restrict the applications the account can launch. Basically, make it something that can unlock the Mac from the FV2 boot screen, and log out, but very little else. From there, just log out and log back in at the regular OS X login screen to the actual local admin account.
Although we probably won't actually do anything like this, if we were tasked with having an additional account enabled for unlocking the drive, that's probably the route we'd take.
Posted on 01-29-2015 10:47 AM
+1 to everything everyone has said. I generally don't recommend FV2-enabling admin accounts. If you do need to unlock the disk and you don't have easy access to the individual or institutional users' recovery key, then create a non-admin user that can unlock the disk. Unlock the disk as them, log out, log back in as your local admin, problem solved.