Posted on 05-18-2022 02:01 PM
I would like to create a user account with FileVault 2 enabled from JAMF without user interaction.
The case is that we have JAMF Connect under Okta and would like to have a bunch of laptops for multi-user purposes (shared computer).
Basically, we want to deploy JAMF Connect on laptops that are already in use (no problem so far). Then, when a new user comes in and wants to log into the computer after a restart or shutdown, he needs an account password, or someone else to unlock FV, and then gets access to JAMF Connect so that he can log in with his credentials (which will then create his account automatically).
The problem is that I would like to create a user with FileVault 2 enabled and a known password, so that when a new user comes in and wants to log into the machine, he will enter that login and password (he will know the password), then unlock FV, and then enter his credentials in JAMF Connect to log in, all without assistance.
So how can I create that type of user in JAMF through a script or something, without any interaction, and then share that same password with everyone?
Posted on 05-23-2022 12:30 PM
I understand what you're asking for and why you would want this - I ran into it recently as well. However, you're essentially asking for two conflicting things - the security of FV encrypting your data at rest and the convenience of anyone in your organization being able to access that data via the shared account; but the good practice these days from Apple seems to be to really consider your use case and why you need to do it and adjust your policy and implementations accordingly.
Going down the path of having Macs shared by multiple varying users with FileVault enabled is going to cause other complications. For example, you're going to get a call anytime a user who has logged into one of those Macs before, then changed their password from a different Mac, then comes back to that shared Mac - because either their local FV password is out of sync (if they still remember the previous password and think to try it) OR that they can't log into that Mac because it's not taking their current password. Sure, the generic account would solve these cases too, but again not the way Apple thinks this should be solved.
Are home folders stored as encrypted disk images still available? If so, that kind of gives you the best of both worlds - each user's data remains encrypted at rest and you then don't need this wonky FV kludge. Hm... looks like encrypted user homes are no longer built-in, and other implementations no longer work, as indicated here: https://gist.github.com/chetstone/8a1294dc3aab9d494e5344dba94e09f0. I'd imagine you could do something with a script that creates the DMG on first login, sets it as a startup item to be mounted via keychain password, and moves / links all the usual folders inside ~ onto the DMG except the login items, including mounting the DMG? Or maybe a loginhook script would be better...
Posted on 05-24-2022 01:30 PM
From a prior environment where I was able to get this going, you are going to need to make sure you've got a few things going. First, for this you are going to need to make sure that the Connect profile sets all new users up as admins. You are also going to need to make sure you have another local account that's set up as an admin and that account is used as a bootstrap token on your MDM. From what I remember, that should allow for what you are looking for.
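One way to script the account the original question asks for, using an existing secure-token admin of the kind the last reply describes, is the policy script below. It is an added example and not code from this thread or from Jamf; the Jamf parameter positions ($4 to $7), the account name `unlock`, and the assumption that the boot volume is APFS with FileVault already on are all mine. It creates a standard (non-admin) local account, grants it a secure token from the existing admin, and then confirms with `fdesetup list` that the account can unlock the volume, falling back to `fdesetup add -inputplist` if the token grant alone did not register it.

```bash
#!/bin/bash
# Added example, not from the thread: create a shared local account that can
# unlock FileVault, run as a Jamf policy script. Assumptions: an existing local
# admin that already holds a secure token (the bootstrap-token admin from the
# last reply), credentials passed as Jamf script parameters $4..$7, and an APFS
# boot volume with FileVault already enabled.
set -eu

FV_ADMIN_USER="${4:-}"      # existing secure-token admin (assumed name/position)
FV_ADMIN_PASS="${5:-}"      # that admin's password
SHARED_USER="${6:-unlock}"  # shared account to create (assumed default name)
SHARED_PASS="${7:-}"        # shared account password

# Escape a value for use inside a plist <string> element so that passwords
# containing &, < or > cannot break (or inject into) the XML fed to fdesetup.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the input plist that `fdesetup add -inputplist` reads on stdin:
# an existing FileVault user authorises adding the AdditionalUsers entries.
build_fdesetup_plist() {
  admin_user="$(xml_escape "$1")"; admin_pass="$(xml_escape "$2")"
  new_user="$(xml_escape "$3")";   new_pass="$(xml_escape "$4")"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>${admin_user}</string>
  <key>Password</key><string>${admin_pass}</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>${new_user}</string>
      <key>Password</key><string>${new_pass}</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# True if the user appears in `fdesetup list` (output is "user,UUID" per line),
# i.e. the account holds a key that can unlock the FileVault volume.
fv_user_enabled() {
  fdesetup list | cut -d, -f1 | grep -qx "$1"
}

create_shared_fv_user() {
  # 1. Create the local account as a standard user, authenticating as the
  #    secure-token admin so the new account is eligible for a token.
  if ! id "$SHARED_USER" >/dev/null 2>&1; then
    sysadminctl -addUser "$SHARED_USER" -fullName "Shared Unlock" \
      -password "$SHARED_PASS" \
      -adminUser "$FV_ADMIN_USER" -adminPassword "$FV_ADMIN_PASS"
  fi
  # 2. Grant the secure token explicitly (idempotent if already held).
  sysadminctl -secureTokenOn "$SHARED_USER" -password "$SHARED_PASS" \
    -adminUser "$FV_ADMIN_USER" -adminPassword "$FV_ADMIN_PASS"
  # 3. On APFS the token usually makes the account a FileVault user already;
  #    if not, add it through fdesetup with the plist built above.
  if ! fv_user_enabled "$SHARED_USER"; then
    build_fdesetup_plist "$FV_ADMIN_USER" "$FV_ADMIN_PASS" \
      "$SHARED_USER" "$SHARED_PASS" | fdesetup add -inputplist
  fi
  # 4. Verify; a non-zero exit fails the Jamf policy so the gap is visible.
  fv_user_enabled "$SHARED_USER"
}

# Only act when the policy actually supplied credentials.
if [ -n "$FV_ADMIN_USER" ] && [ -n "$SHARED_PASS" ]; then
  create_shared_fv_user
fi
```

Two points worth keeping in mind when deploying this: the shared password becomes a FileVault unlock secret for every Mac the policy touches, so it should be rotated on a schedule and the policy scoped only to the shared fleet; and because Jamf script parameters are stored in the policy and visible to anyone with policy rights, the account deliberately stays a standard user so that knowing its password does not also hand out local admin.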