Disk Encryption Management - Looking for Advice on Best Practices

danbaver
New Contributor III

Hello,

I am in the midst of a Jamf PoC and am looking for some advice on File Vault configuration.

I currently have two machines in my test environment: one running 10.12.6; the other 10.13.3. I created a configuration to enable FileVault with Enabled FileVault User set to "Current or next user."

It worked perfectly on the 10.12 machine, but not 10.13. I know there's a bug with 10.13 that prevents Active Directory users from activating FileVault. Is there any way around this within Jamf?

I am also curious to know if there is any strategy to handle machines that already have FileVault enabled.

Thanks in advance!

-Dan


blackholemac
Valued Contributor III

@rtrouton is the best FileVault expert I know. I tagged him hoping he’ll chime in with advice as he is on these boards.

arivera
New Contributor III

I need to set up FileVault2 for all incoming new users, the person before me apparently attempted to do this but was not able to achieve it successfully. I hope @rtrouton shows up!

danbaver
New Contributor III

@arivera I'm making some good progress. I'll report back here once I have things running (more or less) smoothly.

I assume all your new users are running Macs with 10.13?

PhillyPhoto
Valued Contributor

This is why I'm trying to have users hold off from upgrading to 10.13 completely. Apple changed a lot when it came to encryption this time around.

The best part? We use the python create user script to create a local admin account when imaging. The problem with that? Users created via CLI don't get a secure token and can't enable FileVault! Domain users can't either, so on 10.13.2+ we can't enable FV....

I'm currently working on a domain device in which I created an Admin account via System Preferences, and still don't have permission to enable FileVault. When I run:

sudo sysadminctl -secureTokenStatus adminaccount

from Terminal, I get:

2018-03-09 10:44:40.716 sysadminctl[15494:73011] Failed to authenticate with SystemAdministration framework.

Oh, and forget about using the FileVault key redirection payload in a configuration profile too. It will explicitly deny you from enabling FV if that's installed.

arivera
New Contributor III

@danbaver Great! All new users are on High Sierra, and I'm going to be rolling out a company-wide High Sierra upgrade soon. Just running tests right now!

danbaver
New Contributor III

@PhillyPhoto You have to run it this way:

sudo sysadminctl interactive -secureTokenStatus someUser

Which makes it tricky to script so it would otherwise run without user interaction.

PhillyPhoto
Valued Contributor

@danbaver I run it with the interactive flag:

sudo sysadminctl interactive -secureTokenStatus adminuser

And get the popup asking for credentials to "unlock the drive", and it shows the following on stdout:

2018-03-09 13:53:03.545 sysadminctl[58469:213513] ### Error:-14090 File:/BuildRoot/Library/Caches/com.apple.xbs/Sources/Admin/Admin-674/DSAuthenticator.m Line:94
2018-03-09 13:53:03.551 sysadminctl[58469:213513] Secure token is ENABLED for user adminuser

But I'm still not authorized to enable encryption after performing:

  1. System Preferences
  2. Security & Privacy
  3. FileVault
  4. Unlock
  5. Turn On FileVault...
  6. Create a recovery key and do not use my iCloud account
  7. Continue

I get a pop-up saying "Authentication server failed to complete the requested operation."

In Terminal, manually running "sudo fdesetup enable" and entering the admin account name and password it says "Error: A problem occurred while trying to enable FileVault. (-69556)"

danbaver
New Contributor III

Okay, I believe I have it working! Using this script:

https://github.com/ToplessBanana/tutorials/tree/master/HOW-TO-self-service-filevault-and-securetoken

There are a few tweaks to make for 10.13.3.

First, under the section:

# Uses AppleScript to prompt the currently logged in user for their account password.

You need to move the closing parenthesis below EOT, so...

return pwd
end if
end tell
EOT
)

Then in the enableSecureToken section, add the interactive flag:

enableSecureToken() {
    # Quote the variables so usernames or passwords containing spaces or shell metacharacters survive word splitting.
    sudo sysadminctl interactive -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
}

Make sure you follow all of his notes at the end. It didn't work for me at first, but then I started over and it works like a charm. Not sure what I did wrong the first time around.

Even though the interactive flag isn't needed for 10.13.2, it still works. It did not however work for 10.13, for what it's worth.
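The procedure described in the post above (prompt the logged-in user for their password, check whether they hold a SecureToken, grant one from a token-holding admin with the `interactive` flag, then enable FileVault), as an added example that is not the linked script or Jamf's own code. It assumes a Jamf policy running the script as root on 10.13.x and passing the token-holding admin's username and password plus the target username as three positional parameters; the function names (`parse_token_status`, `fdesetup_plist`, `token_status`, `prompt_password`) are this example's own. The status-line parser mirrors the output format shown earlier in the thread, where the `Secure token is ENABLED for user` line follows a spurious `### Error:-14090` line and both go to stderr, which is why both streams are captured. The real commands only run on macOS; the helpers can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not the script linked in the thread). Runs as root from a
# Jamf policy: ./enable_fv.sh <adminUser> <adminPassword> <targetUser>
set -u

# Classify the output of `sysadminctl interactive -secureTokenStatus <user>`.
# Prints ENABLED, DISABLED or UNKNOWN (e.g. the "Failed to authenticate with
# SystemAdministration framework" case seen when the flag is omitted).
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED for user"*)  echo "ENABLED" ;;
    *"Secure token is DISABLED for user"*) echo "DISABLED" ;;
    *)                                     echo "UNKNOWN" ;;
  esac
}

# Escape & < > so a password never breaks the plist handed to fdesetup.
xml_escape() {
  printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Input plist for `fdesetup enable -inputplist`: credentials go over stdin,
# not the argument list, so they never appear in `ps` or the policy log.
fdesetup_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$1")</string>
  <key>Password</key><string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# Both stdout and stderr are captured: on 10.13.3 the status line lands on
# stderr after the "### Error:-14090" line.
token_status() {
  parse_token_status "$(sysadminctl interactive -secureTokenStatus "$1" 2>&1)"
}

# Ask the logged-in user for their own password with a hidden-answer dialog.
prompt_password() {
  osascript -e "display dialog \"Enter the login password for $1:\" default answer \"\" with hidden answer" \
            -e 'text returned of result'
}

main() {
  admin_user=$1; admin_pass=$2; target=$3
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }

  # Machines that are already encrypted: report and stop rather than re-run
  # fdesetup enable, which fails on an already-enabled volume.
  if fdesetup status | grep -q "FileVault is On"; then
    echo "FileVault already on; enabled users:"; fdesetup list
    return 0
  fi

  target_pass=$(prompt_password "$target") || return 1

  if [ "$(token_status "$target")" != "ENABLED" ]; then
    # The admin supplying the token must hold one itself; "interactive" is
    # what made this work on 10.13.3 in the post above.
    sysadminctl interactive -adminUser "$admin_user" -adminPassword "$admin_pass" \
      -secureTokenOn "$target" -password "$target_pass"
    [ "$(token_status "$target")" = "ENABLED" ] || {
      echo "could not grant a SecureToken to $target" >&2; return 1; }
  fi

  # fdesetup prints the personal recovery key on stdout; add -outputplist
  # and escrow it rather than letting it sit in the policy log.
  fdesetup_plist "$target" "$target_pass" | fdesetup enable -inputplist
}

# Only run for real on macOS with all three arguments.
if [ "$(uname)" = "Darwin" ] && [ $# -eq 3 ]; then main "$@"; fi
```

Because the password prompt runs as the console user's dialog while `sysadminctl` and `fdesetup` run as root, the script assumes a user is logged in at the GUI; run it from a Jamf policy triggered at login or from Self Service, not at check-in on a locked screen.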

KSchroeder
Contributor

There is a bug in 10.13.x that is supposedly fixed in 10.13.4 (probably out by end of month) that should fix this issue with Mobile (Active Directory) accounts. But I'm still really annoyed with Apple and Jamf that they've (I think, mostly Apple) made this so hard to do. Really, with the leading Mac management platform, turning this stuff on should be pretty easy... but of course nothing is easy with Apple!

danbaver
New Contributor III

I've been discussing with the Jamf engineer I've been working with if this is a "feature" or a "bug" in macOS. We're inclined to think it's a feature, judging by the direction Apple has been moving with security.

My POC is over, and I'm just waiting for my company's legal department to do their thing so a PO can get signed and I can really get to work on this. If 10.13.4 breaks what I figured out here, I'm going to be annoyed. :)