Posted on 03-02-2018 09:25 AM
Hello,
I am in the midst of a Jamf PoC and am looking for some advice on File Vault configuration.
I currently have two machines in my test environment: one running 10.12.6; the other 10.13.3. I created a configuration to enable FileVault with Enabled FileVault User set to "Current or next user."
It worked perfectly on the 10.12 machine, but not 10.13. I know there's a bug with 10.13 that prevents Active Directory users from activating FileVault. Is there any way around this within Jamf?
I am also curious to know if there is any strategy to handle machines that already have FileVault enabled.
Thanks in advance!
-Dan
Posted on 03-02-2018 09:56 AM
@rtrouton is the best FileVault expert I know. I tagged him hoping he’ll chime in with advice as he is on these boards.
Posted on 03-08-2018 09:05 AM
I need to set up FileVault2 for all incoming new users; the person before me apparently attempted to do this but was not able to achieve it successfully. I hope @rtrouton shows up!
Posted on 03-09-2018 07:37 AM
@arivera I'm making some good progress. I'll report back here once I have things running (more or less) smoothly.
I assume all your new users are running Macs with 10.13?
Posted on 03-09-2018 07:53 AM
This is why I'm trying to have users hold off from upgrading to 10.13 completely. Apple changed a lot when it came to encryption this time around.
The best part? We use the python create user script to create a local admin account when imaging. The problem with that? Users created via CLI don't get a secure token and can't enable FileVault! Domain users can't either, so on 10.13.2+ we can't enable FV....
I'm currently working on a domain device in which I created an Admin account via System Preferences, and still don't have permission to enable FileVault. When I run:
sudo sysadminctl -secureTokenStatus adminaccount
from Terminal, I get:
2018-03-09 10:44:40.716 sysadminctl[15494:73011] Failed to authenticate with SystemAdministration framework.
Oh, and forget about using the FileVault key redirection payload in a configuration profile too. It will explicitly deny you from enabling FV if that's installed.
Posted on 03-09-2018 08:10 AM
@danbaver Great! All new users are on High Sierra and I'm going to be rolling out a company-wide High Sierra upgrade soon; just running tests right now!
Posted on 03-09-2018 10:07 AM
@PhillyPhoto You have to run it this way:
sudo sysadminctl interactive -secureTokenStatus someUser
Which makes it tricky to script so it would otherwise run without user interaction.
Posted on 03-09-2018 11:53 AM
@danbaver I run it with the interactive flag:
sudo sysadminctl interactive -secureTokenStatus adminuser
And get the popup asking for credentials to "unlock the drive" and it shows the following in stdout:
2018-03-09 13:53:03.545 sysadminctl[58469:213513] ### Error:-14090 File:/BuildRoot/Library/Caches/com.apple.xbs/Sources/Admin/Admin-674/DSAuthenticator.m Line:94
2018-03-09 13:53:03.551 sysadminctl[58469:213513] Secure token is ENABLED for user adminuser
But I'm still not authorized to enable encryption after performing:
I get a pop-up saying "Authentication server failed to complete the requested operation."
In Terminal, manually running "sudo fdesetup enable" and entering the admin account name and password it says "Error: A problem occurred while trying to enable FileVault. (-69556)"
Posted on 03-22-2018 09:47 AM
Okay, I believe I have it working! Using this script:
https://github.com/ToplessBanana/tutorials/tree/master/HOW-TO-self-service-filevault-and-securetoken
There are a few tweaks to make for 10.13.3.
First, under the section:
# Uses AppleScript to prompt the currently logged in user for their account password.
You need to move the closing parenthesis below EOT, so...
return pwd
end if
end tell
EOT
)
Then in the enableSecureToken section, add the interactive flag:
enableSecureToken() {
    # "interactive" is required on 10.13.3; quoting the variables keeps passwords containing spaces or shell metacharacters intact
    sudo sysadminctl interactive -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
}
Make sure you follow all of his notes at the end. It didn't work for me at first, but then I started over and it works like a charm. Not sure what I did wrong the first time around.
Even though the interactive flag isn't needed for 10.13.2, it still works. It did not however work for 10.13, for what it's worth.
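An added example (not the thread's code or ToplessBanana's script) of the check-then-grant logic the tweaks above describe: it parses sysadminctl's status output, treats the "### Error:-14090" line as noise as the thread observed, and only runs the interactive secureTokenOn call when the token is actually missing. It assumes macOS 10.13.x; the embedded sample output is constructed from the lines quoted in the thread so the parser can be exercised on any machine.

```shell
#!/bin/bash
# Added example: Secure Token check-then-grant helper for macOS 10.13.x.
# Not the thread's or the linked tutorial's code.

# sysadminctl logs via NSLog, so its status line lands on stderr;
# capture both streams or the parser sees nothing.
secure_token_status() {
    sysadminctl -secureTokenStatus "$1" 2>&1
}

# Reduce raw sysadminctl output to ENABLED, DISABLED or UNKNOWN.
# "### Error:-14090" appears even when the token is enabled (see the
# thread), so decide only on the "Secure token is ..." line.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Grant a token to $3 using an admin ($1/$2) that already holds one.
# "interactive" is what the thread found necessary on 10.13.3. The
# passwords are visible in `ps` while this runs, so call it only from a
# root context that other local users cannot observe.
grant_secure_token() {
    sysadminctl interactive -adminUser "$1" -adminPassword "$2" \
        -secureTokenOn "$3" -password "$4" 2>&1
}

# Check first, grant only if DISABLED, then re-check and report the state.
ensure_secure_token() {
    local state
    state=$(parse_token_status "$(secure_token_status "$3")")
    if [ "$state" = DISABLED ]; then
        grant_secure_token "$1" "$2" "$3" "$4" >/dev/null
        state=$(parse_token_status "$(secure_token_status "$3")")
    fi
    echo "$state"
}

# Constructed sample of the 10.13.3 output quoted in the thread.
SAMPLE_OUTPUT='2018-03-09 13:53:03.545 sysadminctl[58469:213513] ### Error:-14090 File:DSAuthenticator.m Line:94
2018-03-09 13:53:03.551 sysadminctl[58469:213513] Secure token is ENABLED for user adminuser'

if command -v sysadminctl >/dev/null 2>&1 && [ $# -eq 4 ]; then
    ensure_secure_token "$@"        # adminUser adminPass target targetPass
else
    parse_token_status "$SAMPLE_OUTPUT"   # offline: parses the sample only
fi
```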
Posted on 03-23-2018 02:23 PM
There is a bug in 10.13.x that is supposedly fixed in 10.13.4 (probably out by end of month) that should fix this issue with Mobile (Active Directory) accounts. But, still really annoyed with Apple and Jamf that they've (I think, mostly Apple) made this so hard to do. Really with the leading Mac management platform, turning this stuff on should be pretty easy...but of course nothing is easy with Apple!
Posted on 03-26-2018 09:00 AM
I've been discussing with the Jamf engineer I've been working with if this is a "feature" or a "bug" in macOS. We're inclined to think it's a feature, judging by the direction Apple has been moving with security.
My POC is over, and I'm just waiting for my company's legal department to do their thing so a PO can get signed and I can really get to work on this. If 10.13.4 breaks what I figured out here, I'm going to be annoyed. :)