Jamf Nation Community

Taylor_Armstron · ‎12-21-2015

Bit of an odd requirement, but due to a smart-card log on requirement, we normally set up a service account to allow login at the FV2 screen, and then users log in at the regular screen using their smart-cards.

I'm attempting to set this up as a policy in the JSS, have our encryption config set up, have (for testing) a policy scoped to a couple of test systems, with the following options:

Disk encryption set to take "Apply Disk Encryption Configuration" as the action, and with our config selected as the configuration. So far, so good.

Next, I have Local Accounts set to create a local "FV Boot" service account, with "Enable user for FileVault 2" selected.

The issue seems to be the sequence. In the logs, it creates the FV Boot user, then gives an error adding them to FV2, as FileVault is off. It then goes on to add the JSS Management account (otherwise a hidden account) to FV, sets everything, etc. Upon reboot, the only active account is the management account, which users never have seen before.

Thoughts? I basically need to create the account, then enable FV, and THEN use fdesetup to add the user, but unsure of the best approach to making sure all things happen as part of the same policy.

mm2270 · ‎12-21-2015

I may be wrong here, since we don't use such a setup, but I believe in order to use the "Enable user for FileVault 2" option, the Casper management account must be enabled for FileVault as well, or I should say "first", which may be why its enabling the Casper service account as part of the steps, but then fails to add the local user account, since the management account must be enabled first.
If this is the case, you may need to script a process here instead of relying on some of the built in configuration options. The fdesetup command does allow you to enable FileVault and add a user at the same time. In fact, its a requirement. Its quite impossible to enable FileVault without also enabling a user for FileVault at the same time, since not doing so would effectively lock you out of the Mac.
If you use a Config Profile for Recovery key redirection to the JSS, you should be able to script a process that would create the local account, enable FileVault for that account and have the key escrowed into the JSS all at the same time. I just don't know if it would be possible using some of the GUI options in the JSS.

Taylor_Armstron · ‎12-22-2015

Thanks - yes, I know I could script it, and will probably go that route, it just "seemed" like the kind of thing that could be done through a policy fairly easily. Still wrapping my head around some of Casper's methodology... one of those things where I know that it CAN do just about anything I need, it just may not do in in the WAY I expect.

Given the way that Apple presents the users at the FV2 boot screen, I guess there's no way to "truly" hide the management account. I'd rather hide that from my users entirely, but I think this is a case where Apple's approach limits what JAMF can do.

merps · ‎12-22-2015

You shouldn't have to enable the management account to use FV2. We primarily have single user laptops and only the regular user is listed with FileVault. The accounts on the machine that aren't registered FV2 users are the hidden JSS management account and a local admin used by the support staff.

This is accomplished with a policy scoped to the machine containing a Disk Encryption payload.

The action is "Apply Disk Encryption Configuration", Encryption Config is "Enable FileVault for User Acct.", Require FileVault 2 is "At next login."

The Disk Encryption Config used in the policy is configured like this: (Settings -> Computer Management) is "Individual" and "Current or Next User"

We manually scope this each time a machine is provisioned, just after we create the user account (also manual). At this point, we reboot the machine and the user is prompted to activate FV2 during the login. They click OK and the encryption is configured with only the user available at the FV2 window.

I haven't tried to automate this or provide zero touch yet - we're waiting on DEP - but there's a chance this workflow can be updated to work with your constraints. Currently working as described with Yosemite.

Taylor_Armstron · ‎01-13-2016

Thanks @merps .

Unfortunately, due to the way we've implemented our smart-card solution, this is more or less a requirement for us. I need to be able to create a policy to enable FV2 (that's the easy part) but also to create a non-admin, non-management account which is then enabled for FV. Users need to use that account to get past the FV stage, and then insert their smart cards and login once reaching the regular login screen. (we're using "defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool -YES" to disable the FV auto-login sequence and have the laptops prompt for login once past the FV boot screen).

For any environment using smart cards or PIV authentication for login, with a requirement to use them (aka we can't fall back on our passwords) there needs to be a better way to enable other accounts - I'll see if I can figure out a better way to describe it and file a feature request. I can write a policy to create a local account easily enough, and under "Local Accounts" I can disable a given user for FV2, but I can't ENABLE one. Frustrating to say the least. I may play around with fdsetup to see if I can script it after the fact, but it would be awfully nice if I could just enable as easily as I can disable from the drop-down.

Enable FV2 while simultaneously creating a new user enabled for FV?