Enabling FileVault 2 for an admin user

JureJerebic
Contributor

Hi everyone,

I've set up a test PreStage Enrollment, where a local admin account is created. In addition to that account, the local user account that gets created during the Setup Assistant, is a standard account (we don't allow our users to be admins). Our FileVault 2 configuration profile is set to be enabled at login, which works fine for the standard user. The first time this user logs out and logs back in, the FV2 is enabled. However, that leaves the admin user, which is still not FV2 enabled. How can we remotely enable FV2 for this user, without the end user having access to the admin user's credentials and logging into that account, just to enable FV2?

Thanks!


Tribruin
Valued Contributor II

There really is no easy way to do this. You could prompt the user for THEIR password in a script and then use the:

sysadminctl -secureTokenOn

command to enable a Secure Token. But that would require passing the admin's password in your script (or as arguments in Jamf). That is a very bad idea. 

FWIW, we don't worry about SecureToken for the admin. If a user forgets his password (the reason you most likely need to have the admin login after a reboot), we just use the PRK to unlock drive and reset the user password. 
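As an added example (not from anyone in this thread): a script in the spirit of a Jamf extension attribute that reports whether a given local admin account is listed as FileVault-enabled and holds a Secure Token, so the Macs where the admin is still not enabled can be inventoried without any script ever handling the admin password. The account name `localadmin` is an assumption; on macOS both commands need root, and on other systems only the parsing functions run.

```shell
#!/bin/bash
# Report FileVault / Secure Token state of one local account (constructed example).
# ADMIN_ACCOUNT is an assumed account name; pass the real one as the first argument.
ADMIN_ACCOUNT="${1:-localadmin}"

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user.
# Returns 0 when $2 (account) appears in $1 (that output), 1 otherwise.
fv2_has_user() {
  local listing="$1" account="$2"
  printf '%s\n' "$listing" | cut -d, -f1 | grep -qxF -- "$account"
}

# `sysadminctl -secureTokenStatus <user>` logs "Secure token is ENABLED for user <user>"
# (or DISABLED) on stderr; reduce that line to ENABLED / DISABLED / UNKNOWN.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Live collection only when the macOS tools exist, so the parsing above is testable anywhere.
report() {
  local account="$1" listing status fv
  if command -v fdesetup >/dev/null 2>&1 && command -v sysadminctl >/dev/null 2>&1; then
    listing="$(fdesetup list 2>/dev/null)"
    status="$(token_state "$(sysadminctl -secureTokenStatus "$account" 2>&1)")"
    if fv2_has_user "$listing" "$account"; then fv="yes"; else fv="no"; fi
    echo "<result>FileVault:$fv SecureToken:$status</result>"
  else
    echo "<result>not macOS</result>"
  fi
}

report "$ADMIN_ACCOUNT"
```

A "FileVault:no SecureToken:DISABLED" result is the case this thread is about: the account cannot be enabled remotely, so it is worth knowing on which machines that applies before deciding whether the admin needs a token at all.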

What is PRK and how do we use it?

gachowski
Valued Contributor II

@JureJerebic 

I wouldn't recommend creating the 1st user as admin like that.. There is a Big Sur bug that Apple won't fix that will cause the Setup Assistant to crash, which was supposedly fixed in Monterey (I don't believe that it is) ... and with the move to Apple silicon the idea of users not being admins is way more complicated than it's ever been ... read this, the section about Volume ownership.

https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web

With Apple thinking like this it's easy to see that if we do user management on the device we could be making a good decision now for Monterey; however, it could break when the next major upgrade is released, and there is no solution to fix/change the user config ahead of time.


Sorry that I am making it worse.. but I would guess that in a few years everyone is going to have to be admin....

C

JureJerebic
Contributor

After reaching out to Jamf support, they gave me this link, which also helps a lot and comes to the same conclusions as you guys:

https://travellingtechguy.blog/additional-admin-with-securetoken-or-not/

janzaldua
Contributor

I'm also curious to know how to enable FileVault 2 for the local admin account, without any user intervention. The main reason we need the 'admin' account to be FileVault 2 enabled is due to CyberArk's installation. When using the commands -u & -p, it requires the 'admin' account to have a Secure Token (within FV2).

Tribruin
Valued Contributor II

Cannot be done, as mentioned above. Either the admin user needs to log in using their account (assuming a bootstrap token is escrowed) or a user with a Secure Token enables a ST for another user (which needs the user's password.)

What are you running in to with CyberArk? We are in the process of rolling it out and haven't needed to worry about having a separate admin account. But, we haven't done more than install it with a basic policy. I am curious what you are trying to do.

Hi thanks for the reply! According to CyberArk, the -adminUser & -adminPassword are required when creating the PKG. If they aren't included, devices will not get added in the vault and the password will not rotate. Is this not true?

Within CyberArk's Documentation, if you use -adminUser, a Secure Token (FileVault) is required.


This comes from their documentation here: https://docs.cyberark.com/Product-Doc/OnlineHelp/EPM/Latest/en/Content/Installation/macOS-InstallAge...

And in order to enable that FileVault Secure Token for the local admin user account, it requires manual intervention from each user. And that isn't an option considering we have 800+ MacBooks to configure.

This used to be possible in Jamf...


But ever since we upgraded way past 10.13, we are unable to use this Jamf method.

Tribruin
Valued Contributor II

Is that to handle password rotation? I didn't build the installer for CyberArk for our environment, so I am not that familiar with the need for an admin username / password. I will have to ask my associate. 

Yes, I believe it is to handle the credential rotation, as well as check-in to the CyberArk Vault.


I also just noticed there's an environment parameter option. Where would I put that within Jamf? This may be the solution to my issue.