FileVault Mac OS Sonoma

Giannini
New Contributor II

New to this community so please be kind. I have noticed that if I enable FileVault I can no longer remote desktop onto that machine.

I use apple remote desktop to manage a lot of Macs, so is there a workaround?


sdagley
Esteemed Contributor II

In a word, no, you cannot remotely access a Mac with FileVault enabled. In basic terms until a user physically logs in to a Mac at the FileVault unlock screen macOS isn't fully running and you can't connect to it remotely.

AJPinto
Honored Contributor III

When a Mac with FileVault enabled reboots, the device comes to the FileVault unlock screen. This FileVault unlock screen has no network connectivity, and must be cleared locally. If you are familiar with Windows, think of it like remoting onto a device at the BitLocker screen (leaving things like Intel V out of the conversation, as Apple has no ILO functionality in anything aside from the Mac Pro).

 

You are able to bypass FileVault though. If you need to reboot a computer remotely, you can do so with the fdesetup authrestart command; this will skip the FileVault screen on the next reboot. The only thing this cannot bypass is OS updates.

sudo fdesetup authrestart -delayminutes -1
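An added example (not from this thread or from Apple) of the pre-flight checks an admin would wrap around the authrestart command above: it confirms FileVault is on and that the hardware supports authenticated restart, then feeds the FileVault user's credentials to fdesetup via the -inputplist stdin plist instead of on the command line. The parsers take the command output as arguments so they can be checked offline; FV_USER and FV_PASS are assumed to be set by the caller.

```shell
#!/bin/sh
# Added example; parsers take `fdesetup` output as arguments so they run offline.

# Returns "yes" if `fdesetup status` output says FileVault is on.
fv_is_on() {
  case "$1" in
    *"FileVault is On"*) echo yes ;;
    *) echo no ;;
  esac
}

# Returns "yes" if `fdesetup supportsauthrestart` printed "true";
# hardware that cannot hold the unlock key across a reboot prints "false".
supports_authrestart() {
  [ "$1" = "true" ] && echo yes || echo no
}

# Escapes the three XML-special characters so an odd password cannot break the plist.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Builds the stdin plist for `fdesetup authrestart -inputplist`, keeping the
# password out of argv and `ps` output. Username and password are caller-supplied.
authrestart_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
  printf '<key>Username</key><string>%s</string>\n' "$(xml_escape "$1")"
  printf '<key>Password</key><string>%s</string>\n' "$(xml_escape "$2")"
  printf '</dict></plist>\n'
}

# Only touch the real tool on a Mac; elsewhere the functions above still work on constructed output.
if command -v fdesetup >/dev/null 2>&1; then
  [ "$(fv_is_on "$(fdesetup status)")" = yes ] || { echo "FileVault is off" >&2; exit 1; }
  [ "$(supports_authrestart "$(fdesetup supportsauthrestart)")" = yes ] \
    || { echo "authenticated restart not supported" >&2; exit 1; }
  # FV_USER / FV_PASS are assumed to be exported by the caller (e.g. an MDM policy).
  authrestart_plist "$FV_USER" "$FV_PASS" | sudo fdesetup authrestart -delayminutes -1 -inputplist
fi
```

As the later reply in this thread notes, the armed restart is one-shot: a user-initiated reboot still lands on the FileVault screen.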
 

 

Giannini
New Contributor II

Brilliant, thank you. I now need to work out how to distribute FV across my Jamf inventory without giving local users a Secure Token.

AJPinto
Honored Contributor III

It's not possible. Only a user with a Secure Token can enable FileVault, and only a user with a Secure Token can log in to FileVault. You could log in with the local admin account on the devices to manually enable FileVault, but users could not log in to FileVault when the device rebooted.

 

*Intel Macs don't use Secure Tokens, but they are mostly aged out by this point.

sdagley
Esteemed Contributor II

As @AJPinto noted, that's not going to work because you must have at least one user account with a Secure Token on an Apple Silicon Mac.

I'll also point out that using fdesetup authrestart to force a restart that will log back in using the provided credentials of a FileVault user is of very limited use because it is not a persistent setting. If a user restarts the Mac themselves instead of you sending the authrestart, then the Mac will boot into the FileVault lock screen and you'll have no access.