Posted on 07-31-2024 04:31 AM
New to this community so please be kind. I have noticed that if I enable FileVault I can no longer remote desktop onto that machine.
I use apple remote desktop to manage a lot of Macs, so is there a workaround?
Posted on 07-31-2024 04:48 AM
In a word, no, you cannot remotely access a Mac with FileVault enabled. In basic terms, until a user physically logs in to a Mac at the FileVault unlock screen, macOS isn't fully running and you can't connect to it remotely.
Posted on 07-31-2024 04:54 AM
When a Mac with FileVault enabled reboots, the device comes to the FileVault unlock screen. This FileVault unlock screen has no network connectivity and must be cleared locally. If you are familiar with Windows, think of it like remoting onto a device at the BitLocker screen (leaving things like Intel V out of the conversation, as Apple has no ILO functionality in anything aside from the Mac Pro).
You are able to bypass FileVault, though. If you need to reboot a computer remotely, you can do so with the fdesetup authrestart command; this will skip the FileVault screen on the next reboot. The only thing this cannot bypass is OS updates.
sudo fdesetup authrestart -delayminutes -1
Posted on 07-31-2024 06:26 AM
Brilliant, thank you. I now need to work out how to distribute FV across my Jamf inventory without giving local users a Secure Token.
Posted on 07-31-2024 07:42 AM
It's not possible. Only a user with a Secure Token can enable FileVault, and only a user with a Secure Token can log in to FileVault. You could log in with the local admin account on the devices to manually enable FileVault, but users could not log in to FileVault when the device rebooted.
*Intel Macs don't use Secure Tokens, but they are mostly aged out by this point.
Posted on 07-31-2024 08:05 AM - edited 07-31-2024 08:05 AM
As @AJPinto noted, that's not going to work because you must have at least one user account with a Secure Token on an Apple Silicon Mac.
I'll also point out that using fdesetup authrestart to force a restart that will log back in using the provided credentials of a FileVault user is of very limited use because it is not a persistent setting. If a user restarts the Mac themselves instead of you sending the authrestart, then the Mac will boot into the FileVault lock screen and you'll have no access.
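An added example, not code from any of the posters above, showing how an admin might wrap the fdesetup authrestart step from the 04:54 AM reply while respecting the caveat in the last reply (it is a one-shot, not a persistent setting). It assumes macOS with fdesetup on PATH, that it runs as root (sudo or a management agent such as Jamf), and that the FileVault user's credentials arrive in the hypothetical FV_USER and FV_PASSWORD environment variables so the password is passed to fdesetup via -inputplist on stdin rather than on the command line where ps or shell history would expose it.

```bash
#!/bin/bash
# Added example: preflight checks plus a one-shot authenticated restart.
# Assumes macOS, root privileges, and FV_USER / FV_PASSWORD (hypothetical
# names) supplied by the management tool that runs this script.
set -u

# Return 0 only when this Mac can honour an authenticated restart:
# FileVault must be on, and the hardware must support authrestart
# (fdesetup prints "true" or "false" for both queries).
preflight_authrestart() {
  if [ "$(fdesetup isactive 2>/dev/null)" != "true" ]; then
    echo "FileVault is not enabled; nothing to bypass" >&2
    return 1
  fi
  if [ "$(fdesetup supportsauthrestart 2>/dev/null)" != "true" ]; then
    echo "This Mac does not support fdesetup authrestart" >&2
    return 2
  fi
  return 0
}

# Build the plist that fdesetup -inputplist reads from stdin.
# Assumes username/password contain no characters needing XML escaping.
authrestart_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Username</key><string>$1</string>
  <key>Password</key><string>$2</string>
</dict></plist>
EOF
}

# -delayminutes -1 defers the restart until the next reboot request.
# This covers exactly one reboot: a user-initiated restart or an OS
# update still lands on the FileVault unlock screen, as the thread notes.
remote_authrestart() {
  preflight_authrestart || return $?
  authrestart_plist "$1" "$2" | fdesetup authrestart -delayminutes -1 -inputplist
}

# Only act when executed on macOS with the required inputs present.
if [ "$(uname -s)" = "Darwin" ] && [ -n "${FV_USER:-}" ] && [ -n "${FV_PASSWORD:-}" ]; then
  remote_authrestart "$FV_USER" "$FV_PASSWORD"
fi
```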