FileVault 2 and AD network users deployment process

jhalvorson
Valued Contributor

Looking for ideas for deploying FileVault 2 enabled devices with AD network users.

I have the following processes at the ready, but support would like it to be easier.

Config Center: 1) New Mac imaged with Casper Imaging, bound to Active Directory, with a local admin account and a "Temp" standard account created via a post-imaging script.
2) IT support logs into local admin, manually enables FileVault 2, manually enables Temp account for preboot login.
3) Waits for FV2 encryption to complete, runs Recon to record FV2 status in JSS.
4) Shuts down and device is sent to the end user.

User:
1) Required to call Help Desk for first time setup and only when connected via Ethernet to campus network.
2) User instructed to power on and login to the "Temp" account with password provided by Help Desk.
3) User told to log off, wait for red light to go away (network user availability)
4) Log in with User's Active Directory credentials.
5) Help Desk remotes to the user's computer. a-Sets the user's AD mobile account to be an "admin". (Requires the local admin account to complete, hence the reason to remote over.)
b-Enables the user's AD mobile account for FV2 pre-boot login within the Security & Privacy system pref. (User is prompted for their password.)
c-Deletes the "Temp" account.
6) Instructs user to restart the computer to help verify they can get past the FV2 pre boot and to their desktop.

Most of the time we don't know who the primary owner of the device is before sending it to their department, so we can't pre-populate local accounts or use scripts/policies that assume the first person to log in is the owner. In our environment, the primary user of the device is granted admin rights.

Any suggestions?

(Clients using Mac OS X 10.7.2, JSS is at v8.43)
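As an added example, not code from the original post or from Jamf, the following script shows how the Config Center steps 2-3 and the Help Desk step 5b look when scripted with Apple's fdesetup tool instead of clicking through the Security & Privacy pane: check that FileVault 2 is on, check whether an account is already able to unlock the disk at the pre-boot screen, and if not, add it. It assumes fdesetup is present, which means macOS 10.8 or later, not the 10.7.2 clients named above, and that it runs as root (for instance from a Casper policy). The account names, passwords and UUIDs in the sample data are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread). Scripted FileVault 2 enablement
# check for an AD mobile account, using fdesetup (macOS 10.8+ only).
# Assumed names: "localadmin" (already FV2-enabled), "temp", "jdoe".

# Parse the output of `fdesetup status`; succeed only if encryption is on.
fv_status_on() {
    case "$1" in
        *"FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse `fdesetup list` output (one "username,UUID" per line) and succeed
# if account $2 is among those able to unlock the disk at boot.
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# Build the plist that `fdesetup add -inputplist` reads on stdin: the
# credentials of an account that is already FV2-enabled ($1/$2) and the
# account to add with its own current password ($3/$4). FV2 needs the
# added user's password, which is why the original process has the user
# present for this step.
fv_add_user_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$1</string>
    <key>Password</key><string>$2</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key><string>$3</string>
            <key>Password</key><string>$4</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Driver for a real client: skip work that is already done, fail loudly
# when the preconditions are not met, otherwise enable the user.
# Exit codes: 0 ok/already enabled, 2 no fdesetup, 3 FileVault off.
fv_ensure_user() {
    admin="$1"; adminpw="$2"; user="$3"; userpw="$4"
    command -v fdesetup >/dev/null 2>&1 || {
        echo "fdesetup not found: requires macOS 10.8 or later" >&2; return 2; }
    fv_status_on "$(fdesetup status)" || {
        echo "FileVault is not on; enable it before adding users" >&2; return 3; }
    if fv_user_enabled "$(fdesetup list)" "$user"; then
        echo "$user is already enabled for FileVault 2 pre-boot login"
        return 0
    fi
    # Password never goes on the fdesetup command line; it travels via the
    # piped plist.
    fv_add_user_plist "$admin" "$adminpw" "$user" "$userpw" | fdesetup add -inputplist
}

# Demonstration on constructed data so the parsing part runs anywhere.
SAMPLE_STATUS="FileVault is On."
SAMPLE_LIST="localadmin,C4A6F7A6-7B27-4B4F-9E9C-4A2F9C0A1B2C
temp,1D3E5F70-2A4B-4C6D-8E9F-0A1B2C3D4E5F"
if fv_status_on "$SAMPLE_STATUS" && fv_user_enabled "$SAMPLE_LIST" temp; then
    echo "sample: FileVault on, 'temp' can unlock the disk at boot"
fi
if ! fv_user_enabled "$SAMPLE_LIST" jdoe; then
    echo "sample: 'jdoe' would need fv_ensure_user before the Temp account is deleted"
fi
```

Run `fv_ensure_user localadmin '<admin password>' jdoe '<jdoe password>'` on the client after the AD mobile account exists (the user's first login); the check via `fdesetup list` is also a reasonable thing to run before step 5c, so the Temp account is never removed while it is still the only account that can unlock the disk. Recording the result in the JSS is still a separate Recon run.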


krischelj
New Contributor

I have a question regarding this process...

When I enable FV, it disables the need to put in a user ID. It reverts to clicking the user name and then typing in a password. In your process, you noted "b-Enables user's AD mobile account for FV2 pre-boot login within the Security & Privacy system pref. (User is prompted for their password)". Does this allow for the user to need to type in their ID and password at login? I need to be able to get that functionality back.

Also, it changed when my login legal banner appears. It used to appear before the login window. After enabling FV, it appears after the user clicks on their name and types their password. Any way I can get that back to before they log in?

Thanks in advance.

jhalvorson
Valued Contributor

Enabling FV2 causes the behavior changes you mentioned. I refer to it as pre-boot since it's before the OS is loaded, but Apple refers to it as the disk unlock and access stage. There is no option to change that from List of Users (icons) to show as "Name and password." If you unencrypt the drive, of course then you can set that behavior because it's the OS that is displaying the login. And yes, it also affects the legal banner presentation to the user.

The best information I have found concerning FileVault 2 is from Rich Trouton and his postings on http://derflounder.wordpress.com/

Watch his keynote presentation available here:
http://derflounder.wordpress.com/2011/11/10/slides-from-the-filevault-2-session-at-jamfs-2011-nation...
The keynote includes movie demos, so you know what to expect with FV2.

When I asked our Apple-assigned Engineer for everything they had concerning FV2 use in the Enterprise, they pointed me to Rich's site, to www.afp548.com and to their Security document for Snow Leopard.

rtrouton
Release Candidate Programs Tester

Jason,

I think the process you've got outlined is pretty good at dealing with FileVault 2's current setup capabilities and avoids the help desk having to make a deskside visit. Hopefully, FileVault 2's user setup options improve in the future.

If you want to see all of my FileVault 2-related posts, you can use the following link:

http://derflounder.wordpress.com/category/filevault-2/

Thanks,
Rich

krischelj
New Contributor

Are there any suggested "best practice" 3rd party solutions for full disk encryption that are FIPS 140-2 compliant? From what I've read here, FV2 will not work for our environment. (Sorry to hijack this thread.)

rtrouton
Release Candidate Programs Tester

Jeff,

What are your requirements aside from FIPS 140-2? If you need to have username/password and login banner as mentioned above, that may rule out some encryption solutions.

Thanks,
Rich

krischelj
New Contributor

Hi Rich, I need to be able to type in a user name at login (AD credentials) and not show the user accounts on the machine. I also need to have the password up to date from AD. From what I can tell now, if a user changes their password from another machine, and FV2 is enabled, the password would be the old password. Also, I am unable to log into the machine as another user unless the account has been cached locally before. Basically, I need to replicate how our Windows 7 users authenticate and make the user experience as close as possible on the Macs. Network login before FV2 encryption did this very well. I'm thinking there has to be a 3rd party solution that will do a full disk encryption but leave how the user logs into the machine alone.

Kumarasinghe
Valued Contributor

I'm also looking for something similar to this for a corporate environment. Any tool or software to accomplish this?


Bhughes
Contributor

Looking for the same functionality in a corporate, network user environment. Is there a good filevault alternative?

OrdinaryGeek
New Contributor

I know this thread is old, but I need to do precisely this now. To borrow the words of krischelj above, who stated it perfectly: "I need to be able to type in a user name at login (AD credentials) and not show the user accounts on the machine. I also need to have the password up to date from AD." ... "Basically, I need to replicate how our Windows 7 users authenticate and make the user experience as close as possible on the Macs." Did anyone find a solution (third party or otherwise) to this?

brian_mccarthy1
New Contributor II

Bumping this. I'm in the same situation as OrdinaryGeek and krischelj. Need to use AD to authenticate and not cause issues with changing passwords, as well as not listing users at login.

Any solutions out there, third party or otherwise?

StoneMagnet
Contributor III

@brian_mccarthy When you're at the FV2 login screen, you're actually booted into the recovery partition on the machine with no network connectivity (at least on WiFi-only devices; not sure what state wired machines are in at this point). You're not going to be able to connect to an AD server to authenticate with current credentials for anyone who already has an account on the machine, nor will you be able to log in as any arbitrary AD user.