Posted on 03-06-2014 11:27 AM
Has anyone had to address a requirement that the username and password used to unlock a FileVault 2 protected drive be different from the AD credentials used at the login window? Preferably, a username and password would be required rather than the icon(s) with the username already listed.
Posted on 03-06-2014 11:31 AM
You should be able to address this on Mavericks by disabling automatic login. Apple has a KBase article describing how to do this:
Posted on 03-06-2014 11:31 AM
Posted on 03-06-2014 12:21 PM
Hi, thanks for the responses.
The issue is that FV2 gives the screen with the user list. Turning off SSO will bring you to the normal OS X sign-in instead of signing directly in, since FV2 uses cached credentials. The customer is looking for something like PGP. This is a separate password to even post the system.
Thanks,
James
Posted on 03-06-2014 12:31 PM
What you're requesting is something we've also requested from Apple a couple of years ago, and with each version of OS X over the last few years, the request is still being "reviewed". I'm equally irked by the fact that we can't display a Username & Password field for the FV2 screen instead of user icons. It's just baffling that something designed for security essentially reveals a list of usernames that can unlock the encrypted Mac right at the pre-boot screen - half the secret to getting in. How Apple actually sees that as "secure" is beyond me.
Unfortunately, if you use FileVault 2, there isn't an easy way around this. You could try setting up FileVault with an LDAP account that is actually disabled on the server side for login, so it would end up hitting the non-FV2 login screen (username & password) just as it would if the FV2 password is out of sync with the AD account, but I'm not sure that would actually work.
Posted on 03-06-2014 01:18 PM
Rich gave you the answer, at least the key bit:
You'll boot and be presented with only whatever username you give this account from step 2, and a password field. The user will type the password, and then be taken to the typical OS login window (where you have the option to require they enter both a username and password; up to you).
This is our proposed solution for shared Macs. If you want to get cute, you can make it so that if anybody logs into this FileVault unlocking account, they're immediately logged back out to discourage them from using it for anything other than POA.
Posted on 03-06-2014 02:19 PM
We will run this by the customer and see if that will appease their security team :)
Thanks everyone!
Posted on 03-06-2014 02:50 PM
@rtrouton.. haha same time.. knew you'd be on it!
Posted on 03-07-2014 11:19 AM
@JPDyson, the last part of your response, "you can make it so that if anybody logs into this FileVault unlocking account, they're immediately logged back out": do you already know of or have a script for that? Or do you do that via another method? One issue is the customer does not allow configuration profiles, as they won't open up the network to the APN range.
Posted on 03-07-2014 11:27 AM
@jbainter Haven't put it together yet; one idea I had was a simple launch agent that performs a logout.
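A sketch of the "launch agent that performs a logout" idea from the last post, added here as example code (nothing in the thread itself). It assumes a dedicated FV2 unlock account with the placeholder short name fvunlock and the placeholder label com.example.fvunlock-logout, and is run as root; the agent is installed system-wide rather than in the unlock account's own home so that account cannot simply delete it.

```shell
#!/bin/sh
# Added example (not from the thread). Installs a root-owned LaunchAgent under
# /Library/LaunchAgents that logs the dedicated FileVault 2 unlock account
# straight back out of any GUI session, leaving every other account's login
# untouched. Placeholders: account "fvunlock", label "com.example.fvunlock-logout".
FV_ACCOUNT="${FV_ACCOUNT:-fvunlock}"
AGENT_LABEL="${AGENT_LABEL:-com.example.fvunlock-logout}"

# Helper the agent runs at login: it acts only for the unlock account.
# The «event aevtrlgo» form asks loginwindow to log out without a prompt.
fv_logout_script() {
  cat <<EOF
#!/bin/sh
[ "\$(id -un)" = "$1" ] || exit 0
exec /usr/bin/osascript -e 'tell application "loginwindow" to «event aevtrlgo»'
EOF
}

# LaunchAgent plist: RunAtLoad fires as soon as the user's Aqua session starts.
fv_logout_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$1</string>
  <key>ProgramArguments</key>
  <array><string>$2</string></array>
  <key>RunAtLoad</key><true/>
  <key>LimitLoadToSessionType</key><string>Aqua</string>
</dict>
</plist>
EOF
}

# Write both files under a root prefix ("" on a real Mac); prints the plist path.
install_fv_logout_agent() {
  prefix="$1" account="$2" label="$3"
  script="$prefix/usr/local/bin/fv-unlock-logout.sh"
  plist="$prefix/Library/LaunchAgents/$label.plist"
  mkdir -p "$(dirname "$script")" "$(dirname "$plist")"
  fv_logout_script "$account" > "$script" && chmod 755 "$script"
  fv_logout_plist "$label" "${script#$prefix}" > "$plist" && chmod 644 "$plist"
  printf '%s\n' "$plist"
}

# Real installation only when invoked with --install (keeps dry runs harmless).
if [ "${1:-}" = "--install" ]; then
  install_fv_logout_agent "" "$FV_ACCOUNT" "$AGENT_LABEL"
fi
```

The agent takes effect at the unlock account's next GUI login (or after `launchctl load` of the plist in that session); any other user logging in gets a normal session because the helper exits before issuing the logout.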