FileVault 2 and no SSO

jbainter
New Contributor II

Has anyone had to address a requirement that a username and password used to unlock a FileVault2 protected drive be different than the AD credentials at login window? Preferably a username and password is required rather than the icon(s) with username listed already.

9 replies

rtrouton
Release Candidate Programs Tester

You should be able to address this on Mavericks by disabling automatic login. Apple has a KBase article describing how to do this:

http://support.apple.com/kb/HT5989

bentoms
Release Candidate Programs Tester

@jbainter, I guess you could set the unlocking user account to logout once logged in.

Then you'll get the login window again.

BUT, I'm sure @rtrouton has seen this or has posted about it.

jbainter
New Contributor II

Hi, thanks for the responses.

The issue is that FV2 gives the screen with the user list. Turning off SSO will bring you to the normal OS X sign-in instead of signing directly in, since FV2 uses cached credentials. The customer is looking for something like PGP. This is a separate password to even POST the system.

Thanks,
James

mm2270
Legendary Contributor III

What you're requesting is something we've also requested from Apple a couple of years ago, and with each version of OS X over the last few years, the request is still being "reviewed". I'm equally irked by the fact that we can't display a Username & Password field for the FV2 screen instead of user icons. It's just baffling that something designed for security essentially reveals a list of usernames that can unlock the encrypted Mac right at the pre-boot screen - half the secret to getting in. How Apple actually sees that as "secure" is beyond me.

Unfortunately, if you use FileVault 2, there isn't an easy way around this. You could try setting up FileVault with an LDAP account that is actually disabled on the server side for login, so it would end up hitting the non-FV2 login screen (username & password) just as it would if the FV2 password is out of sync with the AD account, but I'm not sure that would actually work.

JPDyson
Valued Contributor

Rich gave you the answer, at least the key bit:

  1. Disable auto-login (reference the link he posted)
  2. Create a separate local account JUST for unlocking the system and enable for FileVault
  3. Do not enable any other accounts for FileVault

You'll boot and be presented with only whatever username you give this account from step 2, and a password field. The user will type the password, and then be taken to the typical OS login window (where you have the option to require they enter both a username and password; up to you).

This is our proposed solution for shared Macs. If you want to get cute, you can make it so that if anybody logs into this FileVault unlocking account, they're immediately logged back out to discourage them from using it for anything other than POA.
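
The three steps above as a script, added here as an example and not something posted in the thread. It assumes FileVault 2 is already on with at least one enabled admin, that the dedicated unlock account has already been created as a plain local user, and uses the names "localadmin" and "fvunlock" as placeholders. Step 1 uses the DisableFDEAutoLogin key from the Apple article Rich linked, plus SHOWFULLNAME so the login window asks for a typed name and password instead of showing icons; steps 2 and 3 use fdesetup's -inputplist form to add the unlock account and then strip every other enabled user. The plist and list-parsing functions are pure text so they can be checked without a Mac; only the apply branch touches the system.

```shell
#!/bin/bash
# Added example (not from the thread): one dedicated FileVault 2 unlock
# account and no auto-login after unlock, per the three steps above.
# "localadmin" (an already FV-enabled admin) and "fvunlock" (the unlock
# account) are assumed names; replace them with the site's own.
set -eu

LOGINWINDOW_PLIST=/Library/Preferences/com.apple.loginwindow

# Build the XML plist that `fdesetup add -inputplist` reads on stdin.
# $1 = an already FileVault-enabled user, $2 = that user's password,
# $3 = the unlock account to add, $4 = the unlock account's password.
fv_add_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$1</string>
    <key>Password</key><string>$2</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key><string>$3</string>
            <key>Password</key><string>$4</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Read `fdesetup list` output ("user,UUID" per line) on stdin and print
# every enabled user except the one to keep ($1), one per line.
fv_users_to_remove() {
  awk -F, -v keep="$1" 'NF >= 2 && $1 != keep { print $1 }'
}

# Apply the configuration on the Mac itself. Must run as root.
fv_lockdown() {
  local admin=$1 admin_pw=$2 unlock=$3 unlock_pw=$4

  # Step 1: do not log the unlocking account straight in after the
  # pre-boot unlock (Apple HT5989), and make loginwindow ask for a
  # typed name and password rather than showing a user list.
  defaults write "$LOGINWINDOW_PLIST" DisableFDEAutoLogin -bool YES
  defaults write "$LOGINWINDOW_PLIST" SHOWFULLNAME -bool YES

  # Step 2: enable the dedicated unlock account for FileVault, using an
  # already-enabled admin's credentials to authorise the change.
  fv_add_plist "$admin" "$admin_pw" "$unlock" "$unlock_pw" \
    | fdesetup add -inputplist

  # Step 3: remove every other enabled user so only the unlock account
  # appears at the pre-boot screen. The recovery key still unlocks the
  # disk, so confirm it is escrowed before running this.
  fdesetup list | fv_users_to_remove "$unlock" | while read -r u; do
    fdesetup remove -user "$u"
  done
}

# Only touch the system when explicitly asked, e.g.
#   sudo ./fv-lockdown.sh apply localadmin 'adminpw' fvunlock 'unlockpw'
if [ "${1:-}" = apply ]; then
  fv_lockdown "$2" "$3" "$4" "$5"
fi
```

Passwords on the command line show up in the process list and shell history; for real use, feed the plist from a file with 0600 permissions instead of positional arguments. Re-check `fdesetup list` after any user is added to the Mac, since a user who later logs in with a password may be prompted to enable themselves for FileVault and would then reappear on the pre-boot screen.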

jbainter
New Contributor II

We will run this by the customer and see if that will appease their security team :)
Thanks everyone !

bentoms
Release Candidate Programs Tester

@rtrouton.. haha same time.. knew you'd be on it!

jbainter
New Contributor II

@JPDyson the last part of your response, "you can make it so that if anybody logs into this FileVault unlocking account, they're immediately logged back out", do you already know of or have a script for that? Or do you do that via another method? One issue is the customer does not allow for configuration profiles as they won't open up the network to the APN range..

JPDyson
Valued Contributor

@jbainter Haven't put it together yet; one idea I had was a simple launch agent that performs a logout.
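
One way to build the launch agent JPDyson describes, added here as an example rather than his or anyone else's posted script. It installs a system-wide LaunchAgent (so the unlock account cannot simply delete it from its own home folder) that checks the name of the user whose session just started and, if it is the unlock account, asks loginwindow to log out immediately. The account name "fvunlock" and the label "com.example.fvlogout" are assumptions; the logout itself is sent with osascript and needs no configuration profile, which fits the no-APNs constraint mentioned above.

```shell
#!/bin/bash
# Added example, not a script from the thread: a LaunchAgent that logs the
# FileVault unlock account straight back out whenever it reaches the
# desktop. "fvunlock" and "com.example.fvlogout" are assumed names.
set -eu

AGENT_LABEL=com.example.fvlogout

# Path of a system-wide LaunchAgent; launchd loads these for every user at
# login, so the agent itself must decide whether to act.
fv_logout_agent_path() {
  printf '/Library/LaunchAgents/%s.plist' "$AGENT_LABEL"
}

# Emit the LaunchAgent plist for the unlock account named in $1.
# RunAtLoad starts the job as soon as the user's session comes up; the
# shell one-liner only fires the logout when the session belongs to $1.
# The «event aevtrlgo» form asks loginwindow to log out without the
# confirmation dialog that "tell application \"System Events\" to log out"
# would show (and that the user could cancel).
fv_logout_agent_plist() {
  local user=$1
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$AGENT_LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>[ "\$(id -un)" = "$user" ] &amp;&amp; /usr/bin/osascript -e 'tell application "loginwindow" to «event aevtrlgo»'</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Write the plist with root ownership and 644 permissions, which launchd
# requires before it will load a LaunchAgent. Must run as root; the agent
# takes effect at the next login of any user.
fv_install_logout_agent() {
  local user=$1 path
  path=$(fv_logout_agent_path)
  fv_logout_agent_plist "$user" > "$path"
  chown root:wheel "$path"
  chmod 644 "$path"
}

# Only install when explicitly asked, e.g.
#   sudo ./fv-logout-agent.sh install fvunlock
if [ "${1:-}" = install ]; then
  fv_install_logout_agent "$2"
fi
```

Because the check is on the logged-in user's name rather than on the plist's location, the unlock account cannot opt out of it, and every other account is untouched. Test it first on one Mac: if the account name in the plist does not match exactly, the agent does nothing, and if the pre-boot unlock still auto-logs in (DisableFDEAutoLogin not set), the logout fires right after unlock and the user lands back at the login window, which is the intended behaviour.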