FileVault 2, Authenticated Restarts and Management Accounts

tnielsen
Valued Contributor

I've decided, since 10.12.3, that it's time to upgrade my environment.

Part of this would mean allowing users to self-service install 10.12.3.

I've run into the problem of FileVault 2 Performance Authenticated Restart not working because my management account is not a user allowed to unlock the drive.

I have a casper management account on every computer (non-FV2 enabled)
I have a local admin account on every computer (FV2 enabled)

So it got me wondering, what if the local admin account that is FV2 enabled becomes my management account also?

This would solve the problem of my authenticate reboots failing. Does anyone see any problems with my logic?

5 REPLIES

alexjdale
Valued Contributor III

I strongly believe that your Casper management account should be separate from any other account, with a password that is randomly rotated regularly. Best practice from a security standpoint.

That said, I thought authenticated restarts simply required the JSS to have a valid recovery key escrowed and didn't have an account requirement. The fdesetup authrestart command can take a recovery key or password.

Edit: Yep, just tested it, I was able to do an auth restart through JSS policy without the management account being FV-enabled.

tnielsen
Valued Contributor

Hmm, if that's the case then I need to figure out why authenticated restarts aren't working.

alexjdale
Valued Contributor III

I've read somewhere that auth restarts might not work if there is no user logged in. Might be worth checking that out.
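Two points in the replies above are worth pinning down in code: `fdesetup authrestart` accepts either an FV2-enabled user's password or a personal recovery key (so no management account is needed), and the credential should reach `fdesetup` on stdin via `-inputplist` rather than on the command line, where it would show up in `ps` output and shell history. The script below is an added example written for this thread, not code from the original posts or from Jamf. It assumes the `fdesetup` behaviour documented in its man page: `isactive` and `supportsauthrestart` print `true`/`false`, `-inputplist` reads a property list with `Username` and `Password` keys from stdin, `Password` alone is treated as a recovery key, and `-verify` checks the credential without actually restarting. The console-user check (owner of `/dev/console`) is there because of the "no user logged in" remark above; treating it as a hard failure is this example's choice. The `run` parameter exists only so the logic can be exercised with a fake `subprocess.run`; on a real Mac it must run as root.

```python
"""Authenticated restart through fdesetup with the secret passed on stdin.

Added example for the discussion above; assumes the fdesetup behaviour
described in its man page (isactive / supportsauthrestart print true or
false, -inputplist reads Username/Password from stdin, Password alone is a
personal recovery key, -verify checks without restarting). Must run as root.
"""
import plistlib
import subprocess
from typing import Callable, List, Optional

FDESETUP = "/usr/bin/fdesetup"
STAT = "/usr/bin/stat"


def build_authrestart_plist(secret: str, username: Optional[str] = None) -> bytes:
    """Property list that `fdesetup authrestart -inputplist` reads from stdin.

    With a Username key, Password is that (FV2-enabled) user's login password.
    With Password alone, fdesetup treats it as a personal recovery key, which
    is the case where no account has to be FileVault-enabled at all.
    """
    payload = {"Password": secret}
    if username:
        payload["Username"] = username
    return plistlib.dumps(payload)


def _fdesetup_says_true(subcommand: str, run: Callable) -> bool:
    # Both `isactive` and `supportsauthrestart` print "true" or "false".
    r = run([FDESETUP, subcommand], capture_output=True, text=True, timeout=30)
    return r.stdout.strip().lower() == "true"


def console_user(run: Callable) -> Optional[str]:
    # On macOS the owner of /dev/console is the GUI user; root means nobody.
    r = run([STAT, "-f", "%Su", "/dev/console"], capture_output=True, text=True, timeout=10)
    name = r.stdout.strip()
    return None if r.returncode != 0 or name in ("", "root") else name


def check_preconditions(run: Callable = subprocess.run, require_console_user: bool = True) -> List[str]:
    """Return a list of reasons an authenticated restart would fail (empty = OK)."""
    problems = []
    if not _fdesetup_says_true("isactive", run):
        problems.append("FileVault is not on for the boot volume")
    if not _fdesetup_says_true("supportsauthrestart", run):
        problems.append("this Mac or OS does not support authenticated restart")
    if require_console_user and console_user(run) is None:
        # Assumption from the thread: authrestart may not work with nobody logged in.
        problems.append("no user is logged in at the console")
    return problems


def authrestart(secret: str, username: Optional[str] = None, verify_only: bool = False,
                run: Callable = subprocess.run) -> List[str]:
    """Run fdesetup authrestart (or just -verify the credential); returns argv used.

    The secret never appears in argv: it travels to fdesetup on stdin as a plist.
    """
    problems = check_preconditions(run)
    if problems:
        raise RuntimeError("; ".join(problems))
    cmd = [FDESETUP, "authrestart", "-inputplist"]
    if verify_only:
        cmd.append("-verify")
    r = run(cmd, input=build_authrestart_plist(secret, username), capture_output=True, timeout=60)
    if r.returncode != 0:
        raise RuntimeError(f"fdesetup authrestart failed ({r.returncode}): {r.stderr!r}")
    return cmd


if __name__ == "__main__":
    import getpass
    # Recovery key only (no username): the case that needs no FV2-enabled account.
    # Use verify_only=True first so a bad key does not leave you with a plain restart.
    print(authrestart(getpass.getpass("Recovery key: "), verify_only=True))
```

Run it once with `verify_only=True` from a root shell; if that passes, the same call without it performs the restart. If `check_preconditions` reports that FileVault is not active or the hardware does not support authenticated restart, no credential will help, and the Jamf policy option will fail for the same reason.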

iJake
Valued Contributor

As @alexjdale said you only need a valid FV2 key for an authrestart. We have no management account in our environment.

tnielsen
Valued Contributor

We don't have the JSS storing the keys. This could be my problem.