Posted on 03-03-2017 09:43 AM
I've decided, since 10.12.3 that it's time to upgrade my environment.
Part of this would mean allowing users to self-service install 10.12.3.
I've run into the problem of Filevault 2 Performance Authenticated Restart not working because my management account is not a user allowed to unlock the drive.
I have a casper management account on every computer (non-FV2 enabled)
I have a local admin account on every computer (FV2 enabled)
So it got me wondering, what if the local admin account that is FV2 enabled becomes my management account also?
This would solve the problem of my authenticate reboots failing. Does anyone see any problems with my logic?
Posted on 03-03-2017 10:30 AM
I strongly believe that your Casper management account should be separate from any other account, with a password that is randomly rotated regularly. Best practice from a security standpoint.
That said, I thought authenticated restarts simply required the JSS to have a valid recovery key escrowed and didn't have an account requirement. The fdesetup authrestart command can take a recovery key or password.
Edit: Yep, just tested it, I was able to do an auth restart through JSS policy without the management account being FV-enabled.
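As an added illustration of the point above (this is example code, not from the thread or from Jamf), a small pre-flight helper a policy script could run before attempting an authenticated restart: it checks whether the Mac reports authrestart support, whether a given account is actually FV-enabled according to `fdesetup list`, and builds the `-inputplist` document so the credential is passed on stdin rather than on the command line. The `SAMPLE_FV_LIST` value is a constructed stand-in for real `fdesetup list` output, and the account names in it are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Jamf's own tooling.

# Constructed sample of `fdesetup list` output: one "user,UUID" line per
# FileVault-enabled account. On a real Mac use: SAMPLE_FV_LIST="$(fdesetup list)"
SAMPLE_FV_LIST='localadmin,1A2B3C4D-0000-0000-0000-000000000001
jsmith,1A2B3C4D-0000-0000-0000-000000000002'

# fv_user_enabled LIST USER -> returns 0 if USER is the first field of a line in LIST
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# authrestart_supported -> returns 0 when `fdesetup supportsauthrestart` prints "true"
# (requires the hardware/OS to support it); returns 1 elsewhere, e.g. on a non-Mac host.
authrestart_supported() {
    command -v fdesetup >/dev/null 2>&1 || return 1
    fdesetup supportsauthrestart 2>/dev/null | grep -q '^true$'
}

# preflight_report LIST USER -> prints which unlock path the script should use.
# authrestart needs either an FV-enabled account's password or a valid recovery
# key; it does not need the management account itself to be FV-enabled.
preflight_report() {
    if fv_user_enabled "$1" "$2"; then
        echo "account-password"
    else
        echo "recovery-key"
    fi
}

# make_inputplist USER SECRET -> plist for `fdesetup authrestart -inputplist` on stdin,
# so the secret never appears in `ps` output. Values must already be XML-safe.
make_inputplist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$1</string>
    <key>Password</key>
    <string>$2</string>
</dict>
</plist>
EOF
}

# Typical use on a Mac (not executed here):
#   authrestart_supported && make_inputplist "$user" "$pw" | fdesetup authrestart -inputplist
```

When the unlock path is `recovery-key`, the same plist shape is used with the escrowed recovery key as the Password value and no Username, which is the case the thread describes.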
Posted on 03-03-2017 10:56 AM
Hmm, if that's the case then I need to figure out why authenticated restarts aren't working.
Posted on 03-03-2017 11:01 AM
I've read somewhere that auth restarts might not work if there is no user logged in. Might be worth checking that out.
Posted on 03-03-2017 12:38 PM
As @alexjdale said you only need a valid FV2 key for an authrestart. We have no management account in our environment.
Posted on 03-03-2017 01:17 PM
We don't have the JSS storing the keys. This could be my problem.