Filevault 2 enabling hidden management account and not passing secure token to next user

beeboo
Contributor

Essentially I have an enrollment script that calls on the custom trigger "FV2" to run, all using jamfhelper.

During DEP enrollment, user needs to auth to Okta then create a local account using setup assistant.  That user is an admin.

However, based on my current settings, the hidden management account gets the secure token and does not pass it off to the account created during setup assistant.

That poses a problem as now users can see the name of the hidden account, and its also kinda ugly.  Secondly, without a secure token i have to push a script that uses osascript to have the user auth to get the token.

The goal, if possible is to keep the management account hidden, though that seems more and more impossibly as thats the account needed to auth to FV2 if a user is termed.

I also dont want to pester users to auth to osascript to enter their creds as its understandably sketch.

 

Here is my prestage enrollment

Screen Shot 2021-08-26 at 7.07.11 PM.png

 unsure if i need to check "Make the local admin account MDM enabled" or not

Additional oddity is that Filevault is shown as an option to skip in prestage but NOT editable/selectable when i edit the page

Screen Shot 2021-08-26 at 7.06.08 PM.png

Screen Shot 2021-08-26 at 7.06.16 PM.png

FV2 policy

Screen Shot 2021-08-26 at 7.05.24 PM.png

 

FV2 config

Screen Shot 2021-08-26 at 7.05.14 PM.png

Any ideas on what I could be missing?

The worst part is that it seemed to be working when the old script called on DEPNotfify but I have since changed to jamfHelper so that I rely more on native apps.

 

Based on everything I've seen here, it looks to be correct and should work accordingly, but when i look at new hires and also the FV2 log:

  1. hidden management account is FV2 enabled
    1. FileVault 2 Enabled Users: tdyyXxxxxxXXXXXXXXX
  2. Disk is not encrypted
  3. The admin (setup assistant user) isnt on the enabled users
  4. Bootstrap token is no escrowed to server for any of our devices, working or not
  5. securetoken is DISABLED for the user
  6. Logs from the only FV2 enrollment show
    1. Executing Policy [Enrollment] FileVault 2

      FileVault is Off. Deferred enablement appears to be active for user '$USER'.

 

4 REPLIES 4

AJPinto
Honored Contributor II

On macOS 11 Apple changed FV to where it gives the very first user on the Mac the Secure Token, which may be what you are seeing. The only way to prevent what you are seeing as I understand it is to differ enabling FileVault until after the user logs in.

 

If you are using mobile accounts that brings in the bootstrap token and a whole different set of complications. However the waiting until after the user logs in to turn on FileVault is still the best practice. 

 

I have found FileVault to be incredibly messy and not enterprisable in the slightest. I really wish they would give an option to separate FileVault authentication from the user account kinda like how BitLocker does. That or let us programmatically grant access to FV without needing to manually can credentials in a script to pass around a token. This entire KEK Secure/Bootstrap token thing just does not work.

@AJPinto forgot to add, accounts are local and not mobile.

I mean we technically can use a token, namely in the form of the management account creds LOL, but it certainly is not scalable and without issues

pkleiber
Contributor

Hi @beeboo  please check out this apple support article:

https://support.apple.com/guide/deployment-reference-macos/using-secure-and-bootstrap-tokens-apdff2c...

Which macOS version do you deploy?

beeboo
Contributor

@pkleiber you are referring to this part right?

all accounts are local

devices are shipped directly to the user and ABM 

then they set it up per the prestage enrollment.

 

We are deploying mainly big sur, but there are the occasional Catalinas out there.

 

so this line would be added to my enrollment script targeting the account created during setup assistant and not the hidden management account ya?

sudo dscl . append /Users/<user name> AuthenticationAuthority ";DisabledTags;SecureToken"