Filevault 2 for AD

dletkeman
Contributor

Our school division is pushing for FileVault 2 on all Macs. I'm tasked to figure out how to deploy this if it is feasible. Our school division uses Active Directory. I have so far tested enabling FileVault with a Configuration Profile configured as follows:

[Screenshot: FileVault profile]

I have also turned off automatic login while FileVault is on as per https://support.apple.com/en-vn/HT207431.

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

I have tested this with Catalina, Big Sur and Ventura Beta; I haven't got around to Monterey yet. What I have found in Catalina and Big Sur is that only the FileVault users are listed and there is no username and password prompt for new users. Ventura Beta does have a username and password prompt, but even with automatic login turned off the computer does not connect to Wi-Fi until someone logs in.

This would be fine if it was a one-to-one computer deployment but I need to deploy this to lab computers and laptops where there will be many new users logging in.

Is there a way to display a login prompt for macOS 10.15.7 and above?  And is there a way to authenticate to the network at the login screen?

I feel like I'm missing something.

If this can't be done I was wondering why not.
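An added audit helper, not from this thread or from Apple, that checks the three things the post depends on: whether FileVault is on, how many accounts are FileVault-enabled (the list shown at the pre-boot screen), and whether DisableFDEAutoLogin is set. It assumes the macOS `fdesetup` and `defaults` CLIs; the parsing functions take command output as text, so they can be exercised with the constructed samples in the comments on any POSIX shell.

```shell
#!/bin/sh
# Audit helper added here (not the thread's code). Assumes macOS tools:
# `fdesetup status`, `fdesetup list` and `defaults read`. The parse
# functions operate on captured output so they run anywhere.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
# (possibly followed by deferred-enablement lines).
fv_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled
# user. Constructed sample: "labadmin,1D6A3D8B-9F1E-4C2B-A7D3-0B5E6F7A8C9D".
# A large count on a lab Mac is the scaling problem discussed below.
fv_user_count() {
    printf '%s\n' "$1" | grep -c '^[^,][^,]*,[0-9A-Fa-f-]*$' || :
}

# Value of DisableFDEAutoLogin as `defaults read` returns it ("1" when
# written with -bool YES). Empty means the key is absent, i.e. auto-login
# after the pre-boot unlock is still on.
fde_autologin_disabled() {
    case "$1" in
        1|YES|true) echo yes ;;
        *)          echo no ;;
    esac
}

# Live audit when run on a Mac; reports and exits non-zero elsewhere.
audit_mac() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found"; return 1; }
    status=$(fdesetup status)
    users=$(fdesetup list 2>/dev/null)
    al=$(defaults read /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin 2>/dev/null)
    echo "FileVault: $(fv_state "$status")"
    echo "FileVault-enabled users: $(fv_user_count "$users")"
    echo "FDE auto-login disabled: $(fde_autologin_disabled "$al")"
}
```

Run `audit_mac` as root on the test Mac after the profile is applied; the user count shows exactly which accounts will appear at the pre-boot screen.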


4 REPLIES

mm2270
Legendary Contributor III

Hi there. When you ask "is there a way to authenticate to the network at the login screen?" by login screen, do you actually mean the FileVault login screen that comes up after a boot or reboot? Because if so, the answer is a hard No. At this stage in the boot process, there is no network stack. FileVault is full disk encryption, which means the OS has not even loaded when you are looking at that FileVault login screen. It's prompting for an authorized FileVault user's password to "unlock" the Mac drive and allow the OS to continue booting up. So, no, there's no way to get it to connect to your network at that point in the process.

If you meant something else by your statement above, then perhaps you can clarify that.

Except perhaps for some very special scenarios, using FileVault on lab computers is going to be an exercise in frustration. It's REALLY not designed for lab systems. FV2 is designed for one or at most, a couple of accounts to be allowed to use the Mac, not many users. It just doesn't scale well for lab setups.

dletkeman
Contributor

Thanks.  You interpreted what I was saying exactly.  I also suspected from my research this was the case but I was hoping that I was missing something.  Thank you for the quick and clear response.

Duke78
New Contributor III

Did you find a workaround? I am in a similar scenario.

@Duke78 we did not. I can't see a solution that would work for us, so we are just not doing anything about it. I haven't received any pushback so I guess management is ok with this security risk. I'm not really sure what the alternative would be and there are higher-priority tasks that have floated to the top. Until I have pushback or have additional time on my hands this remains low on my priority list of things to address.