FileVault Encryption issues/suggestions for alternative encryption methods

rohan_aghi
New Contributor II

We require encryption as dictated by security.

Currently, in my environment, we use FV encryption for our computers, but we're encountering a consistent issue of AD mobile accounts having issues with being populated properly in the FV login screen. It usually ends up requiring hands-on interaction and adding the user manually through the fdesetup command, which we're obviously trying to avoid.

We're unable to suggest not binding computers to the domain, per another security authorization.

I ask, if we're unable to resolve the issue regarding AD mobile account integration to FV, what do you all use for encryption if you don't use FileVault?


marlink
New Contributor III

My institution is currently dealing with the same dilemma. Our CIO is mandating that we encrypt all of our computers, but in testing we are running into the same issues that you outlined above. To make matters worse, even hands-on setup via terminal commands doesn't always seem to work. We've run into more than one situation where the output of fdesetup says that the AD account is now authorized to decrypt the drive, but the user account does not show up at boot.

And on computers that we've imaged (as opposed to zero-touch deployments) we are also running into issues with even turning FileVault on in the first place because of errors like "Authentication server refused operation because the current credentials are not authorized for the requested operation". That issue seems to be addressed here (https://support.apple.com/en-us/HT208171), but the solutions presented don't always help either.

I'm really hoping someone responds to this post with how they've solved these issues in their environment...

rohan_aghi
New Contributor II

@marlink My institution is looking into Apple Enterprise Connect as a possibility to verify syncing between an AD account and local accounts with a Mac. Has your institution considered incorporating Apple Enterprise Connect to see if it addresses the issues? I'm currently drumming up a pros and cons list for AD binding, and if AEC interacts with it, it reduces a large number of negatives.

koalatee
Contributor II

The first account we set up is our admin account. Then when an AD user signs in I have this script in Self Service. It grabs the admin user + password, the current logged-on user's password (mobile AD account), gives them SecureToken, adds to FileVault, and runs sudo diskutil apfs updatePreboot / which actually makes the AD user show up on the FV login screen.

In general, I'd recommend reading up on SecureToken
http://krypted.com/mac-os-x/using-sysadminctl-macos/

https://babodee.wordpress.com/2017/10/05/sysadminctl-changes-in-10-13/

https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

And as always, come check out macadmins.slack.com! #filevault #jamfnation #macos and #highsierra would be great places to come have these discussions.
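The SecureToken / fdesetup / updatePreboot flow koalatee describes, written out as an added example (this is not koalatee's Self Service script). It assumes macOS 10.13 or later, root, the admin credentials in ADMIN_USER and ADMIN_PASS, the console user's password in USER_PASS, and that sysadminctl reports token state with the phrase "Secure token is ENABLED"; on any other system it only defines the functions.

```bash
#!/bin/bash
# Added example, not the poster's script. Assumed: ADMIN_USER, ADMIN_PASS,
# USER_PASS environment variables; macOS 10.13+; run as root.
set -u

# Escape a value for inclusion in the plist, so a password containing & or <
# cannot break (or alter) the XML handed to fdesetup.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist that `fdesetup add -inputplist` reads from stdin, so the
# passwords are piped to fdesetup and never written to a file on disk.
build_fdesetup_plist() {
  local au ap u up
  au=$(xml_escape "$1"); ap=$(xml_escape "$2")
  u=$(xml_escape "$3");  up=$(xml_escape "$4")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Username</key><string>${au}</string>
  <key>Password</key><string>${ap}</string>
  <key>AdditionalUsers</key><array><dict>
    <key>Username</key><string>${u}</string>
    <key>Password</key><string>${up}</string>
  </dict></array>
</dict></plist>
EOF
}

# Return 0 when a `sysadminctl -secureTokenStatus` line reports the token as
# enabled (assumed output shape: "... Secure token is ENABLED for user jdoe").
secure_token_enabled() {
  case "$1" in *"Secure token is ENABLED"*) return 0 ;; *) return 1 ;; esac
}

console_user() { stat -f '%Su' /dev/console; }

# Grant SecureToken only if missing, add the user to FileVault, then refresh
# the preboot volume so the account shows up on the FV login screen.
# Caveat: sysadminctl takes the passwords as arguments, so they are briefly
# visible in the process list; run this from a trusted management channel only.
enable_fv_for_user() {
  local au=$1 ap=$2 u=$3 up=$4
  if ! secure_token_enabled "$(sysadminctl -secureTokenStatus "$u" 2>&1)"; then
    sysadminctl -adminUser "$au" -adminPassword "$ap" \
      -secureTokenOn "$u" -password "$up" || return 1
  fi
  build_fdesetup_plist "$au" "$ap" "$u" "$up" | fdesetup add -inputplist || return 1
  diskutil apfs updatePreboot / >/dev/null
}

if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  enable_fv_for_user "${ADMIN_USER:?}" "${ADMIN_PASS:?}" "$(console_user)" "${USER_PASS:?}"
fi
```

After it runs, `fdesetup list` should show the AD user and `sysadminctl -secureTokenStatus <user>` should report ENABLED; if the user still does not appear at boot, rerun `diskutil apfs updatePreboot /` before anything else.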

marlink
New Contributor III

@koalatee I've pored over that derflounder article in the past, but hadn't come across the others. Thanks for the links; I'll definitely be reading those next!

@rohan.aghi I'll have to give that a look. Thanks for the suggestion!

gachowski
Valued Contributor II

With the new T2 chip in the iMac Pro FileVault has changed, it's looking like it's going to be encrypted file by file like the iPhone and if that is the case then 3rd party options are really really going to have a hard time keeping up...

C