We require encryption as dictated by security.
Currently, in my environment, we use FV Encryption for our computers, but we're encountering a consistent issue of AD mobile accounts having issues with being populated properly in the FV login screen. It usually ends up requiring hands on interaction and adding the user manually through the fdesetup command, which we're obviously trying to avoid.
We're unable to suggest not binding computers to the domain, per another security authorization.
I ask, if we're unable to resolve the issue regarding AD mobile account integration to FV, what do you all use for encryption if you don't use FileVault?
My institution is currently dealing with the same dilemma. Our CIO is mandating that we encrypt all of our computers, but in testing we are running into the same issues that you outlined above. To make matters worse, even hands-on setup via terminal commands doesn't always seem to work. We've run into more than one situation where the output of fdesetup says that the AD account is now authorized to decrypt the drive, but the user account does not show up at boot.
And on computers that we've imaged (as opposed to zero-touch deployments) we are also running into issues with even turning FileVault on in the first place because of errors like "Authentication server refused operation because the current credentials are not authorized for the requested operation". That issue seems to be addressed here (https://support.apple.com/en-us/HT208171), but the solutions presented don't always help either.
I'm really hoping someone responds to this post with how they've solved these issues in their environment...
@marlink My institution is looking into Apple Enterprise Connect as a possibility to verify syncing between an AD account and local accounts with a Mac. Has your institution considered incorporating Apple Enterprise Connect to see if it addresses the issues? I'm currently drumming up a pros and cons list for AD binding, and if AEC interacts with it, it reduces a large number of negatives.
The first account we set up is our admin account. Then when an AD user signs in I have this script in Self Service. It grabs the admin user + password and the current logged-on user's password (mobile AD account), gives them a SecureToken, adds them to FileVault, and runs sudo diskutil apfs updatePreboot /, which actually makes the AD user show up on the FV login screen.
In general, I'd recommend reading up on SecureToken.
And as always, come check out macadmins.slack.com! #filevault #jamfnation #macos and #highsierra would be great places to come have these discussions.
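The Self Service workflow described in the previous post, written out as an added example script (this is not the poster's own script, and it is not part of the original thread). It assumes a Jamf-style policy passes the admin account name and password as script parameters $4 and $5, that the admin account already holds a SecureToken (true for the first account created on an APFS Mac), and that the logged-on AD mobile user is prompted for their own password with an AppleScript dialog. Those parameter positions and the dialog text are assumptions for the example. It also covers a detail the posts leave out: feeding fdesetup a plist on stdin instead of putting passwords on the command line, with XML escaping so a password containing & or < does not produce a malformed plist and a confusing fdesetup error.

```bash
#!/bin/bash
# Added example, not the original poster's script.
# Grant the console user (an AD mobile account) a SecureToken, enable them for
# FileVault, and refresh the APFS preboot volume so they appear on the
# FileVault login screen. Requires macOS 10.13 or later on APFS.
# Assumed: $4 = admin account name, $5 = admin password (Jamf parameters).

set -euo pipefail

admin_user="${4:-}"
admin_pass="${5:-}"

# The account currently logged in at the console.
console_user() {
  stat -f '%Su' /dev/console
}

# Escape the five XML metacharacters so a password never breaks the plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist that `fdesetup add -inputplist` reads from stdin. Keeping
# credentials off the command line keeps them out of `ps` and the Jamf log.
build_fdesetup_plist() {
  local admin user admin_pw user_pw
  admin="$(xml_escape "$1")";    admin_pw="$(xml_escape "$2")"
  user="$(xml_escape "$3")";     user_pw="$(xml_escape "$4")"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>${admin}</string>
  <key>Password</key><string>${admin_pw}</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>${user}</string>
      <key>Password</key><string>${user_pw}</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

main() {
  [ -n "$admin_user" ] && [ -n "$admin_pass" ] || { echo "admin credentials missing" >&2; exit 1; }
  local user user_pass
  user="$(console_user)"

  # Ask the mobile user for their own password (assumed dialog text).
  user_pass="$(/usr/bin/osascript \
    -e 'display dialog "Enter your password to enable FileVault for your account" default answer "" with hidden answer' \
    -e 'text returned of result')"

  # Check the password against the cached mobile account before changing anything.
  dscl . -authonly "$user" "$user_pass" || { echo "password check failed for $user" >&2; exit 1; }

  # The admin must hold a SecureToken to hand one out.
  sysadminctl -secureTokenStatus "$admin_user" 2>&1 | grep -q ENABLED \
    || { echo "$admin_user has no SecureToken; cannot continue" >&2; exit 1; }

  sysadminctl -adminUser "$admin_user" -adminPassword "$admin_pass" \
              -secureTokenOn "$user" -password "$user_pass"

  # Enable the user for FileVault, then confirm it actually took.
  build_fdesetup_plist "$admin_user" "$admin_pass" "$user" "$user_pass" \
    | fdesetup add -inputplist
  fdesetup list | grep -q "^${user}," \
    || { echo "fdesetup did not list $user after add" >&2; exit 1; }

  # Rewrite the preboot volume so the new user shows up at the FV login screen.
  diskutil apfs updatePreboot /
  echo "$user enabled for FileVault and preboot updated"
}

# Only run the macOS-specific steps on a Mac; the helpers above are plain shell.
if [ "$(uname)" = "Darwin" ]; then
  main "$@"
fi
```

Run it as root from a Self Service policy with the admin credentials in parameters 4 and 5. If the user still does not appear at the FileVault screen after this, check `sysadminctl -secureTokenStatus <user>` and `fdesetup list` first; if both look right, the preboot update is the step to repeat.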