FileVault on shared workstations

mrhollywoodgate
New Contributor II

We're starting to encrypt all Macs with FileVault 2, and I'm curious how other people approach the project, specifically in regards to shared workstations.

For single-user computers, FileVault is no problem, since you can just enable the one user.

However, working at a University, we have many computers that are shared - an iMac that multiple student workers can login to, for example.

Typically, we control authentication to the shared workstation via Active Directory Group - if the user is part of the correct group that's been given access to the computer, they can login. However, for FileVault, I can't enable a group, only individual users, and FileVault can't communicate with my domain server. This means that an IT admin would have to go and enable each user for FileVault, and get them to enter their password, and do that all over again each semester as student workers change.

So, do you encrypt every computer no matter what? Or do you only target single-user computers? Or only Laptops?

If you do encrypt every computer, how do you handle shared workstations? Do you not allow them? Or do you script something to add every new user to FileVault automatically? Or do you make them use Windows with BitLocker, which does support AD groups? (we're a mixed campus, with about 50/50 PC to Mac ratio)

I'm more looking for a general idea of what people have done so I can adapt some strategy to fit my environment, so any ideas will be appreciated!

4 ACCEPTED SOLUTIONS

mm2270
Legendary Contributor III

I'm not sure I see the value of encrypting Macs that are not specifically mobile. If the Macs you're describing are sitting in a lab or are desktop Macs, like iMacs, it may not make much sense to FileVault 2 encrypt them, especially since you will be constantly needing to add student accounts in to the FV2 authorized list, which as you found, isn't so easy to do (although there are ways to do it)
If there are concerns about them being stolen it might make more sense to invest in a Kensington lock for each one and just lock them to a desk to discourage any possible theft that may occur.

OTOH, Mac laptops, especially if they are assigned to a single user who takes them with them, probably should be encrypted since they may be leaving the facilities and have a much higher chance of being stolen or lost.

Just my 2¢ on this topic.

View solution in original post

cmarker
Contributor

I'm in a very similar situation (Higher Ed, about 50/50 environment), we go the path of encrypting all of our Mac computers unless we know specifically that the machine is going into a shared space, then we use a Kensington lock to secure the device physically.

Not strictly ideal, but it does meet the letter of our requirements.

View solution in original post

emily
Valued Contributor III
Valued Contributor III

Yeah… in our org we only BitLocker/FV2 mobile machines (laptops). Desktops are behind a proximity wall so we don't encrypt them as they are stationary and within a secure premises. A physical lock would probably be the way to go when it comes to non-mobile machines.

View solution in original post

wyip
Contributor

I'm at a University/hospital where we need to encrypt EVERYTHING that touches our network, but we do have an exception process that goes through IT Security & Policy. This was mainly intended for shared workstations, like in your case, and presentation laptops and such.

Basically the owner of the computer signs something that says that they are personally liable for any breach of data that might occur due to the device being unencrypted, and they are required to demonstrate that they've put in additional security controls or that there really is a low risk to having these computers unencrypted. e.g. For computers in the labs run by the Library, they use Deep Freeze so no user data actually resides on the disks. For mac minis and laptops in conference rooms, they're super locked down in the Guest account and can basically only run Powerpoint/Keynote and browse to external websites (no access to the internal network). Being locked to a desk and in a locked office is usually not good enough for our S&P team to grant the request. We've had some faculty try to put their own computers through the exception process, but they get shot down pretty quickly.

View solution in original post

5 REPLIES 5

mm2270
Legendary Contributor III

I'm not sure I see the value of encrypting Macs that are not specifically mobile. If the Macs you're describing are sitting in a lab or are desktop Macs, like iMacs, it may not make much sense to FileVault 2 encrypt them, especially since you will be constantly needing to add student accounts in to the FV2 authorized list, which as you found, isn't so easy to do (although there are ways to do it)
If there are concerns about them being stolen it might make more sense to invest in a Kensington lock for each one and just lock them to a desk to discourage any possible theft that may occur.

OTOH, Mac laptops, especially if they are assigned to a single user who takes them with them, probably should be encrypted since they may be leaving the facilities and have a much higher chance of being stolen or lost.

Just my 2¢ on this topic.

cmarker
Contributor

I'm in a very similar situation (Higher Ed, about 50/50 environment), we go the path of encrypting all of our Mac computers unless we know specifically that the machine is going into a shared space, then we use a Kensington lock to secure the device physically.

Not strictly ideal, but it does meet the letter of our requirements.

emily
Valued Contributor III
Valued Contributor III

Yeah… in our org we only BitLocker/FV2 mobile machines (laptops). Desktops are behind a proximity wall so we don't encrypt them as they are stationary and within a secure premises. A physical lock would probably be the way to go when it comes to non-mobile machines.

wyip
Contributor

I'm at a University/hospital where we need to encrypt EVERYTHING that touches our network, but we do have an exception process that goes through IT Security & Policy. This was mainly intended for shared workstations, like in your case, and presentation laptops and such.

Basically the owner of the computer signs something that says that they are personally liable for any breach of data that might occur due to the device being unencrypted, and they are required to demonstrate that they've put in additional security controls or that there really is a low risk to having these computers unencrypted. e.g. For computers in the labs run by the Library, they use Deep Freeze so no user data actually resides on the disks. For mac minis and laptops in conference rooms, they're super locked down in the Guest account and can basically only run Powerpoint/Keynote and browse to external websites (no access to the internal network). Being locked to a desk and in a locked office is usually not good enough for our S&P team to grant the request. We've had some faculty try to put their own computers through the exception process, but they get shot down pretty quickly.

mrhollywoodgate
New Contributor II

Thanks for all the replies! This is very helpful.