FileVault2 Admin questions

New Contributor III

I'm working to get FileVault 2 encryption enabled on all laptops. I’ve gotten FV2 JSS policies working and all seems to be going well. The plan is to have users run a self service policy to enable FileVault 2 encrytion. That policy uses the a Disk Encryption config to apply the “Institutional And Individual” recovery key.

I am a little confused about administering FV computers. Users are creatives/professionals typically with an assigned machine. We currently run 10.9.5, and have a local admin account on the machine as well as an admin account created for casper. Users are all active directory accounts.

While laptops are typically assigned to a single user, there are times when I need to get into a laptop for admin purposes. if I’ve only added the main user as a FileVault2 account (+institutional), I’ll have a bit longer of a process (go to jss, get individual recovery key, unlock using Individual’s Key, or use institutional key) to gain access to the machine if it's FV2 locked.

If I add a local admin account, it shows at the FV2 unlock. Plus I’m not sure of what considerations there are with having a local admin account enabled for FV2.

Does anyone care to weigh in on the pro’s/cons of having a local admin account enabled for FV2 in addition to the primary user(s)?


Legendary Contributor III

As you've discovered, as soon as you start to go the route of encrypting your Macs via FileVault 2, things gets complicated when it comes time later if you need access to the system.

We've chosen to only have a single account in most cases (for single user systems) that is authorized to unlock the Mac at boot time. If we need access to the Mac when the user is not around to log in, we use the Recovery key at the FV2 login screen. We really don't want to enable a local admin account to also be able to unlock the drive, since as it stands now, the FV2 login screen shows all user names in plain sight. If there ever comes a time when Apple figures out how to make the pre-boot login screen only show username & password fields instead, we may consider adding a local account to the authorized unlock list. But since it shows up right at the login screen, its a no-go for us. This constitutes one of my biggest grips on how FV2 works, but as it stands, it seems like Apple can't really figure out how to make it work any differently, which is pretty disappointing.

Valued Contributor III
Valued Contributor III

We have a policy in place that, as soon as a machine shows it has FV2 enabled, a local account (standard, non-admin) is created that is FV2-enabled user. It's called, very unoriginally, "FileVault 2 Admin." It's meant just to unlock the disk and does not have any other permissions on the machine. We can then log out and have the user log back in, or log in with the local admin that IS an admin on the machine, or whatever else.

Contributor III

We went the same route as @mm2270. One additional reason that we don't enable a common local account for FV2 is that it allows all of your FV2 machines to be unlocked with one password (more convenient, less secure).

New Contributor III

That makes sense. I'm not sure if we'll put a non-admin FVunlock account on the machines or not. I'll keep playing with the various scenarios with your suggestions in-mind.

Thanks all!