FileVault2 Current user and management account in same policy?

jbehling
New Contributor

Hi,

Is there any way we can enable FV2 for the "current or next user" as well as the management account in one policy? I tried this with a combination of the Management User tab and disk encryption setup, but it seems like the management user tries to be added first and fails out.

I also tried with two separate policies; however, it seems like a reboot is needed between the two policies (or that's what I need when I try to achieve this with fdesetup alone).

I get the feeling that it is possible to do more than one user at once with fdesetup, but is it possible to do it via the tools in Casper?

Best,
-John

2 REPLIES

rtrouton
Release Candidate Programs Tester

With Casper's policies, you have the following options:

  1. Current or next user - This uses fdesetup's -defer option, which enables one single user account at the time of turning on FileVault 2 encryption. The -defer option does not enable multiple user accounts and cannot be used to enable accounts once FileVault 2 encryption has been turned on.

The -defer option is the only way that you can set up a user account to be enabled for FileVault 2 without knowing the user's password in advance.

  2. Management account - This uses fdesetup to enable the management account.

It is possible to add more than one user with fdesetup, but you would have to know in advance the password of the account that you want to add. If you don't know the password of an account, you need to use the -defer option and that only works in the circumstances specified above.

JPDyson
Valued Contributor

The short answer is that it doesn't seem possible to have Casper escrow the Individual key AND enable two users at once. If you don't care about individual keys, then I might look into using fdesetup with a manifest; perhaps it's possible to defer so that the logged-in user will be enabled, and yet also specify additional users.

Helpful reference: http://derflounder.wordpress.com/2013/10/22/managing-mavericks-filevault-2-with-fdesetup/
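
The known-password route described in the replies above, as an added example that is not code from any poster or from Casper: it builds the property list that `fdesetup enable -inputplist` reads on stdin, with one primary account and any further accounts under `AdditionalUsers`. The function names are hypothetical, and it assumes every account's password is known, which is the condition rtrouton describes.

```shell
#!/bin/sh
# Added example: input plist for `fdesetup enable -inputplist` (read on stdin).
# Function names are hypothetical; callers supply the accounts and passwords.

# Escape the characters that would break XML element text.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Emit one Username/Password pair as plist keys.
user_keys() {
    printf '<key>Username</key>\n<string>%s</string>\n' "$(xml_escape "$1")"
    printf '<key>Password</key>\n<string>%s</string>\n' "$(xml_escape "$2")"
}

# fv2_input_plist PRIMARY_USER PRIMARY_PASS [USER PASS]...
fv2_input_plist() {
    [ $# -ge 2 ] && [ $(( $# % 2 )) -eq 0 ] || {
        echo "usage: fv2_input_plist user pass [user pass]..." >&2
        return 2
    }
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' '<dict>'
    user_keys "$1" "$2"
    shift 2
    if [ $# -gt 0 ]; then
        printf '%s\n' '<key>AdditionalUsers</key>' '<array>'
        while [ $# -gt 0 ]; do
            printf '<dict>\n'
            user_keys "$1" "$2"
            printf '</dict>\n'
            shift 2
        done
        printf '%s\n' '</array>'
    fi
    printf '%s\n' '</dict>' '</plist>'
}

# Build the plist in memory and pipe it to fdesetup, so the passwords are
# never written to a file on disk. Run as root on the Mac, for example:
#   fv2_enable "$mgmt_user" "$mgmt_pass" "$user" "$user_pass"
fv2_enable() {
    plist=$(fv2_input_plist "$@") || return
    printf '%s\n' "$plist" | fdesetup enable -inputplist
}
```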