FileVault2 - Does sync command work with AD?

franton
Valued Contributor III

Does the fdesetup sync command also work with AD? The documentation only refers to OD which we're phasing out.



JPDyson
Valued Contributor

GREAT question. That's something worth testing (since there's not any output when I run it, and the verbose flag doesn't apply).

rtrouton
Release Candidate Programs Tester

fdesetup sync should work with any directory service. One way to verify this should be to add a test account to AD, then add the account to a FileVault 2-encrypted Mac. Once you've verified that the AD account shows up at the FileVault 2 pre-boot login screen, remove the AD account from your AD domain and run fdesetup sync on your test Mac.

Once fdesetup sync has been run, reboot the Mac and see if the test AD account is showing up at the pre-boot login screen. It shouldn't show up, as fdesetup sync should have checked with AD and seen that the account was no longer listed as an account.

Note: The AD account needs to be actually removed from the AD domain. Disabling it will not trigger fdesetup sync to remove it from the pre-boot login screen.

mm2270
Legendary Contributor III

That's good to know, but I wonder, will the fdesetup sync process, once run, prevent someone with a disabled AD account from logging in at the FV2 screen, or will it still allow unlock of the Mac and just stop them at a username/password style login screen? I'm guessing some of the process may depend on whether the Mac is in range of the DCs when the login occurs. Curious to know more about how that works as these same questions may come up for us now that we're using FV2 for FDE.

rtrouton
Release Candidate Programs Tester

fdesetup sync won't do anything with regards to disabled accounts. That said, if the account is disabled and the Mac's OS has a chance to communicate with AD, here's what happens:

  1. Mac boots
  2. You can log in with the disabled account at the FileVault 2 pre-boot login screen
  3. You get stopped at the regular login window.

mm2270
Legendary Contributor III

Thanks for confirming that Rich. That's kind of what I was thinking would happen, but we hadn't tested this out. Of course this does require the Mac to be communicating with AD as you stated, so Macs off the network won't initially get blocked from login. Eventually it will once they've been out of communication for too long though.

franton
Valued Contributor III

Well, it can't hurt to implement it as a policy scoped only to FV2-enabled Macs. Thanks Rich!

JPDyson
Valued Contributor

You can also do a targeted remove with fdesetup, so in the actual event of a terminated employee, as long as it's online somewhere and you can ssh in, you can kick the user out.
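An added example, not code posted by anyone in this thread, that turns the before/after check rtrouton describes and the targeted removal JPDyson mentions into a small audit script. It assumes `fdesetup list` prints one `username,UUID` line per FileVault-enabled user and that `dscl /Search -read /Users/<name>` succeeds only for accounts the directory search path (local or AD) can still find; the usernames in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit which FileVault 2-enabled users
# still resolve in the directory, so the effect of `fdesetup sync` can be
# checked with a before/after comparison on a test Mac.
# Assumptions: `fdesetup list` prints "username,UUID" per enabled user, and
# `dscl /Search -read /Users/<name>` succeeds only for resolvable accounts.

# stale_fv_users: read "username,UUID" lines on stdin and print the usernames
# that are missing from the space-separated list of resolvable users in $1.
stale_fv_users() {
  known=" $1 "
  while IFS=, read -r user uuid; do
    [ -n "$user" ] || continue
    case "$known" in
      *" $user "*) ;;                 # still resolvable: nothing to report
      *) printf '%s\n' "$user" ;;     # FV2-enabled but gone from the directory
    esac
  done
}

# resolvable_users: of the usernames given as arguments, print (space-separated)
# those the directory search path can read. macOS only. Local accounts resolve
# too, which is intended: only accounts deleted from every node count as stale.
resolvable_users() {
  for u in "$@"; do
    if dscl /Search -read "/Users/$u" RecordName >/dev/null 2>&1; then
      printf '%s ' "$u"
    fi
  done
}

# audit_live: compare fdesetup's enabled-user list against the directory.
# Run as root on a test Mac once before and once after `sudo fdesetup sync`
# to see which pre-boot login entries the sync removed. Per the thread, a
# disabled (not deleted) AD account will still be listed afterwards.
audit_live() {
  enabled=$(fdesetup list) || return 1
  names=$(printf '%s\n' "$enabled" | cut -d, -f1 | tr '\n' ' ')
  # word-splitting of $names into separate arguments is intended here
  resolvable=$(resolvable_users $names)
  printf 'FV2-enabled users no longer in the directory:\n'
  printf '%s\n' "$enabled" | stale_fv_users "$resolvable"
  # Targeted removal of a single account, as JPDyson mentions:
  #   sudo fdesetup remove -user <username>
}

# Only touch fdesetup/dscl when explicitly asked, so the functions above can
# be exercised on any POSIX shell with constructed input.
if [ "${1:-}" = "--audit" ]; then
  audit_live
fi
```

Run it as `sudo sh fv2_audit.sh --audit` on a test Mac before and after `fdesetup sync`; any name it prints after the sync is a pre-boot entry the sync did not clean up and a candidate for a targeted `fdesetup remove -user`.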