Jamf Nation Community

Unfortunately, neither of those scenarios will work well for me. I use the term lab environment loosely as they aren't in a classroom, but they are setup as if they were. They are in open spaces where anyone can plop down and login, and they are rarely supervised. It a hard balance trying to keep them locked down so they remain identical while trying to keep the feel as natural as possible so people can "just sit down and get to work". (I'm in a University Library, BTW).

My problem with laptops is that they are only checked out for up to a day. The staff performing the checkouts are non-technical and are about as hands-off as could be. I'm hoping to come up with a solution that wouldn't require any workflow changes for the staff.

Because it's a checkout program, do you "refresh" or reimage the machine between use? I can't even begin to imagine the data privacy issues that you could run into without that process.

If I'm not mistaken, how it should work in theory, if you have AD accounts, if you login as one AD account and enable that in FV2, any subsequent AD login should auto add to the FV2 users login screen.

Enabling FDE will lock down the data, but it doesn't prevent someone from re-using the computer unless you lock down boot options as well (and assuming they don't take the HD out).

No, they are not wiped in between use. The users do not get admin access, they don't leave the building, and it is common knowledge that a restart wipes user data on the laptops. (See my post in https://jamfnation.jamfsoftware.com/discussion.html?id=5042).

Either way, I'm beginning to think that this just isn't going to be possible in this type of environment. I don't want to create extra work for the staff (read not "my" staff) and I don't want to cause my users any extra stress or confusion by not being able to boot these devices.

Ah I see. Hm.

I don't know how it is in WV, but in MA, the penalties for losing an unencrypted device with personally identifiable information is very high. And if these are being used by anyone with medical record access, HIPAA applies and those penalties are pretty stiff as well. Wiping home folders doesn't cover the penalties with those regulations unless it's a secure wipe.

Actually I can't think of any encryption product that actively uses LDAP to decrypt a drive, it's all based on cached credentials. That would be pretty cool though, if you could make the initial boot partition bind to LDAP, and then have that decrypt drives. I smell a $$ making opportunity here.

@hkim,

Unfortunately, it looks like Apple has turned off the ability to automatically enable AD accounts (automatically enabling local accounts still works.) I had filed a bug report on this and included Apple's bug closing notes at Open Radar:

http://www.openradar.me/radar?id=3002407

@Rich, thanks for that info. Wow, that sucks and is really lame on Apple's part. I think enterprise admins all understand the inherent risk of a user's password changing outside of being done in the OS, like in AD, etc. Its been this way for a long time now, so b/c of that, Apple doesn't want to be bothered? And I thought they were starting to come around to the enterprise a little. Guess not. :/

@Rich, Thank you for posting that. That response is a real kick in the pants since that seems to be exactly what I'm looking for.