10-11-2022 12:02 PM - edited 10-11-2022 05:13 PM
TL;DR - You can use the recovery key to grant a token to a non-FileVault user (i.e. account with UID 501). Not sure if this is widely known, but thought I share my findings.
So our workflow is probably similar to a lot of folks. We utilize JAMF to create a local administrator (let's called it macaddy) account with a PreStage enrollment. For 1:1 cases, we create a standard account in the Setup Assistant with a simple password (i.e. abcd). We then let policies roll out and configure the device, including installing NoMAD. Then we would reboot and let FileVault enable. From there, we would get with the user and sync their AD password using NoMAD. And that's it.
Before we started using NoMAD, we were AD-bound, and it was causing headaches with passwords and FV syncing. So that's why we made the switch. We also recently started taking advantage of Prestage (I know we're pretty late) to make deployments more easier. What we didn't realize is when we needed to troubleshoot a MacBook and the user stepped away but rebooted their computer. The macaddy account was not a FileVault user! After reading and reading scripts and documentation, and even communicating with our regional Apple engineers, it seems we needed to have the user's password, and we weren't too comfortable with that.
Recently, after trying different things, I felt that using the recovery key should work, as that's the whole point of it. So I decided to just reset the password to macaddy and reboot the computer. And what do you know? I was able to log into that account and unlock the disk! I did not have to bother resetting the user's password. I rebooted 3 or 4 times, and I could unlock the disk each and every time. Now I know I could have reset the password for the user, logged in and granted them admin, given macaddy a token, remove their admin access, then have them re-sync with NoMAD. But I think this way is much cleaner and less intrusive.
Going forward, we will make sure to logout out of the standard account, log into macaddy, and then reboot to trigger FileVault. Again, excuse my ignorance if this is widely known, but thought I shared my thoughts as I couldn't find the solution anywhere.
Posted on 10-12-2022 06:26 AM
I believe that's the bootstrap token in play happening since you are using Prestage to create the admin user. It's an MDM created user. And you're doing a GUI login, which triggers bootstrap to hand off a secure token to the admin.
Posted on 10-14-2022 04:09 AM
Most likely. However, since I enabled FileVault prior to me logging in with the MDM-created user, it doesn't grant the secure token. So if the user reboots, thinking they are doing me a favor, I wouldn't be able to get in. Since I'm able to replicate this on a T2-chip Mac, the fact that I can see the MDM account at the login screen (along with the standard user), let's me know that using the Recovery key, definitely plays a role. And that's all without me every logging in. If that makes sense.