Having a really hard time with FileVault and High Sierra

AVmcclint
Honored Contributor

Our historical setup of new Macs:
1. take the mac out of the box
2. netboot and run Jamf Imaging which block copies a preconfigured hard drive image that already has a local admin account and enrolls in our JSS automatically and creates a hidden management account
3. after first reboot, many apps install as part of the post-imaging process
4. I run a Self Service policy that enables FileVault with an institutional key that enables the management account for FV.

5. Reboot and let the drive encrypt in less than 1 hour.

Yes, I know "imaging is dead" beginning with High Sierra. I took a 2017 MBP out of the box today and decided to try the new long & painful way Apple is forcing us to use. 1. Took mac out of the box and turned it on
2. created the standard local admin account that must be present on the machines
3. manually configured ssh, Remote Management, and all the other things that need to be configured in the admin account.
4. copied a QuickAdd.pkg from our 10.7.1 JSS to the desktop.
5. Ran the QuickAdd.pkg and let it enroll in JSS and install apps and run all the same post-imaging policies
6. Ran the Self Service Policy that enables FileVault. IT FAILED. The error was basically that the management account doesn't have a secure token.
7. I tried changing the Encryption setting to enable the current (local admin) account. That failed with some kind of authentication error.
9. I dug around on the internet until I found the sysadminctl command i needed to run to enable secure token on the management account.
9. ran the Self Service Policy again and it finally seemed to take.
10. Rebooted and just got the standard ID & PW box... not the FileVault account icons to pick from. I logged in as the local admin
11. I was presented with a dialog telling me that filevault is being enabled.
12. I get to the desktop, launch Terminal and run fdesetup status and it says "Encryption in progress: Percent complete = 10"
13. I waited 15 minutes and run fdesetup status again and it is STILL at 10%
14. I went to System Preferences > Security > Filevault and the estimated time is 2 DAYS!!!
15. After another 20 minutes, I rebooted. This time i was presented with the FileVault login with the icons for both the local admin and the management account.
16, fdesetup status only says 15% now, but System Prefs> Security >filevault still says 2 DAYS!

I have to deploy this computer in a few hours. I am not permitted to deploy any computers that are not fully encrypted. Is this the new reality? How is this new reality supposed to make our lives any better? Is there a step I'm missing? Am I doing something wrong? Adding the local admin account to FV is absolute. I am willing to give up on adding the management account, but I can't figure out how to make the FileVault policy apply to the local admin (it DOES have a secure token).

5 REPLIES 5

float0n
Contributor

You said it yourself - imaging is dead. Steps 1-16 can be done via DEP and policies in Jamf with minimal interaction from you. You shouldn't be using a quickadd package anymore. No, it's not as easy as simply plugging a Mac into the network and booting it off netboot, but it's the reality today and when you get a 2018 Mac you'll be facing even more pain.

And yes, encryption on high sierra is incredibly, incredibly, incredibly slow. A standard 2016/2017 touchbar mbp with a 500 GB SSD will take ~6-8 hours. Good news is, in Mojave that same hardware encrypts in about 15 minutes! Mojave has it's own issues, but at least encryption is super fast. Also, for 2018 MBPs or newer with the T2 chip, enabling filevault is instant since the harddrive is already encrypted by default.

AVmcclint
Honored Contributor

Unfortunately we can't go to DEP at this time. And because of our extremely tight security, DEP will NEVER be the total solution Apple wants it to be. We absolutely MUST do things manually that aren't scriptable or available via config profile. So the QuickAdd package is the only way we can set these things up for now.

Is there a way to add the secure token to the management account via a policy that runs before I run the FileVault policy? Everything I've seen requires manual input.

float0n
Contributor

So emphatically disagreeing to change on how you deploy your macs is like someone who sees a wild horde of animals running at them and sticks their head in the sand to try and ignore it. I get it, DEP is definitely not perfect and probably will never be. The problem is that with all the new hardware with T2 chips, you can't netboot/usb boot/anything boot. You'll have to use the OS that comes out of the box or the one provided via Internet Recovery by Apple. If you don't use DEP in that instance, you'll have to go through Setup Assistance manually each time. Or boot to recovery and use current hackyish workarounds like installr. In 3-5 years, every single deployment method you used prior to DEP will likely be completely impossible to do.

Anyways :) The account that logs into the computer first is the account that gets the secure token. Regardless of whether filevault has been enabled or not yet. If you want your management account to get a secure token, it needs to be the first account to login. If you don't want to do that, or can't do that, you can transfer the secure token from the first account that logs in to the management account, but you need to know both that other account and your management account's password.

chris_kemp
Contributor III

DEP shouldn't affect your ability to secure a machine - it actually is a big help should the machine ever be lost or stolen, because it's tied to your organization directly. Even if they wipe & reinstall the machine it will still phone home & enroll in your system.

SecureToken gets installed to the first user by default. If you're going to try imaging then you need to rebuild your image with a SecureToken-enabled user, or you're always going to have to jump through hoops to turn it on.

If your company is that security-conscious, btw, I hope you're using a LAPS-style account for the admin account? Having a global admin account with a singular password is a huge risk in itself - compromise that and your entire fleet gets pwned.

As far as encryption times, it will get better. :) Like previously noted, Mojave is much faster; and the T2 machines are encrypted by default; enabling it is pretty much just turning on the login process for the user - that's why it's "instant".

AVmcclint
Honored Contributor

@float0n I do agree with you. DEP is a freight train that doesn't care what our InfoSec team says. Mr Rock, meet Mr Hard Place.
@chris.kemp I don't understand LAPS much at all, but what I do know tells me that LAPS would never work with FileVault nor with ARD. Yes?

I do have a lot of work ahead of me. I'm just now upgrading our existing Macs to High Sierra and deploying new High Sierra Macs. I'm way behind for reasons beyond my control. I'm very lucky that the 2018 MBPs are shipping with High Sierra and not Mojave.