Skip to main content
Question

Hiding an FileVault 2-enabled admin user with Casper

  • February 3, 2015
  • 4 replies
  • 14 views
J
Forum|alt.badge.img+4

https://derflounder.wordpress.com/2012/02/22/hiding-an-filevault-2-enabled-admin-user-with-casper/

@rtrouton][/url posted this great article on hiding FV2 enabled admin users with Casper. I'm interested in implementing this workflow with our enrollment process. As I understand it FV2 management / issuing new recover keys requires that the JAMF management account be FV2 enabled.

Has anyone used this method to provision an unhidden management account that is FV2 enabled, and then hid it after the fact?

EDIT: Disregard this request. I see that it is not possible to hide accounts from the FV2 pre-boot login.

    4 replies

    R
    Forum|alt.badge.img+33
    • rich.trouton
    • Hall of Fame
    • February 3, 2015

    Nope.

    A
    Forum|alt.badge.img+18
    • alexjdale
    • Contributor
    • February 4, 2015

    This is high up on my feature request list with Apple, and I repeat it to my SE every time he asks me for feedback on what Apple can do better. There should absolutely be an option for username/password fields instead of a list of existing users, for security reasons. Knowing the user is half the battle (it's exponentially harder to brute-force both username and password).

    A social engineer could use the full name listed on the FV login screen to call in and convince support staff to issue a recovery key.

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • February 4, 2015

    In total agreement with @alexjdale on this issue. I've been waiting for Apple to address this security flaw as I see it for years now and as far as I can tell there's been little or no progress. There may even be no interest in figuring out how to make it happen, but I don't know that for a fact. All I know is, this issue persists through every version of OS X released.

    I do understand that there is a technical hurdle Apple needs to overcome in the EFI layer, or figure out if its possible, but, let's be honest. With all the super smart people at Apple, I have a hard time believing they can't make this happen. I can only conclude this is very low on their list of priorities, but it damages the security and credibility of FileVault in my opinion.

    This just puts another check in the "Apple only cares about the consumer. Enterprise who?" column for me.

    J
    Forum|alt.badge.img+8
    • jason_bracy
    • Valued Contributor
    • February 5, 2015

    I've also been asking our Apple SE for this ever since FV2 was released.

    Terms & ConditionsCookie settingsAccessibility statement