Hiding an FileVault 2-enabled admin user with Casper

JAMF_noob
New Contributor

https://derflounder.wordpress.com/2012/02/22/hiding-an-filevault-2-enabled-admin-user-with-casper/

@rtrouton][/url posted this great article on hiding FV2 enabled admin users with Casper. I'm interested in implementing this workflow with our enrollment process. As I understand it FV2 management / issuing new recover keys requires that the JAMF management account be FV2 enabled.

Has anyone used this method to provision an unhidden management account that is FV2 enabled, and then hid it after the fact?

EDIT: Disregard this request. I see that it is not possible to hide accounts from the FV2 pre-boot login.

4 REPLIES 4

rtrouton
Valued Contributor III

Nope.

alexjdale
Valued Contributor III

This is high up on my feature request list with Apple, and I repeat it to my SE every time he asks me for feedback on what Apple can do better. There should absolutely be an option for username/password fields instead of a list of existing users, for security reasons. Knowing the user is half the battle (it's exponentially harder to brute-force both username and password).

A social engineer could use the full name listed on the FV login screen to call in and convince support staff to issue a recovery key.

mm2270
Legendary Contributor II

In total agreement with @alexjdale on this issue. I've been waiting for Apple to address this security flaw as I see it for years now and as far as I can tell there's been little or no progress. There may even be no interest in figuring out how to make it happen, but I don't know that for a fact. All I know is, this issue persists through every version of OS X released.

I do understand that there is a technical hurdle Apple needs to overcome in the EFI layer, or figure out if its possible, but, let's be honest. With all the super smart people at Apple, I have a hard time believing they can't make this happen. I can only conclude this is very low on their list of priorities, but it damages the security and credibility of FileVault in my opinion.

This just puts another check in the "Apple only cares about the consumer. Enterprise who?" column for me.

jason_bracy
Contributor III

I've also been asking our Apple SE for this ever since FV2 was released.