Juniper host check for File Vault 2 encryption

The problem is that with the right knowledge, it's really easy to spoof the Juniper host checker since it can really only check for certain files or processes (unless things have changed, we switched to a new VPN client this last year).

I'm not sure what your tolerances are, but you could have a system login script that confirms FV encryption and then creates or destroys a certain file with a certain hash that can be checked by Juniper. Again, that is still spoofable if someone can reverse-engineer it (relying on obscurity) and not real-time, but it may satisfy your security folks.

Unless you can have the host checker run a script, I can't think of anything else.

Yeah, we've had to ask the same questions with our NAC host validation processes. If the appliance or application can't run a script, its not easy to check on something like FV2 enablement. It needs to be able to run something like sudo fdesetup isactive, or similar, and check its exit status. There is no real "file" to look for when FileVault is active, and even if there was, as mentioned, it could be pretty easily spoofed.

We use Juniper as well, and I also had to come up with a solution for this. Host Checker is easily fooled if you know what it's checking for, regardless of which platform it is running on. What I did was create a script that is coupled with my FileVault Self-Service policy. The script simply creates a file (using the "touch" command") and Host Checker verifies the existence of that file to determine a client's validity.

Hope this helps!

We tag our Macs (touch command, predetermined file, as above) via Casper policy once a day. If the Mac is encrypted, it gets the tag. If it's not, and the tag is present, it is removed.

If these guys want to get serious about posture-checking Macs, they'll learn to run shell commands as a part of the process.