Local Admin Account + FileVault 2 Predicament

sim_brar
New Contributor III

Hi all,

It seems that a number of threads regarding this have already been posted, but they are from a few years ago. Any advice and/or suggestions would be greatly appreciated.

We have a LAPS solution implemented on all of our laptops (https://github.com/NU-ITS/LAPSforMac). Through a set of Jamf policies, this solution creates a local admin account on each device, rotates the password every X days, with each rotation updating the local admin account's password extension attribute.

Unfortunately, this local admin account is pretty much useless if it is not enabled for FileVault on the device, as it is unable to access the encrypted disk.

I am wondering if the following may work:

A policy that runs a script using the fdesetup command on each device on which the local admin account is not enabled for FileVault. This script would prompt the end user for his/her FileVault enabled account’s credentials, make an API call to our Jamf Cloud instance to obtain the device’s local admin account password, and ultimately enable the local admin account for FileVault based on the following scheme:

# Enable the local admin account for FileVault:
sudo fdesetup add -usertoadd LOCAL_ADMIN_ACCOUNT

# End user enters his/her credentials when prompted:
Enter the user name: LOCAL_USER
Enter the password for user 'LOCAL_USER':

# Then, an API call would be made to our Jamf Cloud instance to obtain the admin account's password (an extension attribute):
Enter the password for the added user 'LOCAL_ADMIN_ACCOUNT':

Does this have the potential to work?
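One way to script the scheme above, as an added example that is not the poster's or LAPSforMac's own code: the end user's password and the LAPS password are handed to `fdesetup add -inputplist` on stdin rather than as command-line arguments, so neither appears in a process listing or on disk. It assumes the policy runs as root, a Jamf Classic API `subset/extension_attributes` endpoint, the extension attribute name in `LAPS_EA_NAME`, and read-only API credentials in `JSS_URL`, `JSS_API_USER` and `JSS_API_PASS`.

```shell
#!/bin/sh
# Added example, not the poster's or LAPSforMac's code. Enables a LAPS-managed
# local admin for FileVault via `fdesetup add -inputplist`, so neither password
# appears on a command line or on disk. Assumptions: a Jamf Classic API
# "subset/extension_attributes" endpoint, the extension attribute name in
# LAPS_EA_NAME, and read-only API credentials in JSS_URL/JSS_API_USER/JSS_API_PASS.

# Escape a value for embedding in the plist XML (passwords may contain <, > or &).
xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# Build the plist fdesetup reads from stdin: an already-enabled user's credentials
# authorise adding every entry under AdditionalUsers. Args: auth_user auth_pass new_user new_pass
build_fdesetup_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Username</key><string>$(xml_escape "$1")</string>
<key>Password</key><string>$(xml_escape "$2")</string>
<key>AdditionalUsers</key><array><dict>
<key>Username</key><string>$(xml_escape "$3")</string>
<key>Password</key><string>$(xml_escape "$4")</string>
</dict></array>
</dict></plist>
EOF
}

# Exit 0 if the account is already a FileVault-enabled user ("fdesetup list" prints user,UUID).
fv_enabled() { fdesetup list | cut -d, -f1 | grep -qx "$1"; }

# The policy runs as root with no TTY, so ask the console user with a hidden-answer dialog.
ask_hidden() { /usr/bin/osascript -e "text returned of (display dialog \"$1\" default answer \"\" with hidden answer)"; }

# Read the current LAPS password from the device's extension attribute (assumed endpoint).
laps_password() {
  serial=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/ {print $4}')
  curl -sf -u "$JSS_API_USER:$JSS_API_PASS" -H 'Accept: application/xml' \
    "$JSS_URL/JSSResource/computers/serialnumber/$serial/subset/extension_attributes" |
    xmllint --xpath "string(//extension_attribute[name='$LAPS_EA_NAME']/value)" -
}
main() {  # arg: local admin account name
  fv_enabled "$1" && { echo "$1 is already FileVault-enabled"; return 0; }
  user=$(stat -f %Su /dev/console)
  fv_enabled "$user" || { echo "$user is not FileVault-enabled; cannot authorise"; return 1; }
  pass=$(ask_hidden "Enter the password for $user to enable $1 for FileVault")
  build_fdesetup_plist "$user" "$pass" "$1" "$(laps_password)" | fdesetup add -inputplist
  fv_enabled "$1"   # verify; the exit status is the policy result
}

if [ "${1:-}" = "--run" ]; then main "$2"; fi
```

Scope the API account to read access on that one extension attribute, since a policy that can read every device's LAPS password is itself a high-value target; the final `fv_enabled` check makes the policy log show whether the add actually took.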


nvandam
Contributor II

Depending on how often you are needing to log in as admin from a cold boot, you could always just use the recovery key to get past FV2 and then log in as the admin account at the login screen. That's what we do. We don't often log in as the local admin though. Most of the time when we work on a user's computer the user is there and can get us past FV2.