Management account for access any time.

aalberty
New Contributor III

We currently have JSS set up so that a local admin account is made on all machines at enrollment. We also have a login configuration profile set to Username and Password text fields, and have fast switching disabled (unclear to me if this is causing the issue or not). We have FV2 encryption enabled on all machines as well. Unfortunately, it came to my attention today that if a user does anything OTHER than logging out via the Apple menu, then when you try to unlock the machine, you are not able to try logging in as a different user (aka the management account that I want to be able to access their machine with). Any thoughts on how to get around this?

My knee-jerk is to try using a policy to force a logout when a user shuts off their machine, but I'm not sure this would work when you just hold the power button to turn off the machine. Another thought would be adding the local admin that management uses as an FV2-enabled user? I've been doing some digging on this, but shy of manually going to each Apple machine and logging in on the management account to trigger FV2, I'm not sure how to achieve this.


2 REPLIES (accepted solution: mm2270)

mm2270
Legendary Contributor III

I may not be clearly understanding things, but the way FileVault 2 works is that only an enabled FV2 account (local account on the Mac that's been added to the authorized list) will show up as an account to "unlock" the Mac at boot time and continue the login. I wasn't sure if that's what you're referring to when you say "when you try to unlock the machine" above, but if so, that's expected behavior. The only way your local admin account would show up in that initial FV2 login screen would be to add that to the authorized FV2 user list.

Barring that, an authed user would need to first unlock the Mac and then when it gets to their Desktop you can log out using the Apple menu and log into that admin account, just as you mentioned.

aalberty
New Contributor III

@mm2270 I kind of figured that was the issue after a little more digging last night. I was looking for a way to try to enable the existing admin account as an FV2 user in a more automated way - the only way I currently know of would be the same way that we do the users. Trigger the FV2 prompt on their login and have them run through it, and escrow their key in JSS. Would this mean that I have to go to each machine and log in as the admin account? There has to be a more elegant way to do this. I'll keep digging on my own, but if you could point me in the right direction, I would really appreciate it.

edit: Derp. You can make a policy for it. Thanks for the help!
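Whatever policy enables the management account for FileVault 2, the next thing an admin wants is a way to verify across the fleet that the account actually landed on the authorized list, since a machine where it did not will still show only the end user at the pre-boot unlock screen. The script below is an added example (not code from this thread or from Jamf) that does that check by parsing the output of `fdesetup list`, which on macOS prints one `username,GeneratedUID` line per FV2-enabled user and requires root. It is written so it can serve as the body of a Jamf extension attribute, which reports its value inside `<result></result>` tags. The account name `mgmtadmin`, the `MGMT_ACCOUNT` variable and the sample listing are assumptions and constructed sample data, used so the script also runs off a Mac.

```shell
#!/bin/sh
# Added example, not code from the thread: report whether a management account
# is already an enabled FileVault 2 user. Usable as a Jamf extension attribute,
# which expects the value wrapped in <result></result>.
# On macOS, `sudo fdesetup list` prints one "username,GeneratedUID" line per
# FV2-enabled user. The account name and the sample listing below are constructed.

MGMT_ACCOUNT="${MGMT_ACCOUNT:-mgmtadmin}"   # assumed management account name

# Constructed sample of `fdesetup list` output (fake UIDs), used off a Mac.
SAMPLE_LISTING='jdoe,12345678-ABCD-1234-ABCD-123456789ABC
asmith,87654321-DCBA-4321-DCBA-CBA987654321'

# fv2_enabled NAME LISTING: succeed (exit 0) only if NAME is an enabled FV2 user.
# Matching is on the whole first field, so "jdoe" does not match "jdoe2".
fv2_enabled() {
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# fv2_report NAME LISTING: print the extension-attribute style result line.
fv2_report() {
    if fv2_enabled "$1" "$2"; then
        printf '<result>Enabled</result>\n'
    else
        printf '<result>Not enabled</result>\n'
    fi
}

# On a Mac running as root, read the live listing; otherwise use the sample.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    LISTING="$(fdesetup list 2>/dev/null)"
else
    LISTING="$SAMPLE_LISTING"
fi

fv2_report "$MGMT_ACCOUNT" "$LISTING"
```

Run it as root on a Mac and it reports the live state; anywhere else it evaluates the constructed sample, where `jdoe` and `asmith` are enabled and `mgmtadmin` is not. Scoping a smart group on the "Not enabled" value gives the list of machines the policy still has to reach, without visiting each one.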