Mavericks FileVault 2

dooley_do
New Contributor

Hi,

I am evaluating the product at the moment and have a few questions around this...

  • If a user has enabled FileVault previously and only enabled their own user account as a FV2 user, can I get Casper to remediate this by either enabling the admin account as a FV2 user or capturing the existing recovery key?
  • If I wish to deploy a local admin account to all Macs for technicians to use, how can I ensure that this account is enabled for FV2 on all machines? In the Windows world we don't use local admin accounts at all, as the TPM-based encryption still allows the system to boot without needing a password. This seems like it might be tricky to manage, as the usual procedure is that technicians are in an admin AD group and so can log on as an admin, but as we can't pre-enable all of them as FV2 users they wouldn't be able to log on if the system owner wasn't around.
  • Am I asking for trouble, and would it be better to decrypt existing encrypted machines and let Casper handle it from start to finish?

Thanks


Olivier
New Contributor II

"can I get Casper to remediate this by either enabling the admin account": in our company, we use a script with a GUI that nags the user for his domain password, then temporarily passes the info to a plist file, used as an argument for the fdesetup binary. This adds our administrative account to the list of existing FV users (we do not use the built-in Jamf FV feature to add users or anything like this).

This way, it supports both scenarios: FV enabled by users themselves, and FV enabled by Casper.

Apple removed in 10.9.x the ability for a script running as root to add/remove users from the list of FV users. So now, you can maintain this list only if you know the recovery key, or the password of one of the users already in the FV user list :-(.

Our IT technicians have access to a home-made web interface (access limited by AD group, obviously), where they can generate unique-per-computer passwords for this administrative account, to unlock disks without having the user's password, and to avoid having a generic admin password that may be used on all of our Macs.

Adding technicians directly to the list of FV users on each machine is not feasible.
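The approach Olivier describes (prompt the user for a password, hand fdesetup a plist naming the admin account to add) can be done without leaving the password in a file on disk, since `fdesetup add -inputplist` reads the plist from stdin. The script below is an added example, not Olivier's script or anything from Jamf; it assumes the real macOS `fdesetup` subcommands `add -inputplist` and `list` (one `name,UUID` line per enabled user), and the user names `jdoe` (an existing FileVault user) and `itadmin` (the technician account) in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Olivier's script, not Jamf code): build the plist that
# `fdesetup add -inputplist` reads and feed it over stdin, so the passwords are
# never written to disk or passed as command-line arguments (visible in `ps`).
# "jdoe" and "itadmin" in the usage at the bottom are constructed placeholders.

# xml_escape STRING: escape the characters that would break the plist XML
# (a password containing & or < must not corrupt the document).
xml_escape() {
  printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# build_add_plist UNLOCK_USER UNLOCK_PASS NEW_USER NEW_PASS
# Prints the plist fdesetup expects. UNLOCK_USER must already be a
# FileVault-enabled user (the password Olivier's GUI prompt collects);
# NEW_USER is the local admin account to enable.
build_add_plist() {
  local unlock_user unlock_pass new_user new_pass
  unlock_user=$(xml_escape "$1"); unlock_pass=$(xml_escape "$2")
  new_user=$(xml_escape "$3");    new_pass=$(xml_escape "$4")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$unlock_user</string>
  <key>Password</key>
  <string>$unlock_pass</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key>
      <string>$new_user</string>
      <key>Password</key>
      <string>$new_pass</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# fv_user_enabled USER: succeed if USER already appears in `fdesetup list`.
fv_user_enabled() {
  fdesetup list 2>/dev/null | cut -d, -f1 | grep -qx "$1"
}

# ensure_fv_user UNLOCK_USER UNLOCK_PASS NEW_USER NEW_PASS
# Adds NEW_USER to the FileVault user list if it is missing; must run as root.
# Verifies afterwards instead of trusting the exit code alone.
ensure_fv_user() {
  if ! command -v fdesetup >/dev/null 2>&1; then
    echo "fdesetup not available on this host" >&2
    return 2
  fi
  if fv_user_enabled "$3"; then
    echo "$3 is already a FileVault-enabled user"
    return 0
  fi
  build_add_plist "$@" | fdesetup add -inputplist || return 1
  fv_user_enabled "$3"
}

# prompt_secret PROMPT: read a password from the terminal without echoing it.
prompt_secret() {
  printf '%s' "$1" >&2
  stty -echo; read -r secret; stty echo; printf '\n' >&2
  printf '%s' "$secret"
}

# Usage on the Mac, as root:  FV_RUN=1 ./fv_add_admin.sh jdoe itadmin
if [ "${FV_RUN:-0}" = 1 ]; then
  unlock_pass=$(prompt_secret "Password for FileVault user $1: ")
  new_pass=$(prompt_secret "Password for $2: ")
  ensure_fv_user "$1" "$unlock_pass" "$2" "$new_pass"
fi
```

The check with `fdesetup list` before and after the add is what makes this safe to run repeatedly from a policy: it does nothing when the account is already enabled and fails loudly when fdesetup accepted the plist but the account did not appear. Per-machine admin passwords, as Olivier's web interface generates, are the piece this script deliberately leaves to the caller.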

dooley_do
New Contributor

Thanks Olivier, it looks like as long as Casper initiates the encryption (which will be the case in 99.9% of scenarios) I can create and update a local admin user which is FV2 enabled via Casper. The difficult bit is going to be managing that local admin password!

btaniyama
New Contributor

Any chance you could share that script Olivier? Sounds very similar to what we're trying to do.

thuluyang
New Contributor III

I will answer as much as I can:
1: It depends. If you have the recovery key in the JSS, it is possible. Otherwise it is not possible to enable the admin account unless you know the current user's password, which is also impossible. You might want to check the fdesetup command in OS X. The recovery key can only be captured once the machine starts to encrypt. It is not possible to get it afterwards.
2: First you need to create a configuration profile which will redirect the recovery key automatically to the JSS. Then you can use a policy to add a local admin user; remember to add it to FV2 and allow it to administer the computer.
3: If you want to prevent the user from unlocking FV2, you can use configuration profile -> Restrictions -> Restrict items in System Preferences, and choose Security & Privacy.
4: Definitely, decrypting first is the best solution I know of.
Let me know if you have any more questions.