No more zero touch with Catalina if you use FV

gachowski
Valued Contributor II

I just found this...

"In order to prevent attackers enabling FileVault with a secret key via fdesetup, a possible avenue for a ransomware attack, Apple have introduced a new prompt that requires user approval before FileVault can be used to encrypt the drive programmatically."

From...

https://www.sentinelone.com/blog/7-big-security-surprises-coming-to-macos-10-15-catalina/

And in my testing I am see the prompt twice.. once when fdesetup is set to defer and once when the user enables.

C

22 REPLIES 22

talkingmoose
Honored Contributor II
Honored Contributor II

I haven't reviewed these new security features in Catalina, but the prompt in the screenshot looks very much like PPPC. If that's the case, Jamf Pro will likely include those new security settings in its PPPC Configuration Profile payload for the release or Catalina.

allanp81
Valued Contributor

There's not a lot you can do these days that doesn't involve a user having to say yes. They might as well just remove MDM/enterprise features and just let people do what they want.

allanp81
Valued Contributor

There's not a lot you can do these days that doesn't involve a user having to say yes. They might as well just remove MDM/enterprise features and just let people do what they want.

ThijsX
Valued Contributor
Valued Contributor

Hmm i read here and there that profile based enablement of FV not will be affected, but the FDESETUP through CLI will not accept blank password/username anymore, or in some way like that.

allanp81
Valued Contributor

@txhaflaire I thought that was the case already with Mojave anyway. It's certainly what I've seen if you want to apply a securetoken to a new or existing user via the cmd (if you don't know the user's password).

sdagley
Honored Contributor III

@allanp81 I'm taking the optimistic view like @talkingmoose and expect we'll have a way to approve it via Configuration Profile. If not, there are ways to "encourage" your users to approve the things required to make a Mac meet your compliance requirements with scaling levels of subtlety.

gachowski
Valued Contributor II

In my testing and in what I have read. Using a profile still use fdesetup and there is no workaround. I think our security team and onsite teams would laugh me out of the room if I suggested that deploying machines unencrypted and then "encouraging" users to encrypt later. In fact, we auto wipe our machines if the FV key isn't reported back to Jamf after enrollment.

C

Chris
Valued Contributor

From what I've seen, using a profile does not trigger the prompt.

gachowski
Valued Contributor II

@Chris

What build of Catalina?

C

Chris
Valued Contributor

19A471t, haven't tried the latest one yet

gachowski
Valued Contributor II

@Chris

Strange... I tested on the same build and I am seeing the same with yesterdays build.

C

Chris
Valued Contributor

Maybe you still have an FV deferral active on your testbox that was created by fdesetup before you applied the profile?
Try

sudo fdesetup disable

and re-apply the profile?

dpodgors
Contributor

I pulled the policy that was setting the FV on and I'm only relying on the Config Profile. The problem I have now is, at logout, it requires the user to put in their password before FV is enabled. The user can hit cancel and FV will be off.

So I finally typed my password and now the screen just is blank, which I'm assuming is the FV encrypting the drive. Users will not find this beneffical and force a hard boot.

gachowski
Valued Contributor II

The current beta resolved my issue..

ThijsX
Valued Contributor
Valued Contributor

@gachowski With a profile it works now? please describe :)

scottb
Honored Contributor

@gachowski - I'm in the beta as well...just getting rolling. Are you just using the simple built-in for FV testing here?

gachowski
Valued Contributor II

Yep, I test both the profile and the built-in policy and both worked that said I have been out since the after it was released so I don't have the best memory ... working on a different issue today but hopefully, I can get back to test FV tomorrow.

C

edickson
Contributor

Unfortunately for me, working with non-IT managers, they still want us sitting with the users while going through the DEP process. Kinda defeats the purpose of DEP but clicking through login prompts is easy.

tlarkin
Honored Contributor

tested a clean install of beta 5 today in a VM. Did not prompt for FV2 and it applied like it should for me

devoted_lkrygsm
New Contributor II

@tlarkin , I have a script that I use to fix the Secure Tokens for our IT-Admin type account and it ATTEMPTS to activate FV, but it never succeeded in being zero touch in Catalina OR Mojave--the user would get caught by our configuration profile fall-back where they have to input their password on the first restart.

This, although annoying, worked okay for Mojave, but while the profile fires on Catalina for me, and I put in my password, the drive doesn't actually encrypt, so now none of my methods are working.

Would you mind sharing the script/method you're using to enable FV2 for Catalina (and earlier) via Profile? I would greatly appreciate it!

tlarkin
Honored Contributor

I am just using the config profile to force FV2 to be enabled and enforced at next boot. That is it. Then in my DEP Notify workflow the last thing I do is apply all OS and security patches and force a reboot. User reboots, logs in and is prompted to enable FV2. That is all I am doing.

petestanley
New Contributor III

I'm seeing the same behaviour as @Chris, using a profile prompts users in the same way it always has - Ask for password once.