non-admin users able to disable filevault themselves??

justin
New Contributor

so I got a notice today from the JSS saying that a user's machine had filevault disabled. I did not disable it, so i went to investigate.. the user said "oh yeah, this morning i was impatient waiting for my computer to boot, so i shut it off, and then i turned it back on and it gave me 3 options about logging in...so i put in my password and then it restarted and i could log in again!" so i walked through the steps, and what she did was reboot to the recovery partition, where entering her user password decrypted the drive and removed it from filevault and rebooted the machine.

this is the first im seeing this, am i crazy for thinking this is something that apple seriously overlooked or something? I don't want users to be able to completely disable filevault! i don't let them do that through system preferences, why would i want them to through recovery?

3 REPLIES 3

Josh_Smith
Contributor III

Interesting. There are too many things that can be done to the Mac if you don't have an EFI password in place, I certainly see it as a requirement in our environment.

rderewianko
Valued Contributor II

There are many ways a user can disable filevault. Unfortunately from experience the best method is policy, making sure they know filevault must be enabled,

Further implementing something like: https://github.com/loceee/OSXCasperScripts/tree/master/FVHelper can help.

Now to disable access to recovery, putting in a firmware password goes a long way.. When the machines booted, there are three or four different ways. Fdesetup, disk utility, right clicking "decrypt" or going into security & preferences..
a few of those don't require admin access to do so.
- RD

rtrouton
Release Candidate Programs Tester