As usual, the Der Flounder blog alerts me to new information that may have a significant impact on our environment:
Yosemite’s FileVault 2 pre-boot recovery options
I'm most concerned about the third option ("My keyboard isn't working"), since it allows any FileVault-enabled user to decrypt the drive by supplying their password (side note: how is one supposed to enter their password if their keyboard is not working???). Since the Security and Privacy System Preferences pane is locked, there previously was no way for non-admin users to do this (we also have firmware passwords enabled to prevent them from doing it via the Recovery HD).
Is anyone else concerned about this? If so, does anyone have ideas on how to prevent users from being able to do this? The only thing I can think of is removing the Reset Password Wizard app/binary from the Recovery HD, but that seems rather extreme, with potentially unwanted side effects.
Thanks!
Eric