If someone were to lose their Mac and we issue the lock command, we know that device would be locked down and inaccessible.
The question is, if someone were to physically remove the SSD from the locked machine and install it into another machine, would the EFI still be applied? Would the OS load?
Wondering if anyone has come across this before. Is there a way to programmatically force the user to log in using a FileVault recovery key if they removed the SSD and installed it into a new machine, rather than just being prompted for the FileVault password first?
The idea that all an "attacker" would need to do is phish the local account password from the user prior to stealing the machine, remove the SSD, install it into a new machine, and then they can access all the data doesn't seem too secure to me.
The question is if someone were to physically remove the SSD from the locked machine and install it into another machine. Would the EFI still be applied? No. Would the OS load? Yes, it would boot to the OS, or to FileVault if enabled.
Newer machines also have that memory soldered onto the board, which doesn't make it impossible to boot from, but a bit harder.
They also include a T2 chip, which interacts with the encryption - https://support.apple.com/en-us/HT208344
Data on the built-in, solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine built into the Apple T2 chip. This encryption is performed with 256-bit keys tied to a unique identifier within the chip.
Duo has a great writeup of that encryption here.
That being said, we wipe lost machines and then have DEP run a workflow to auto-enroll with no login, just for those machines, with info in the banners saying "THIS MACHINE IS LOST - Phone Number" (in the number field).