Posted on 08-19-2014 01:44 PM
Excuse my ignorance…
I have a pilot group for FileVault on some Mavericks MacBooks. I have a couple of questions.
I apparently mistakenly understood that only pre-ordained users could unlock a FileVault encrypted drive. In testing, I find that even non-admin account holders can access the drive. Is this expected? Have I done something wrong?
It looks like any admin can turn FileVault off on a system. I pushed this out as a configuration profile. How can I prevent my users from disabling it?
Posted on 08-19-2014 02:01 PM
Filevault will allow:
Anyone setup as a defined user to login (admin or not)
Anyone with the Personal Key
Upon boot, it does show who can unlock the machine by name. If x isn't on that list x isn't unlocking that machine.
An end user, if they're savvy enough, can disable FileVault via diskutil, but typically disabling access through a config profile to Security & Privacy (I'd also disable access to Profiles) will lock the average user out from disabling FileVault.
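The reply above says that anyone set up as a defined FileVault user can unlock the disk, admin or not, and that the boot screen lists them by name. The script below is an added example (not from this thread or from Apple) of auditing that list from an admin's side: it compares the accounts that `fdesetup list` reports as FileVault-enabled against an approved set and flags any that should not be there. The approved user names and the sample `fdesetup list` / `fdesetup status` output are constructed, so the script runs offline; on a real Mac run it as root and it will use the live output instead.

```shell
#!/bin/sh
# Added example: audit which accounts are enabled to unlock a FileVault 2
# volume and flag any that are not on an approved list.
# The sample data below is constructed in the same "shortname,UUID" format
# that `fdesetup list` prints, so the script runs without a Mac.

SAMPLE_FDE_LIST='admin,8F3A1C2E-0000-0000-0000-000000000001
jdoe,8F3A1C2E-0000-0000-0000-000000000002
contractor,8F3A1C2E-0000-0000-0000-000000000003'

# Accounts that are supposed to be able to unlock the disk (constructed).
APPROVED_USERS="admin jdoe"

# Print each FileVault-enabled user that is not in the approved list.
# Returns 0 when every enabled user is approved, 1 otherwise.
find_unexpected_fde_users() {
    input="$1"
    approved="$2"
    status=0
    # Take the shortname field of every "shortname,UUID" line.
    for user in $(printf '%s\n' "$input" | cut -d, -f1); do
        case " $approved " in
            *" $user "*) ;;                       # approved, nothing to report
            *) printf '%s\n' "$user"; status=1 ;; # not approved, flag it
        esac
    done
    return $status
}

# Collapse `fdesetup status` output ("FileVault is On." / "FileVault is Off.")
# to a short token so it can be checked easily.
fde_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Use live data only when running as root on a machine that has fdesetup;
# otherwise fall back to the constructed sample.
if [ "$(id -u)" = 0 ] && command -v fdesetup >/dev/null 2>&1; then
    list_output="$(fdesetup list)"
    status_output="$(fdesetup status)"
else
    list_output="$SAMPLE_FDE_LIST"
    status_output="FileVault is On."
fi

echo "FileVault: $(fde_state "$status_output")"
unexpected="$(find_unexpected_fde_users "$list_output" "$APPROVED_USERS")" || \
    echo "Unexpected FileVault users: $unexpected"
```

With the constructed sample this reports `contractor` as an unexpected FileVault user; on a managed fleet the same check can be run as a policy script and the result written to an extension attribute so the inventory shows which machines have drifted from the intended unlock list.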
Posted on 08-19-2014 05:06 PM
Boot from the Recovery Partition or an external drive and you can unlock it with an Admin password through Disk Utility.
You can also change the admin password through the Terminal when booted from the Recovery partition. So this could be a security risk.
Posted on 08-20-2014 05:08 AM
@rderewianko
Thank you.
RE: "An end user, if they're savvy enough, can disable FileVault via diskutil, but typically disabling access through a config profile to Security & Privacy (I'd also disable access to Profiles) will lock the average user out from disabling FileVault."
If I create a configuration profile that locks users out of "Profiles", they also get locked out of several other Preference Panes that we install, such as Symantec and Flash. I can enable everything that ships in the OS, plus MySQL and Java, but I see no way to selectively prevent Profiles, while allowing Pref Panes that may not be in the list.
Posted on 08-20-2014 05:43 AM
In order to unlock or decrypt a FileVault 2-encrypted disk, you need one of the following:
When the machine is booted, Apple blocks standard users from decrypting the encrypted boot drive:
Because you run as the root user when booted from the Recovery HD partition, that block will not apply.
If you want to block folks from disabling FileVault via System Preferences, Greg Neagle has created a profile that disables the Turn off FileVault button in System Preferences' FileVault preference pane.
http://managingosx.wordpress.com/2014/05/21/preventing-users-from-disabling-filevault-2/
That said, ultimately FileVault 2's focus is on keeping unauthorized users out, not on keeping authorized users in. If someone who can log in to a FileVault 2 encrypted machine is determined to be decrypted and if they have access to Google along with admin rights and/or the ability to boot to Recovery HD, they will figure out a way to decrypt their machine.
My advice for this situation is:
Posted on 08-20-2014 05:55 AM
Kevin wrote:
If I create a configuration profile that locks users out of "Profiles", they also get locked out of several other Preference Panes that we install, such as Symantec and Flash. I can enable everything that ships in the OS, plus MySQL and Java, but I see no way to selectively prevent Profiles, while allowing Pref Panes that may not be in the list.
This can be resolved by following the instructions here: https://jamfnation.jamfsoftware.com/article.html?id=204
I had to do this for a Wacom pref pane. Works as expected.
Posted on 08-31-2014 11:36 PM
I suspect you are asking how to prevent users from unlocking their FileVault 2.
You can use Configuration Profile -> Restrictions -> Restrict items in System Preferences, and choose Security & Privacy.