Is anyone using a management account for FileVault?

jkanter
New Contributor

We want to push an encryption policy that does both "management Account" and "current or next user" functionality. We want the user to be the only one to decrypt the device, but if they forget their password or something else happens, we want to be able to unlock it. We have an institutional key, but the problem is that most of our users are at home, often in countries with no IT hands, and we don't want to have to give out our Key every time a user forgets their password.

Our thoughts were to create a script configuring FDE through command line that adds a management account along with the user account. Seems needlessly complicated though.

Any suggestions?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Why would you not be able to use the individual Mac's Recovery key to help the remote user log in? The advantage of the Recovery Key is that it applies to only that one Mac. I would agree you definitely don't want to give anyone your institutional key - bad idea for sure. But the individual recovery key I'd be much less worried about giving someone. Just instruct them to NOT write it down anywhere.
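
An added example, not from any poster in this thread, of the follow-up a practitioner would want once that per-Mac key has been read out to a remote user: the key is now known to someone else, so rotate it. It assumes a Mac with fdesetup, that it is run as root in an interactive session on that Mac, and that the new key is escrowed by your MDM's FileVault profile; the function names are chosen for this example.

```shell
#!/bin/bash
# Added example, not from the thread. Once a Mac's personal recovery key (PRK)
# has been read to a remote user to get them past the FileVault pre-boot
# screen, treat that key as disclosed and rotate it. Run as root on the Mac,
# interactively, after the user is back in.
# Assumptions: macOS with fdesetup; the replacement key is escrowed by your
# MDM's FileVault profile. Function names are chosen for this example.
set -eu

# Sanity-check the shape of a PRK before reading it out: six groups of four
# uppercase letters or digits, dash-separated (XXXX-XXXX-XXXX-XXXX-XXXX-XXXX).
prk_looks_valid() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'
}

# Accounts able to unlock the disk. Each one is offered at the pre-boot
# screen, which is why a management account should not be in this list.
list_fv_users() {
    fdesetup list | cut -d, -f1
}

# Rotate the PRK. fdesetup prompts for an enabled user's credentials and
# prints the replacement key; it goes to the escrow step, never to a log.
rotate_prk() {
    if ! fdesetup status | grep -q '^FileVault is On'; then
        echo "FileVault is off; nothing to rotate" >&2
        return 1
    fi
    if [ "$(fdesetup haspersonalrecoverykey)" != "true" ]; then
        echo "no personal recovery key on this Mac" >&2
        return 1
    fi
    # Pull the key out of fdesetup's output by shape rather than relying on
    # the exact wording of the surrounding message.
    new_key=$(fdesetup changerecovery -personal \
        | grep -Eo '[A-Z0-9]{4}(-[A-Z0-9]{4}){5}' | head -n1 || true)
    if ! prk_looks_valid "$new_key"; then
        echo "no new key seen in fdesetup output; assume rotation failed" >&2
        return 1
    fi
    echo "PRK rotated; confirm the new key reached escrow before closing the ticket"
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--rotate" ]; then
    list_fv_users
    rotate_prk
fi
```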


7 REPLIES


jkanter
New Contributor

Thanks mm2270! I was way overthinking it....

alexjdale
Valued Contributor III

I would also avoid adding any management accounts to FV because they will appear at the login screen. I'm already not happy that the user's name appears there (it could be used for social engineering purposes).

mm2270
Legendary Contributor III

> I would also avoid adding any management accounts to FV because they will appear at the login screen. I'm already not happy that the user's name appears there (it could be used for social engineering purposes).

Completely agree on this one. We've already asked Apple back when Mountain Lion shipped if they could please allow for us to change the FV2 PreBoot screen to Username & Password fields. At first glance it doesn't appear Mavericks has added this capability, which is very disheartening. Apparently Apple doesn't care to change this. My concern, in addition to social engineering, is that half the work in getting into a computer is knowing the username, the other half the password. So Apple has made it so if you use FileVault 2, someone getting at your Mac already knows half your secret. This makes zero sense to me from a security standpoint.

tkimpton
Valued Contributor II

That's why I'm using Sophos SafeGuard until Apple changes it :(

JPDyson
Valued Contributor

@tkimpton Good luck updating firmware! I kicked Sophos to the curb; FileVault has been superior in every way.

tkimpton
Valued Contributor II

Yep, but I'm 100% security conscious and knowing even the username is a big no-no!