When Apple® introduced FileVault® years ago, IT admins were thrilled. When it comes to security mechanisms, a way to automatically encrypt a drive is a powerful tool. Over the years, Apple has continued to evolve its functionality, and most recently has made big changes with macOS® High Sierra. By combining Secure Token and FileVault, Apple has almost completely revamped how disk encryption and user management work.
The Result of Combining Secure Token and FileVault
This combination now forces every user to have a valid Secure Token in order to be able to interact with FileVault. At first glance, that doesn’t seem too bad. Fundamentally, the idea is that a user created on the system should have been created properly and by design. In other words, Apple was driving the process towards creating users locally on the machine rather than through the methods that IT management tools have leveraged in the past.
The problem is that Apple broke the path for IT management tools (such as identity providers and directory services) to create users, and instead forces those users to be created locally on each machine. This has the potential to be an administrative nightmare. Users created via the command line or network users do not have a Secure Token, and therefore aren’t valid users in the eyes of macOS High Sierra. The result is that these users cannot properly interact with FileVault, which serves up quite the plateful of problems for IT admins.
For IT admins that leverage Microsoft® Active Directory® (MAD or AD) or other similar directory services, the ability to create and manage macOS users with FileVault enabled has been broken. That means that IT admins will need to manually go host-by-host, resolving user management issues and giving the user a valid Secure Token. Of course, that’s not a viable method for macOS user or system management for organizations with Mac fleets of considerable size.
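Before going host-by-host, an admin first needs to know which accounts on a given Mac lack a Secure Token and which are already FileVault-enabled. The audit script below is an added example, not code from the original post or from JumpCloud; it wraps the real macOS tools `sysadminctl -secureTokenStatus`, `fdesetup list` and `dscl`, and the helper functions, report format and sample strings are assumptions of this example. The live audit only runs as root on macOS 10.13 or later; the parsing helpers can be exercised anywhere.

```shell
#!/bin/sh
# Audit local macOS accounts for Secure Token and FileVault status.
# Added example (not from the original post). Helper names are this example's own.

# Classify the text that `sysadminctl -secureTokenStatus <user>` writes (on stderr).
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Given `fdesetup list` output ("user,UUID" per line), succeed if user is FileVault-enabled.
fv_enabled() {
  printf '%s\n' "$1" | cut -d, -f1 | grep -qx "$2"
}

# One report line per user. Inputs are passed in so this can be tested offline.
# A user without a Secure Token cannot be added to FileVault, so flag DISABLED.
report_line() {
  user=$1
  tstate=$(token_state "$2")
  if fv_enabled "$3" "$user"; then fv=yes; else fv=no; fi
  flag=""
  [ "$tstate" = DISABLED ] && flag=" NEEDS-SECURE-TOKEN"
  printf '%s token=%s filevault=%s%s\n' "$user" "$tstate" "$fv" "$flag"
}

# Walk every non-system local account (UID >= 500) and report on each.
audit_host() {
  fvlist=$(fdesetup list 2>/dev/null)
  for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    status=$(sysadminctl -secureTokenStatus "$u" 2>&1)
    report_line "$u" "$status" "$fvlist"
  done
}

# Only run the live audit where the tools exist and we have the privilege to use them.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
  audit_host
fi
```

Accounts reported as `token=DISABLED` are the ones that need a Secure Token granted by an existing token holder before they can be enabled for FileVault.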
An Automated Solution
*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Zach DeMeyer. Read the original post at: https://jumpcloud.com/blog/secure-token-filevault/