With the introduction of macOS® High Sierra, Apple® has broken the process for IT organizations managing macOS users with FileVault® enabled. This problem is challenging on a number of levels, but the most significant issue is that it renders traditional directory services and identity management solutions useless, while also requiring manual intervention.
Broken Process for Managing macOS Users with FileVault
Before we dig into a solution for managing macOS users with FileVault enabled, let’s step back and understand the problem. A few years ago, Apple created a disk encryption solution called FileVault. With device theft and privacy laws on the rise, it was certainly a welcome innovation.
The process to enable and disable FileVault was handled manually or through APIs, but it required a separate step outside of the process for adding a new user to a Mac® device. Apple has been working towards making the process of enabling and disabling FileVault easier, as well as increasing its security. These ease-of-use upgrades have culminated in their most recent macOS release, High Sierra, where users are automatically added to FileVault if it is enabled on the device. While this helped eliminate a step, Apple’s process for enabling this has completely broken the process of remotely creating and managing users on macOS machines.
IT admins leveraging directory services solutions, such as Microsoft® Active Directory® (MAD), can no longer automatically and remotely create a user on a Mac device that has FileVault enabled and then have that user successfully added to FileVault. For directory services solutions, the underlying problem is that every user created must have a Secure Token, and that token can only be granted by a locally created user that already holds one. The result is that IT admins must create users locally rather than leveraging their traditional IT management tools to manage users on macOS systems.
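An added example (not code from the original post or from JumpCloud) of the check an admin would want before rolling out directory-managed accounts: an audit of which local accounts already hold a Secure Token and which are FileVault-enabled, so the token gap described above is visible per machine. It assumes macOS 10.13+ with `sysadminctl -secureTokenStatus`, `fdesetup list` and `dscl`; the exact wording of the sysadminctl message ("Secure token is ENABLED for user …") is an assumption.

```shell
#!/bin/sh
# Normalise one sysadminctl status message to ENABLED / DISABLED / UNKNOWN.
# Assumption: sysadminctl prints "... Secure token is ENABLED for user NAME"
# (or DISABLED) on stderr, so callers pass it with 2>&1.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Query the live system for one account (macOS 10.13+ only).
secure_token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# fdesetup list prints "username,UUID" per FileVault-enabled user;
# return YES/NO for the given account from that list (list passed in
# so the function can be exercised with constructed input off-box).
filevault_enabled() {
  user="$1"; list="$2"
  printf '%s\n' "$list" | grep -q "^${user}," && echo YES || echo NO
}

# Walk local accounts with uid >= 500 and report both properties.
# Accounts that are FileVault-enabled but lack a Secure Token are the
# ones that were pushed remotely and need a local token holder to fix.
audit_accounts() {
  fv_list="$(fdesetup list 2>/dev/null)"
  printf 'user\tsecure_token\tfilevault\n'
  dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' |
  while read -r u; do
    printf '%s\t%s\t%s\n' "$u" "$(secure_token_status "$u")" \
      "$(filevault_enabled "$u" "$fv_list")"
  done
}
```

Run `audit_accounts` on a Mac as an administrator; any row showing `DISABLED` alongside `YES` is an account that cannot unlock the volume at boot despite appearing in FileVault.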
Seamless Solution with Remote Automation
Obviously, manual management over a fleet of Macs is simply not scalable. JumpCloud’s Directory-as-a-Service® platform has solved this problem, however, as it can remotely create and manage macOS users that have FileVault enabled. Furthermore, this solution (Read more...)
*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by George Lattimore. Read the original post at: https://jumpcloud.com/blog/mac-management/managing-macos-users-with-filevault/