Apple®’s recent change to the process of adding users in High Sierra is dramatically upending the approach and processes for user management. By linking the Secure Token to FileVault®, Apple gives High Sierra users improved security, but at the cost of restricting the ease of use of user management systems. And, like all changes, this has created some friction for macOS® users and, subsequently, their IT admins. Although it has its benefits in the end, it certainly seems like robbing Peter to pay Paul. Luckily, there is a viable solution to the problem of enabling FileVault for High Sierra users, but first, let’s explore some of the problems macOS users have with FileVault enabled.
Two Sides to the Secure Token
Traditionally, IT admins have simply added a user through their on-prem identity provider, such as Microsoft® Active Directory® (MAD) or Open Directory (OD). Users would be subsequently created on the Mac® system. If those users needed FileVault, IT admins would need to enable that for the user. It was a fairly straightforward process, but one that certainly needed refinement to improve the overall user/admin experience.
In order to make the process more seamless and secure, Apple changed it so that only users created locally inherit the ability to have FileVault enabled. A user created via the command line or as a network user does not receive a Secure Token, the attribute that is required before a user can be granted access to FileVault. While it brings an added layer of security to Mac users, it comes with a sting.
Problems macOS Users have with FileVault Changes
What results is generally a big headache. The change breaks virtually all identity management processes, creating a great deal of manual work for IT admins. Users are flooding support request inboxes and forums to find a way to properly authorize their machines. Organizations that leverage MAD are essentially up the proverbial creek, with no foreseeable “paddle” to automate the process of reintroducing (and subsequently managing) users to the new FileVault format.
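Because the Secure Token is what gates FileVault enablement, the first thing an admin needs is a way to see which local accounts actually hold one. The following audit script is an added example, not code from the original post or from JumpCloud; it assumes macOS 10.13 or later and relies on Apple’s own `sysadminctl`, `fdesetup` and `dscl` tools, while `parse_token_status`, `secure_token_status` and `audit_users` are helper names chosen here.

```shell
#!/bin/bash
# Added example: report Secure Token and FileVault state for every local user.
# Assumes macOS High Sierra (10.13) or later, run from an admin account.

# sysadminctl writes its verdict to stderr, for example (constructed sample):
#   "sysadminctl[123:4567] Secure token is ENABLED for user alice"
# parse_token_status <text> -> prints ENABLED, DISABLED or UNKNOWN
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# secure_token_status <user> -> token state for a real local account
secure_token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# audit_users: one line per local account (UID >= 500) showing whether it
# holds a Secure Token and whether it is already enabled for FileVault.
# Accounts with secure_token=DISABLED are the ones that cannot be enabled
# for FileVault until an existing token holder grants them a token
# (sysadminctl -secureTokenOn <user> -password - -adminUser <admin> -adminPassword -).
audit_users() {
  local fv_users
  fv_users="$(fdesetup list 2>/dev/null)"   # prints "name,UUID" per enabled user
  dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r u; do
    tok="$(secure_token_status "$u")"
    if printf '%s\n' "$fv_users" | grep -q "^$u,"; then fv=yes; else fv=no; fi
    printf '%-20s secure_token=%-8s filevault=%s\n' "$u" "$tok" "$fv"
  done
}

# Only run the audit where Apple's tools exist (i.e. on a Mac).
if command -v sysadminctl >/dev/null 2>&1; then
  audit_users
fi
```

Network (MAD/OD) accounts that were never created locally will typically show `secure_token=DISABLED`, which is exactly the population the complaints above are about.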
A New Solution is
This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Zach DeMeyer. Read the original post at: https://jumpcloud.com/blog/problems-macos-users-filevault/