Secure Token is Disabled for a User

Secure Token Disabled for a User

IT admins are grappling with how to manage Mac users and systems after all the changes to macOS® High Sierra. One specific example of a change made to macOS High Sierra is that Secure Token is disabled for a user. This problem affects the usage of FileVault® because without a Secure Token, users are unable to manage a FileVault volume. Essentially, this means users can not enable, disable, or decrypt the FileVault volume.

Unintended Consequences of Secure Token and FileVault® for IT

Unintended Consequences of Secure Token and FileVault for IT

Apple® created this issue seemingly from a place of benevolence. Apple intended to both increase the security of FileVault while reducing the number of steps needed to enable full-disk encryption for users. This resulted in fundamental changes with regard to how user management works within macOS. With the release of High Sierra, Apple introduced a system that requires users to have a Secure Token in order to use FileVault. This Secure Token was granted to the first user created on the Mac system. Additional users would be granted a Secure Token only if their user account was created locally by the first user. This essentially creates a chain-of-trust that ensures only additional users approved of by the first user are given access to the FileVault volume (essentially data) on a given macOS High Sierra system.

How Can a Chain-of-Trust Create Animosity?

How can a chain-of-trust create animosity

The problem admins will come to discover is that identity management systems create users remotely, not locally, which has effectively broken any instances managing Mac systems with FileVault enabled via Microsoft® Active Directory® (MAD or AD). This is just another instance in a long line of instances where Active Directory has struggled to manage Mac users and their systems. IT admins are now the ones in the crosshairs, because they are no longer able to create users by utilizing APIs or network-based tools . Instead, they’re forced to go host-by-host in order to properly manage Mac users. This, of course, is far from an ideal solution, especially as we consider that the usage of Macs within the enterprise is rising.


That’s (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Ryan Squires. Read the original post at: