High Sierra and FileVault® Compatibility Issues


Many IT admins have faced a barrage of issues managing Mac® users and systems as they upgrade to macOS® High Sierra. One such issue is that High Sierra makes it difficult to turn on FileVault®, the disk encryption feature built into macOS, for a user. The error is a side effect of a new mechanism Apple® introduced in High Sierra called Secure Token.

While this issue is certainly a nuisance, there is a solution that can enable FileVault across a fleet of Mac systems. Before we dive into the solution, though, we should first explore what the problem is. Let's take a look at how Apple is thinking about full disk encryption and user management.

Taking a Step Back


Historically, Apple has allowed IT admins to remotely create, modify, and delete users, and to enable FileVault (macOS' full disk encryption feature) on compatible volumes. FileVault encrypts the contents of the startup volume at rest; once it is on, only a user who has been authorized for FileVault can unlock the disk at boot, so local files stay protected if the Mac is lost or stolen. Apple evidently decided that the process for authorizing users for FileVault was not secure or easy enough, so it changed that process in the High Sierra release of macOS. Those changes were substantial, and while they may have addressed some issues, they created many others.

The Problem Between High Sierra and FileVault

With macOS High Sierra, a user can only be enabled for FileVault if the account holds a Secure Token, and a Secure Token can only be granted by an account that already holds one (typically the first administrator created during setup). The token is not granted automatically to users created via conventional remote command line methods, because granting it requires the password of an existing token holder to authorize the grant; such users must instead be created locally, or have the token granted to them explicitly by a token holder. This effectively "breaks" traditional API-driven Mac identity management solutions such as Microsoft® Active Directory® (AD). Accounts created through remote API calls and network users aren't granted a Secure Token, and the result is the message that High Sierra could not turn on FileVault for the user.
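As an added example (not code from the original post or from JumpCloud), here is the check-and-grant step that follows from the mechanism above, scripted with the macOS 10.13+ commands sysadminctl and fdesetup. The account names and passwords (admin, jdoe) are placeholders, the sysadminctl status line used for the offline demonstration is constructed, and the plist follows the format fdesetup documents for `add -inputplist`.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks whether a local account
# holds a Secure Token, grants one from an existing token holder if not, and then
# enables the account for FileVault. Account names and passwords are placeholders.

# Parse the status line that `sysadminctl -secureTokenStatus <user>` prints
# (e.g. "sysadminctl[412:9876] Secure token is ENABLED for user admin").
# Echoes "enabled", "disabled" or "unknown".
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Live check on a Mac: sysadminctl reports on stderr, so merge it into stdout.
secure_token_status() {
    parse_secure_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Grant a Secure Token to $3 using the credentials of $1, an existing token holder.
# This is the step that cannot happen implicitly for remotely created accounts:
# without a token holder's password there is nobody to authorize the grant.
# Caveat: both passwords are visible in `ps` while the command runs, so never
# bake them into a script shipped to a fleet; prompt for them at run time.
grant_secure_token() {
    sudo sysadminctl -adminUser "$1" -adminPassword "$2" \
        -secureTokenOn "$3" -password "$4"
}

# Build the plist that `fdesetup add -inputplist` reads on stdin: an already
# FileVault-enabled user ($1) authorizes adding $3. Feeding it on stdin keeps the
# passwords out of the process list. Passwords containing XML metacharacters
# (&, <, >) would need escaping first; this example assumes they do not.
filevault_add_plist() {
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0"><dict>' \
        "  <key>Username</key><string>$1</string>" \
        "  <key>Password</key><string>$2</string>" \
        '  <key>AdditionalUsers</key><array><dict>' \
        "    <key>Username</key><string>$3</string>" \
        "    <key>Password</key><string>$4</string>" \
        '  </dict></array>' \
        '</dict></plist>'
}

# Enable $3 for FileVault (FileVault must already be turned on for the volume).
enable_filevault_user() {
    filevault_add_plist "$1" "$2" "$3" "$4" \
        | sudo fdesetup add -usertoadd "$3" -inputplist
}

# Full procedure: grant the token if it is missing, then add the user to FileVault.
enable_filevault_for_user() {
    admin="$1"; admin_pw="$2"; target="$3"; target_pw="$4"
    if [ "$(secure_token_status "$target")" != enabled ]; then
        grant_secure_token "$admin" "$admin_pw" "$target" "$target_pw" || return 1
    fi
    enable_filevault_user "$admin" "$admin_pw" "$target" "$target_pw"
}

# Offline demonstration with a constructed status line (no Mac needed):
parse_secure_token_status 'sysadminctl[412:9876] Secure token is DISABLED for user jdoe'
# On a Mac, the real run is:  enable_filevault_for_user admin 'adminpw' jdoe 'jdoepw'
```

The important design point is the dependency the script makes explicit: nothing in it can succeed without the password of an account that already holds a Secure Token, which is exactly why an account created by a remote API call or a network login never ends up FileVault-enabled on its own.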


For IT admins, this is a real headache. As if (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Katelyn McWilliams. Read the original post at: https://jumpcloud.com/blog/mac-management/high-sierra-and-filevault-compatibility-issues/