FileVault 2 not automatically enabling new AD mobile users

Originator: rtrouton
Number: rdar://13888282    Date Originated: 14-May-2013 01:50 PM
Status: Closed    Resolved: 31-May-2013
Product: OS X    Product Version: 10.8.3 Build 12D78
Classification: Security    Reproducible: Always

Summary:

On a 10.8.x FileVault 2-encrypted Mac, logging in and creating an AD mobile user account does not enable the account for use with FileVault 2

Steps to Reproduce:

1. Bind Mac to AD and set the Apple AD plug-in to create mobile accounts

Options selected in the AD plug-in's Advanced section:

Create mobile account at login
Force local home directory on startup disk
Default user shell (set as /bin/bash)

All other options unchecked. 

2. Encrypt Mac with FileVault 2 and enable a local account
3. Once encryption finishes, log out to the regular login window
4. Log in as an AD user

Expected Results:

1. AD mobile account created
2. AD mobile account automatically enabled for FileVault 2
3. AD mobile account appears at the FileVault 2 pre-boot

Actual Results:

1. AD mobile account created
2. AD mobile account needs to be separately enabled before it appears at the FileVault 2 pre-boot login window.
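A quick way to confirm the actual result above on a given Mac is to compare the account names against the output of `fdesetup list`, which on OS X 10.8 and later prints one `username,GeneratedUID` line per FileVault 2-enabled user. The script below is an added example, not part of the radar or of any Apple tooling: it parses a constructed sample listing (the UUID is made up) and reports which of the requested accounts are not yet enabled at the pre-boot login window. On a real machine you would feed it `sudo fdesetup list` instead of the sample.

```shell
#!/bin/sh
# Added example (not from the radar): check which accounts are FileVault 2-enabled
# by parsing the "username,GeneratedUID" lines that `fdesetup list` prints.

# Constructed sample of `fdesetup list` output on a Mac where only the local
# admin was enabled during encryption; the UUID is made up for the example.
SAMPLE_LIST='localadmin,6F5A3D1E-0000-4000-8000-0123456789AB'

# fv_user_enabled USER LISTING
#   Exit 0 if USER is one of the enabled users in LISTING, 1 otherwise.
#   Compares the whole username field, so "jsmith" does not match "jsmith2".
fv_user_enabled() {
    _user=$1
    _listing=$2
    printf '%s\n' "$_listing" |
        awk -F, -v u="$_user" 'BEGIN { found = 1 } $1 == u { found = 0 } END { exit found }'
}

# fv_missing_users LISTING USER...
#   Print, one per line, every USER that does not appear in LISTING.
fv_missing_users() {
    _listing=$1
    shift
    for _u in "$@"; do
        fv_user_enabled "$_u" "$_listing" || printf '%s\n' "$_u"
    done
}

# Demonstration against the constructed sample: "aduser" stands in for the AD
# mobile account created at login, which the radar reports is not auto-enabled.
for u in localadmin aduser; do
    if fv_user_enabled "$u" "$SAMPLE_LIST"; then
        echo "$u: enabled for FileVault 2"
    else
        echo "$u: NOT enabled; would need a separate 'fdesetup add -usertoadd $u'"
    fi
done
```

To run this against a live system, replace `SAMPLE_LIST` with `$(sudo fdesetup list)`; the same parsing applies, since the listing format is unchanged. The check only tells you who can unlock the disk at pre-boot, not whether the stored password still matches the directory password, which is the point Apple raises in its resolution.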

Regression:

Behavior appears on both OS X 10.8.2 Build 12C60 and 10.8.3 Build 12D78

Notes:

Initial testing done in VMware Fusion 5.0.3 with 10.8.2 and 10.8.3 virtual machines. Results duplicated on Retina 15 inch MacBook Pro

I've verified that standard local users and local users with admin rights created on the machine do get enabled for FileVault 2 automatically.

Comments

Bug was closed by Apple on bugreport.apple.com

This is a follow-up regarding Bug ID# 13888282.

Engineering has determined that this is not to be fixed based on the following information:

FileVault 2 is intended for use of local users to that machine. The password is used to decrypt the key used to unlock the local volume. If an AD user were to change their password on a different machine, they would be unable to use the new password to unlock the disk on the FileVault 2 machine.

If you have questions regarding the resolution of this issue, please update your bug report with them.

We are now closing this bug report.
