Users Can't Be 'Silently' Enabled to FileVault Unlock, e.g. as Root
| Originator: | arubdesu | | |
| Number: | rdar://19920316 | Date Originated: | 23-Feb-2015 08:51 AM |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | Mac OS X 10.10.3 (14D72i) |
| Classification: | Security | Reproducible: | Always |
Summary: Currently you must interactively provide credentials of a user (or recovery key) with the right to unlock the disk before another user may be added. We need to enable users in a shared Active Directory environment to unlock the disk without admin interaction.

Steps to Reproduce:
1. Prepare 10.9+ image
2. Encrypt w/ FileVault 2 as admin user, bind to AD
3. Have a user log in to a shared Computer (resident doctors on two-week rotation)

Expected Results: after verifying admin-set conditions, a loginhook or other mechanism enables shared user to FileVault unlock

Actual Results: Admin must be contacted, connect to machine, unlock Security Pref Pane, and add user

Regression: 10.8's fdesetup had this functionality, it was removed in 10.9

Notes: Affected install count: 423 Macs at Montefiore Medical Center, NY, more at affiliated Albert Einstein School of Medicine
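The report's "Actual Results" describe the mechanism as it stands: `fdesetup add` will only enable another account when the password of an already-enabled user (or the recovery key) is supplied. The helpers below are an added example, not code from the radar or from Apple: they show the two pieces a login script can do on its own (parse `fdesetup list` to see who is already enabled, and assemble the input plist that `fdesetup add -inputplist` reads) and make visible why the third piece, the existing enabled user's credential, cannot be produced by the script. The plist keys (`Username`, `Password`, `AdditionalUsers`) and the `username,GeneratedUID` line format of `fdesetup list` are from the fdesetup man page; the function names, the sample list and the GUIDs in it are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the radar): helpers a login script could use to
# inspect FileVault enablement state and to build the input plist that
# `fdesetup add -inputplist` expects. Sample data below is constructed.

# Parse `fdesetup list` output ("username,GeneratedUID" per line) and print
# just the usernames, one per line.
fv_enabled_users() {
  # $1: text as printed by `fdesetup list`
  printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# Succeed (exit 0) only if the named user already appears in the list.
fv_user_enabled() {
  # $1: username, $2: `fdesetup list` output
  fv_enabled_users "$2" | grep -qx -- "$1"
}

# Build the plist `fdesetup add -inputplist` reads from stdin.
# The first Username/Password pair must belong to a user who is ALREADY
# FileVault-enabled; this is the interactive admin step the report asks to
# remove, and nothing running as root can fill it in without that credential.
fv_add_user_plist() {
  # $1: enabled user, $2: that user's password,
  # $3: user to add,  $4: that user's password
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$1</string>
  <key>Password</key><string>$2</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>$3</string>
      <key>Password</key><string>$4</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Constructed sample of `fdesetup list` output so the helpers run offline.
SAMPLE_LIST='localadmin,9B1D5E2A-0000-4000-8000-000000000001
resident1,9B1D5E2A-0000-4000-8000-000000000002'

# On a real Mac (as root) the flow a loginhook could take is:
#   LIST=$(fdesetup list)
#   fv_user_enabled "$SOME_USER" "$LIST" && exit 0   # already able to unlock
#   # otherwise an enabled user's password is still required before
#   # fv_add_user_plist ... | fdesetup add -inputplist can succeed.
fv_user_enabled resident1 "$SAMPLE_LIST" && echo "resident1 is enabled"
fv_user_enabled resident2 "$SAMPLE_LIST" || echo "resident2 is not enabled"
```

Because the credential of an enabled user has to pass through the plist on stdin, a script that automates this step is necessarily holding an admin password at login time; keeping that fact in view is the clearest statement of why the report asks for a root-driven alternative rather than a scripted workaround.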