AD accounts should automatically be allowed to unlock FV2 boot drive after initial login
| Field | Value | Field | Value |
|---|---|---|---|
| Originator: | jdybash | | |
| Number: | rdar://22140383 | Date Originated: | 04-Aug-2015 02:22 PM |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | Mac OS X 10.10.5 (14F19a) |
| Classification: | Security | Reproducible: | Always |
Summary: The current FV2 enabling process for AD users requires that admins either interactively enter the additional user's credentials directly, supply them via a pre-populated plist, or coordinate setup with the new user. Valid AD accounts should be automatically allowed to unlock FV2 boot drives after initial login.

Steps to Reproduce:
1. Prepare an OS X 10.9+ Mac
2. Bind to Active Directory with mobile accounts enabled
3. Encrypt the Mac with FV2 using Institutional and Individual recovery keys
4. Enable FV2 for the current or next user
5. AD user A logs into the Mac and can unlock the FV2 boot disk
6. Ask AD user B to log into the Mac
7. Reboot the Mac

Expected Results: AD user A is able to unlock the FV2 boot drive. After a first successful login, AD user B is subsequently able to unlock the FV2 boot drive.

Actual Results: AD user A is able to unlock the FV2 boot drive, as are any local accounts created after encryption, but AD user B (or any other AD user) must be manually added to the FV2 allowed-users list, which requires credential sharing or manual effort.

Version: Mac OS X 10.10.5 (14F19a)

Notes: Impacted Mac portable count: 1064. Desktops are largely excluded from our FV2 policy, but Mac Minis may require FV2 soon (Mac Mini count: 200).
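The "pre-populated plist" workaround the summary refers to is the `-inputplist` mode of `fdesetup add`, which reads a property list naming an already-enabled user and the additional users to authorize. The following is an added example, not part of the Radar or of Apple's tooling: two POSIX shell helpers that build that plist (with XML escaping so a password containing `&`, `<` or `>` does not break the document) and check `fdesetup list` output for a given user. The plist keys (`Username`, `Password`, `AdditionalUsers`) and the `username,UUID` output format are as documented in fdesetup(8); the sample list output and account names are constructed. The real `fdesetup` invocation is left in a comment so the script runs offline; in practice pipe the plist over stdin rather than writing it to disk, since it carries two sets of credentials.

```shell
#!/bin/sh
# Added example (not from the Radar or from Apple): helpers for the
# manual FV2 user-add step that the report wants automated for AD users.

# Escape the three characters that would break a plist string value.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Render the plist that `fdesetup add -inputplist` reads on stdin.
#   $1 = FV2-enabled user authorizing the add   $2 = that user's password
#   $3 = AD (mobile) user to add                $4 = that user's password
fv2_add_plist() {
  printf '%s\n' \
    '<?xml version="1.0" encoding="UTF-8"?>' \
    '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
    '<plist version="1.0">' \
    '<dict>' \
    "  <key>Username</key><string>$(xml_escape "$1")</string>" \
    "  <key>Password</key><string>$(xml_escape "$2")</string>" \
    '  <key>AdditionalUsers</key>' \
    '  <array>' \
    '    <dict>' \
    "      <key>Username</key><string>$(xml_escape "$3")</string>" \
    "      <key>Password</key><string>$(xml_escape "$4")</string>" \
    '    </dict>' \
    '  </array>' \
    '</dict>' \
    '</plist>'
}

# Return 0 if user $2 appears in `fdesetup list` output passed as $1.
# fdesetup list prints one "username,UUID" line per enabled user.
fv2_user_enabled() {
  printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# Constructed sample of `fdesetup list` output: user A and a local admin
# are enabled, AD user B (who has since logged in) is not.
SAMPLE_LIST='usera,3A1B2C3D-0000-4000-8000-000000000001
localadmin,3A1B2C3D-0000-4000-8000-000000000002'

for u in usera userb; do
  if fv2_user_enabled "$SAMPLE_LIST" "$u"; then
    echo "$u: can unlock FV2"
  else
    echo "$u: NOT in FV2 list; would need: fv2_add_plist usera \"\$PW_A\" $u \"\$PW_B\" | sudo fdesetup add -inputplist"
  fi
done
```

On a real Mac, `fdesetup list` (run as root) replaces `SAMPLE_LIST`; the pipe into `fdesetup add -inputplist` is what performs the add and is exactly the step whose credential handling the report objects to.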