By George Lattimore Posted June 26, 2018
With the recent release of macOS High Sierra, Apple® made some especially significant changes to how users with FileVault® are managed. In fact, if an IT organization is managing their macOS systems and users properly, this change has most likely broken their ability to manage the users and systems remotely. The good news is that JumpCloud® has created a solution to the FileVault user management problem by automating Secure Token application for macOS users.
FileVault Issue Disables Remote Managing Ability
You’re probably aware of the dramatic changes Apple has been making to macOS over the last few releases. These changes have moved the platform closer to iOS, which is creating significant challenges for IT organizations looking to manage macOS systems and users. Specifically, Apple has been changing the process for how users are managed, where they are managed from, how policies to manage the system are deployed, and most importantly, who can enable FileVault and how.
This last change, in particular, has created a torrent of issues for IT admins who have been managing their macOS systems through IT management tools such as identity providers. The reality is that these changes have forced IT admins to manually interact with each host to ensure that each user’s Secure Token attribute is valid. Without a valid Secure Token attribute, a user is unable to interact with FileVault. Furthermore, users are only granted a Secure Token if they are the first user created on the system, or if the user was created by the first user. This ensures—from Apple’s perspective—that a ‘chain-of-trust’ has been maintained and the newly created user is indeed valid and should have rights to access the disk drive.
The underlying challenge with this approach is that IT management tools, such as Microsoft® Active Directory®, are not able to create a new user remotely with a valid Secure Token attribute. As a result, IT admins need to manually grant that newly created user a valid token. Clearly, this isn’t a process that will scale, nor will it work efficiently for IT admins.
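The state described above (a remotely created account that exists but holds no Secure Token, and so cannot be added to FileVault until a token holder grants one) is visible on the host itself. The following audit script is an added example, not code from the JumpCloud post or its agent; it assumes macOS 10.13 or later with the stock `sysadminctl`, `dscl` and `fdesetup` tools, and relies on `sysadminctl -secureTokenStatus` reporting "Secure token is ENABLED" or "Secure token is DISABLED" for a user. It lists every local account with its token state and whether FileVault already counts it as an unlock user, so an admin can spot the accounts that still need manual attention.

```shell
#!/bin/sh
# Added example (not from the JumpCloud post): audit which local macOS accounts
# hold a Secure Token, so accounts that cannot unlock FileVault are surfaced.
# Assumes macOS 10.13+ with sysadminctl(8), dscl(1) and fdesetup(8) present.

# Classify one line of `sysadminctl -secureTokenStatus <user>` output.
# The tool reports "Secure token is ENABLED for user <name>" or
# "Secure token is DISABLED for user <name>"; anything else is UNKNOWN
# (for example a user that does not exist locally).
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Secure Token state for a single account. sysadminctl writes its report to
# stderr, so both streams are captured.
secure_token_status() {
    token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Human accounts (UID >= 500) from the local Directory Services node.
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Print every local account with its Secure Token state and whether FileVault
# already lists it as an unlock user. "DISABLED / no" is the stuck state the
# text describes: the account was created, but no token holder has granted it
# a Secure Token, so it cannot be enabled for FileVault.
audit_secure_tokens() {
    # `fdesetup list` prints one "username,GeneratedUID" line per FileVault user.
    fv_users=$(fdesetup list 2>/dev/null | cut -d, -f1)
    printf '%-20s %-9s %s\n' USER TOKEN FILEVAULT
    for u in $(local_users); do
        state=$(secure_token_status "$u")
        if printf '%s\n' "$fv_users" | grep -qx "$u"; then fv=yes; else fv=no; fi
        printf '%-20s %-9s %s\n' "$u" "$state" "$fv"
    done
}

# Run the live audit only where the macOS tools actually exist.
if command -v sysadminctl >/dev/null 2>&1; then
    audit_secure_tokens
fi
```

Run it as an administrator on the Mac in question; `sysadminctl -secureTokenStatus` itself does not require a token holder to authenticate, so the report can be gathered by any remote management channel that can execute a shell script, which makes it a cheap check to schedule before and after user provisioning.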
Solution? Automated Secure Token Application for macOS Users
JumpCloud’s Directory-as-a-Service® platform addresses this challenge by automating the process of granting a valid Secure Token for each new macOS user created remotely. In order to make this automation possible, JumpCloud reengineered their macOS agent to solve for these challenges specifically. IT admins are now able to remotely manage user access for accounts where FileVault is enabled.
For more technical details on how JumpCloud solves the macOS problem of automated Secure Token application for macOS users with FileVault enabled, please check out our engineering blog and Knowledge Base articles. Further, if you would like to speak with a technical support engineer, drop us a note. You can always give our platform a try, with 10 users free forever, and see if our automation of this challenging FileVault issue does the trick for you.