Managing Macs whose disks are encrypted by FileVault 2 can be challenging, and even perilous given the potential for data loss. A directory service must be able to operate the way macOS does, or the gaps in integration and support create problems. JumpCloud is engineered with mechanisms for seamless user lifecycle management and handles the complexity of Apple's encryption scheme automatically and completely. Other solutions, such as the Active Directory Connect and Kerberos Single Sign-on (SSO) extensions, can create risks for IT operations such as onboarding, offboarding, and compliance (e.g., GDPR).
What Are Secure Tokens and Why Should I Care?
The root cause of the risk is that FileVault's architecture wasn't designed with LDAP directories and small and medium-sized enterprise (SME) IT departments in mind. Apple's solution to many users accessing a volume encrypted by FileVault 2 is a process built on Secure Tokens, a password-protected key encryption key (KEK) feature that works great on a single end user's device but can swiftly become problematic for IT admins who manage users from a directory, especially when tokens are missing.
FileVault encrypts the volume with a symmetric key; user passwords wrap that key and unlock the volume when the OS boots. Secure Tokens become useful when multiple users share a device and have different passwords. Each user has a "keybag" that encrypts the volume key with their own password, so that every user can unlock a volume that has full disk encryption.
Directories, Secure Tokens, and Keybags
This process works smoothly when users are managed on the device through macOS, but problems can arise when operations (such as creating a user or changing a password) occur externally, within a directory service. Here are a few examples of where things get risky when operations occur outside of the OS and FileVault's architecture isn't supported:
- Users whose passwords are changed externally, without the local keybag being re-wrapped with the new password, are locked out of their keybag (making decryption impossible).
- Actions such as deleting users who hold tokens, or creating new users without tokens, invite data loss and noncompliance (or support calls, if you're lucky).
Apple has system tools that run checks to avoid these scenarios, but an external directory that’s not built for Apple could potentially wreak havoc when it fails to interoperate with macOS.
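The two failure modes above (a token holder whose password is rewritten outside macOS, and the deletion of the last token holder) can be audited before a directory-driven change is made. The script below is an added example, not JumpCloud's or Apple's code. On macOS it reads the real state from Apple's `sysadminctl -secureTokenStatus <user>` (which prints to stderr) and `fdesetup list` (which prints one `<user>,<UUID>` line per FileVault-enabled user, and needs root); on any other system, or when those tools are absent, it runs against the constructed sample output embedded below, so the classification logic can be checked offline.

```shell
#!/bin/sh
# Added example (not JumpCloud's or Apple's code): audit local macOS accounts for
# Secure Token and FileVault status before a directory-driven password change or
# account deletion. The SAMPLE_* values are constructed; real data comes from
# `sysadminctl -secureTokenStatus <user>` and `fdesetup list` when available.

# Constructed sample: what the two Apple tools might print on a three-user Mac.
SAMPLE_TOKEN_STATUS='Secure token is ENABLED for user alice
Secure token is ENABLED for user bob
Secure token is DISABLED for user carol'
SAMPLE_FDE_LIST='alice,11111111-2222-3333-4444-555555555555
bob,66666666-7777-8888-9999-000000000000'

# token_state USER STATUS_TEXT -> prints ENABLED, DISABLED or UNKNOWN
token_state() {
  if printf '%s\n' "$2" | grep -q "Secure token is ENABLED for user $1\$"; then
    echo ENABLED
  elif printf '%s\n' "$2" | grep -q "Secure token is DISABLED for user $1\$"; then
    echo DISABLED
  else
    echo UNKNOWN
  fi
}

# fde_enabled USER FDE_LIST -> succeeds if USER appears in `fdesetup list` output
fde_enabled() {
  printf '%s\n' "$2" | grep -q "^$1,"
}

# token_holders STATUS_TEXT -> number of users that currently hold a Secure Token
token_holders() {
  printf '%s\n' "$1" | grep -c 'Secure token is ENABLED' || true
}

# password_change_risk USER STATUS_TEXT FDE_LIST
# A FileVault-enabled token holder whose password is rewritten outside macOS keeps
# the old password wrapping the key in its keybag and is locked out at boot.
password_change_risk() {
  state=$(token_state "$1" "$2")
  if [ "$state" = UNKNOWN ]; then
    echo "UNKNOWN: $1 has no Secure Token status; verify the account exists locally"
  elif [ "$state" = DISABLED ]; then
    echo "NO-TOKEN: $1 cannot unlock FileVault at all; grant a token before relying on this account"
  elif fde_enabled "$1" "$3"; then
    echo "LOCKOUT: $1 unlocks FileVault; change the password on the Mac (or via an agent that re-wraps the keybag)"
  else
    echo "OK: $1 holds a token but is not FileVault-enabled"
  fi
}

# deletion_risk USER STATUS_TEXT
# Deleting the only token holder leaves nobody able to unlock the volume.
deletion_risk() {
  holders=$(token_holders "$2")
  if [ "$(token_state "$1" "$2")" != ENABLED ]; then
    echo "OK: $1 holds no Secure Token"
  elif [ "$holders" -le 1 ]; then
    echo "DATA-LOSS: $1 holds the only Secure Token; deleting it leaves no one able to unlock the volume"
  else
    echo "CAUTION: $1 holds a Secure Token; $((holders - 1)) holder(s) remain after deletion"
  fi
}

# audit STATUS_TEXT FDE_LIST -> one password-change line and one deletion line per user
audit() {
  printf '%s\n' "$1" | sed -n 's/.*Secure token is [A-Z]* for user //p' | while read -r u; do
    password_change_risk "$u" "$1" "$2"
    deletion_risk "$u" "$1"
  done
}

# Gather real state on macOS (local accounts with UID >= 500); otherwise use the sample.
if command -v sysadminctl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
  REAL_STATUS=$(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r u; do
    sysadminctl -secureTokenStatus "$u" 2>&1
  done)
  REAL_FDE=$(fdesetup list 2>/dev/null)
  audit "$REAL_STATUS" "$REAL_FDE"
else
  audit "$SAMPLE_TOKEN_STATUS" "$SAMPLE_FDE_LIST"
fi
```

Run it as root on the Mac before the directory applies a password reset or account removal; any line starting with `LOCKOUT`, `NO-TOKEN` or `DATA-LOSS` is a change that must be made (or at least mirrored) locally through macOS or through an agent that updates the keybag, exactly the gap the rest of this post describes.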
JumpCloud’s Client and MDM Work with macOS
Fortunately, JumpCloud’s macOS agent has mechanisms that replicate what the OS does. The agent works hand in hand with mobile device management (MDM) to manage the user device lifecycle and control the potential risks of mishandling FileVault. JumpCloud is an official Apple MDM provider and uses that framework to deliver configuration and security payloads to devices without user intervention. MDM is an extension of the multi-OS JumpCloud cloud directory, which provides secure access to resources, no matter where they’re located.
It should be noted that Active Directory (AD) cannot accomplish this. The doomsday scenarios outlined above can and will happen. The AD sync tool for Apple is essentially abandonware, because it fails to meet these requirements. The more recent Kerberos SSO extension for Microsoft's directory services will keep passwords for cloud services in sync, but it cannot keep user passwords in sync on local devices, nor can it operate at the macOS login window.
In comparison, JumpCloud also supports single sign-on (SSO) with a library of pre-built connectors and SCIM support to automate user provisioning; it has connectivity covered on Mac devices and beyond.
Try JumpCloud
The JumpCloud platform connects you securely to more resources, and is free for 10 devices and 10 users with complimentary premium chat support. Support is available 24×7/365 within the first 10 days of your account's creation. MDM is fully integrated within the JumpCloud console, and our directory agent can coexist with Active Directory.