Many IT admins have been faced with a barrage of issues with managing Mac® users and systems as they have been upgrading their macOS® systems to High Sierra. One such issue is that High Sierra makes it difficult to turn on FileVault®, a disk encryption feature that is built into macOS, for a user. This error is the result of a new feature that Apple® has implemented called Secure Token.
While this issue is certainly a nuisance, luckily there is a solution that can help enable FileVault across a fleet of Mac systems. But, before we dive into the solution, we should first explore what the problem is. Let’s take a look at how Apple is thinking about full disk encryption and user management.
Taking a Step Back
Historically, Apple has allowed IT admins to remotely create, modify, and delete users as well as implement FileVault on compatible volumes (macOS’ FDE feature). FileVault is essentially Apple’s way of encrypting the data on macOS and Mac hardware. With FileVault, user drives are automatically encrypted upon creation, making local files more secure in an instant. It seems as though Apple has determined that the process for setting up FileVault was not secure or easy enough though, so they made some changes in the High Sierra update of macOS. Those changes have been substantial, and while they may have addressed some issues, they created many others.
The Problem Between High Sierra and FileVault
With macOS High Sierra, new users are required to have a Secure Token, which can only be passed to them from the initial user on the platform. The Secure Token, however, cannot be assigned to users created via conventional, remote command line methods. These users must then be created locally. It essentially “breaks” traditional API-driven Mac identity management solutions, such as Microsoft® Active Directory® (MAD or AD). Remote API calls or network users aren’t granted a Secure Token, effectively giving the message that High Sierra could not turn on FileVault for the user.
For IT admins, this is real headache. As if IT admins didn’t already have enough trouble trying to manage Mac users with Active Directory, now they’re forced to go host-by-host in order to properly manage their Mac users. This is far from an ideal solution, considering the rapid rise of Mac users within the enterprise. While it is possible for admins to individually manage each Mac in their fleet, it is far from an efficient use of labor and resources. If only there were a way around this issue.
Mac Management Made Easy with JumpCloud®
The good news is that JumpCloud Directory-as-a-Service® solves this issue. By implementing JumpCloud’s cloud-based directory, IT admins can create, manage, and delete users with FileVault enabled from a remote console. Directory-as-a-Service solves significant management and efficiency issues for Mac admins. JumpCloud has updated its Mac agent, eliminating the authentication errors between High Sierra and FileVault. This is done by creating new users properly according to Apple’s new standards to ensure security. This agent acts as the link between Secure Token and FileVault, creating users as well as providing them with a valid Secure Token.
If you’re ready to make the lives of your IT admins easier and resolve the compatibility issues between High Sierra and FileVault, you can sign up here! By signing up for Directory-as-a-Service, you can leverage the SaaS solution for up to ten users for free, forever. From there, you can evaluate if you’re ready to implement across your entire organization. If you have any questions about JumpCloud’s Mac management capabilities, go ahead and drop us a line, our team of technical experts would be happy to clear up any of your questions. If you’re curious about JumpCloud, looking for tutorials, or just want some best practice tips—visit our Youtube channel.