By George Lattimore Posted July 17, 2018
With the introduction of macOS® High Sierra, Apple® has broken the process for IT organizations managing macOS users with FileVault® enabled. This problem is challenging on a number of levels, but the most significant issue is that it renders traditional directory services and identity management solutions useless, while also requiring manual intervention.
Broken Process for Managing macOS Users with FileVault
Before we dig into a solution for managing macOS users with FileVault enabled, let’s step back and understand the problem. A few years ago, Apple created a disk encryption solution called FileVault. With device theft and privacy laws on the rise, it was certainly a welcomed innovation.
The process to enable and disable FileVault was handled manually or through APIs, but it required a separate step outside of the process for adding a new user to a Mac® device. Apple has been working towards making the process of enabling and disabling FileVault easier, as well as increasing its security. These ease-of-use upgrades have culminated in their most recent macOS release, High Sierra, where users are automatically added to FileVault if it is enabled on the device. While this helped eliminate a step, Apple’s process for enabling this has completely broken the process of remotely creating and managing users on macOS machines.
IT admins leveraging directory services solutions, such as Microsoft® Active Directory® (MAD), no longer can automatically and remotely create a user on a Mac device that has FileVault enabled, and then have that user successfully added to FileVault. For directory services solutions, the underlying problem is that every user created must have a Secure Token, and that token can only be delivered through a locally created user. The result is that IT admins must locally create users rather than leveraging their traditional IT management tools to manage users on macOS systems.
Seamless Solution with Remote Automation
Obviously, manual management over a fleet of Macs is simply not scalable. JumpCloud’s Directory-as-a-Service® platform has solved this problem, however, as it can remotely create and manage macOS users that have FileVault enabled. Furthermore, this solution is seamless for IT admins and end users alike. JumpCloud has reengineered its macOS agent to successfully create users with valid Secure Tokens, thus green-lighting those users to automatically be enabled for FileVault. Users simply login as they normally would, and they are granted access to the FileVault volume and the machine simultaneously.
For IT admins struggling with managing macOS users with FileVault enabled, this automated approach is a massive win. No longer do IT admins have to manually intervene on a host-by-host basis. If you would like to learn more about how to solve your macOS user issues with FileVault, drop us a note. Or, feel free to check out our engineering blog article on the topic or our Knowledge Base article.