Apple®’s recent change to the process of adding users to High Sierra is dramatically upending the approach and processes for user management. By creating a link between the Secure Token and FileVault®, High Sierra users are given improved security, but at the cost of restricting the ease-of-use of user management systems. And, like with all changes, this has developed some friction for macOS® users, and subsequently, their IT admins. Although, in the end it has its benefits, it certainly seems like robbing Peter to pay Paul. Luckily, there is a viable solution to the problem of enabling FileVault for High Sierra users, but first, let’s explore some of the problems macOS users have with FileVault enabled.
Two Sides to the Secure Token
Traditionally, IT admins have simply added a user through their on-prem identity provider, such as Microsoft® Active Directory® (MAD) or Open Directory (OD). Users would be subsequently created on the Mac® system. If those users needed FileVault, IT admins would need to enable that for the user. It was a fairly straightforward process, but one that certainly needed refinement to improve the overall user/admin experience.
In order to be make the process more seamless and secure, Apple changed it such that only users created locally would inherit the ability to have FileVault enabled. A user created via the command line or as a network user would not have a valid Secure Token attribute, which is required to be granted access to FileVault. While it brings an added layer of security to Mac users, it comes with a sting.
Problems macOS Users have with FileVault Changes
What results is generally a big headache. The change breaks virtually all identity management processes, creating a great deal of manual work for IT admins. Users are flooding support request inboxes and forums to find a way to properly authorize their machines. Organizations that leverage MAD are essentially up the proverbial creek, with no foreseeable “paddle” to automate the process of reintroducing (and subsequently managing) users to the new FileVault format.
A New Solution is on the Horizon
The good news is that there actually is a solution to this problem. The cloud directory service, JumpCloud® Directory-as-a-Service®, is able to automatically handle problems with macOS users with FileVault enabled and without manual intervention. IT admins need to simply add the JumpCloud agent to each of their macOS systems, and then user creation continues as normal. A new user is properly granted a Secure Token, thus enabling them to access their FileVault volume. Users will automatically be granted access to FileVault and the machine upon login.
Seem too good to be true? Well, with JumpCloud’s macOS agent, managing High Sierra users is a breeze. To see how it works for yourself, why not try JumpCloud Directory-as-a-Service today? The first ten users in your enterprise are always free, with options to pay as your user base expands. You can also see Directory-as-a-Service in the hands of an expert by scheduling a demo. And, as always, you can contact our support squad with your questions or concerns, or check out our Knowledge Base.