By Zach DeMeyer Posted June 25, 2018
When Apple® introduced FileVault® years ago, IT admins were thrilled. When it comes to security mechanisms, a way to automatically encrypt a drive is a powerful tool. Over the years, Apple has continued to evolve its functionality, and most recently made big changes with macOS® High Sierra. By combining Secure Token and FileVault, they have almost completely revamped how disk encryption and user management work.
The Result of Combining Secure Token and FileVault
This combination now forces every user to have a valid Secure Token in order to be able to interact with FileVault. At first pass, that doesn’t seem too bad. Fundamentally, the idea is that a user created on the system should have been created properly and by design. In other words, Apple was steering the process toward creating users locally on the machine rather than through the methods IT management tools have relied on in the past.
The problem is that Apple broke the path for IT management tools (i.e. identity providers/directory services) to create users, and instead forces those users to be created locally on each machine. This has the potential to be an administrative nightmare. Users created via the command line, and network users, do not have a Secure Token, and therefore aren’t valid users in the eyes of macOS High Sierra. The result is that these users cannot properly interact with FileVault, which serves up quite the plateful of problems for IT admins.
For IT admins that leverage Microsoft® Active Directory® (MAD or AD) or other similar directory services, the ability to create and manage macOS users with FileVault enabled has been broken. That means that IT admins will need to manually go host-by-host, resolving user management issues and giving the user a valid Secure Token. Of course, that’s not a viable method for macOS user or system management for organizations with Mac fleets of considerable size.
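Before visiting hosts one by one, an admin wants to know which local accounts actually lack a Secure Token and which are not yet FileVault-enabled. The script below is an added example, not code from the post or from JumpCloud: it audits every local account (UID 500 and up) using macOS’s own `dscl`, `sysadminctl -secureTokenStatus` and `fdesetup list`, and assumes their usual output formats; the sample output embedded at the bottom is constructed so the parsing can be checked off-box.

```shell
#!/bin/sh
# Audit which local macOS accounts hold a Secure Token and which are
# FileVault-enabled. The sample strings at the bottom are constructed and
# stand in for real command output when run somewhere other than a Mac.

# Normalise one line of `sysadminctl -secureTokenStatus <user>` output
# ("... Secure token is ENABLED for user alice") to ENABLED/DISABLED/UNKNOWN.
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user "*)  echo ENABLED ;;
        *"Secure token is DISABLED for user "*) echo DISABLED ;;
        *)                                      echo UNKNOWN ;;
    esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user.
# Returns 0 when the username in $2 appears in the list text held in $1.
fdesetup_has_user() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# Classify a user as OK (token + FileVault), NO_TOKEN, or NOT_FV (token but
# not FileVault-enabled). Args: username, its sysadminctl line, fdesetup text.
classify_user() {
    tok=$(parse_secure_token_status "$2")
    if [ "$tok" != ENABLED ]; then echo NO_TOKEN
    elif fdesetup_has_user "$3" "$1"; then echo OK
    else echo NOT_FV
    fi
}

# Live audit (macOS, run as root): sysadminctl reports on stderr, hence 2>&1.
audit_local_users() {
    fv=$(fdesetup list 2>/dev/null)
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r u; do
        line=$(sysadminctl -secureTokenStatus "$u" 2>&1)
        printf '%-20s %s\n' "$u" "$(classify_user "$u" "$line" "$fv")"
    done
}

# Constructed sample data (not captured from a real machine).
SAMPLE_FV='alice,11111111-2222-3333-4444-555555555555'
SAMPLE_ALICE='2018-06-25 09:00:00.000 sysadminctl[420:9000] Secure token is ENABLED for user alice'
SAMPLE_BOB='2018-06-25 09:00:01.000 sysadminctl[421:9001] Secure token is DISABLED for user bob'

if [ "${1:-}" = --live ]; then audit_local_users; fi
```

Run it as `sudo sh audit.sh --live` on a High Sierra host to print one line per local account; any NO_TOKEN line is an account that cannot be enabled for FileVault until it is granted a Secure Token.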
An Automated Solution
The good news is that there is now an automated solution to solving the Secure Token and FileVault issue for macOS users. JumpCloud®’s Directory-as-a-Service® platform can remotely create new users and ensure that those users have a valid Secure Token.
To be honest, it took a tremendous amount of engineering to figure out the right and secure way to handle this tricky issue that the update to macOS created. That said, JumpCloud’s macOS agent now handles users created remotely through our identity management platform and ensures that FileVault is properly enabled and used by each user. IT admins do not need to manually access every machine when conducting user management on macOS systems and/or enabling FileVault (which incidentally should be enabled on every device for enhanced security). Another significant benefit of this approach is that the user only needs to log in once to their device, and there are fewer steps overall for admins to grant FileVault access.
So, while applying FileVault to your user base is incredibly valuable, it also can be tricky. Apple’s recent changes to Secure Token and FileVault have perplexed and frustrated IT organizations worldwide. With JumpCloud’s automation of macOS user management and tight integration with FileVault and other macOS system management activities, IT admins can eliminate the pain of managing FileVault with macOS users.
To learn more about Secure Token and FileVault, check out our engineering blog article and our Knowledge Base. You can also contact our support team to ask any questions that might arise. And, of course, if you want to leverage JumpCloud Directory-as-a-Service to assist your organization with the changes brought about by the Secure Token/FileVault combination, try it for free. Your first 10 users are complimentary, and can be used forever.