{"id":58590,"date":"2022-01-28T11:00:00","date_gmt":"2022-01-28T16:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=58590"},"modified":"2022-11-02T14:43:03","modified_gmt":"2022-11-02T18:43:03","slug":"jumpcloud-circumvents-filevault-2-perils","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/jumpcloud-circumvents-filevault-2-perils","title":{"rendered":"JumpCloud Circumvents FileVault 2 Perils"},"content":{"rendered":"\n

Managing Macs that have disks encrypted by FileVault 2 can be challenging, and even perilous given the potential for data loss. Directory services must have the capacity to operate as macOS would in order to navigate the issues that arise from inadequate integration and support. JumpCloud is engineered with mechanisms for seamless user lifecycle management and automatically, and completely, tackles the complexity of handling Apple's encryption scheme. Other solutions, such as the Active Directory Connect and Kerberos Single Sign-on (SSO) extensions, can create risks for IT operations such as onboarding, offboarding, and compliance (e.g., GDPR).

What Are Secure Tokens and Why Should I Care?

The root cause of the risk is that FileVault's architecture wasn't designed with LDAP directories and small and medium-sized enterprise (SME) IT departments in mind. Apple's solution for many users accessing a volume that's encrypted by FileVault 2 involves a process that uses Secure Tokens, a password-protected key encryption key (KEK) feature that works great on a single end-user's device, but can swiftly become problematic for IT admins who manage users from a directory when tokens are missing.

FileVault encrypts the drive with a symmetric encryption key; user passwords are tied to that key and unlock the volume when the OS boots. Secure Tokens become useful when multiple users share a device and have different passwords. Each user has a "keybag" that encrypts the key under their password, so that every user can unlock a volume that has full disk encryption.

Directories, Secure Tokens, and Keybags

This process works smoothly when users are managed on the device through macOS, but problems can arise when operations (such as creating a user or changing a password) occur externally within a directory service. Here are a few examples of where things get tenuous when operations occur outside of the OS and FileVault's architecture isn't supported: