{"id":58590,"date":"2022-01-28T11:00:00","date_gmt":"2022-01-28T16:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=58590"},"modified":"2022-11-02T14:43:03","modified_gmt":"2022-11-02T18:43:03","slug":"jumpcloud-circumvents-filevault-2-perils","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/jumpcloud-circumvents-filevault-2-perils","title":{"rendered":"JumpCloud Circumvents FileVault 2 Perils"},"content":{"rendered":"\n
Managing Macs whose disks are encrypted by FileVault 2 can be challenging, and even perilous: an account that cannot unlock the volume at boot is locked out of the device, and a mishandled encryption key means data loss. A directory service must be able to do what macOS itself does when it creates users and changes passwords; otherwise the gaps in integration and support become outages. JumpCloud is engineered for seamless user lifecycle management and handles the complexity of Apple\u2019s encryption scheme automatically and completely. Other solutions, such as the Active Directory Connect and Kerberos Single Sign-on (SSO) extensions, leave gaps that create risks for IT operations such as onboarding, offboarding, and compliance (e.g., GDPR).<\/p>\n\n\n\n
Directories, Secure Tokens, and Keybags<\/h2>\n\n\n\n The root cause of the risk is that FileVault\u2019s architecture<\/a> wasn\u2019t designed with LDAP directories and small and medium-sized enterprise (SME) IT departments in mind. Apple\u2019s solution for many users unlocking a volume encrypted by FileVault 2 is the Secure Token<\/a>: a password-protected key encryption key (KEK) that works well on a single end user\u2019s device, but quickly becomes a problem for IT admins who manage users from a directory, because accounts created or updated outside macOS can end up without a token. <\/p>\n\n\n\n FileVault encrypts the volume with a symmetric volume encryption key; that key is wrapped by a KEK, and a user\u2019s password unwraps their copy of the KEK so the volume can be unlocked when the OS boots. SecureTokens matter when multiple users share a device and have different passwords. Each token-holding user has a \u201ckeybag\u201d entry that wraps the KEK with their own password, so that every such user can unlock the fully encrypted volume.<\/p>\n\n\n\n This process works smoothly when users are managed on the device through macOS, but problems arise when operations such as creating a user or changing a password happen externally, in a directory service: an account created outside the OS never receives a SecureToken and so cannot unlock the disk at boot, and a password changed outside the OS no longer matches the password that wraps that user\u2019s KEK. Here are a few examples of where things get tenuous when operations occur outside the OS and FileVault\u2019s architecture isn\u2019t supported:<\/p>\n\n\n\n Apple has system tools that run checks to avoid these scenarios, but an external directory that\u2019s not built for Apple can wreak havoc when it fails to interoperate with macOS.<\/p>\n\n\n\n JumpCloud\u2019s Client and MDM Work with macOS<\/h2>\n\n\n\n Fortunately, JumpCloud\u2019s macOS agent has mechanisms that replicate what the OS does. The agent works hand in hand with mobile device management (MDM) to manage the device lifecycle for each user and to contain the risk of mishandling FileVault. JumpCloud is an official Apple MDM provider and uses that framework to deliver configuration and security payloads to devices without user intervention.<\/p>\n\n\n\n
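The checks described above, done with Apple\u2019s own command-line tools, as an added example that is not JumpCloud\u2019s agent code: an account can unlock a FileVault volume at boot only if it holds a SecureToken and appears in the FileVault user list, and the two conditions are reported separately by <code>sysadminctl -secureTokenStatus<\/code> and <code>fdesetup list<\/code>. The script parses that output and prints a verdict; the usernames (alice, bob, carol), the UUIDs and the sample command output are constructed, not captured from a real Mac, and the function names are this example\u2019s own. The repair commands it prints are the manual equivalent of what a directory agent has to do for a user it created outside the OS.

```shell
#!/bin/sh
# Added example, not JumpCloud's agent code: audit whether a macOS account can
# unlock a FileVault 2 volume at boot (SecureToken held AND enrolled as a
# FileVault user), and show how an existing token holder repairs an account
# that was created outside the OS. Parsing is separated from the command
# invocations so the logic can be exercised offline on constructed output.

# Classify the stderr of `sysadminctl -secureTokenStatus <user>` as
# ENABLED / DISABLED / UNKNOWN. The tool logs a line of the form
# "... Secure token is ENABLED for user alice".
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Return 0 if <user> appears in the output of `fdesetup list`
# (one "username,UUID" line per enrolled FileVault user), else 1.
fv_enrolled() {
  _fv_list="$1"; _user="$2"
  printf '%s\n' "$_fv_list" | awk -F, -v u="$_user" '$1 == u { found = 1 } END { exit !found }'
}

# Combine both checks into one verdict on stdout:
# OK, NO_TOKEN, NOT_ENROLLED or NO_TOKEN_NOT_ENROLLED.
boot_unlock_verdict() {
  _status_out="$1"; _fv_list="$2"; _user="$3"
  _verdict=""
  [ "$(secure_token_state "$_status_out")" = ENABLED ] || _verdict="NO_TOKEN"
  if ! fv_enrolled "$_fv_list" "$_user"; then
    _verdict="${_verdict:+${_verdict}_}NOT_ENROLLED"
  fi
  echo "${_verdict:-OK}"
}

# Live check, macOS only: run the real commands (fdesetup list needs root).
audit_user() {
  _user="$1"
  _status_out="$(sysadminctl -secureTokenStatus "$_user" 2>&1)"
  _fv_list="$(fdesetup list 2>/dev/null)"
  printf '%s: %s\n' "$_user" "$(boot_unlock_verdict "$_status_out" "$_fv_list" "$_user")"
}

# Repair for a NO_TOKEN account: a token can only be minted with the
# credentials of a user who already holds one, after which the account is
# added to FileVault. Printed rather than executed, because both commands
# need real credentials ('-' makes sysadminctl prompt for them).
print_repair_steps() {
  _user="$1"; _admin="$2"
  cat <<EOF
sudo sysadminctl -secureTokenOn "$_user" -password - -adminUser "$_admin" -adminPassword -
sudo fdesetup add -usertoadd "$_user"
EOF
}

# Constructed sample output (not captured from a real Mac), in the formats
# the two commands emit.
SAMPLE_STATUS_ALICE='2022-01-28 11:00:00.123 sysadminctl[412:5019] Secure token is ENABLED for user alice'
SAMPLE_STATUS_BOB='2022-01-28 11:00:00.456 sysadminctl[413:5020] Secure token is DISABLED for user bob'
SAMPLE_FV_LIST='alice,7F3A0C2E-1111-2222-3333-444455556666
carol,1D2C3B4A-AAAA-BBBB-CCCC-DDDDEEEEFFFF'

if [ "$(uname -s)" = Darwin ] && [ $# -ge 1 ]; then
  # On a Mac, audit the accounts named on the command line.
  for _u in "$@"; do audit_user "$_u"; done
else
  # Anywhere else, demonstrate the logic on the constructed samples:
  # alice holds a token and is enrolled; bob (created outside the OS) has neither.
  printf 'alice: %s\n' "$(boot_unlock_verdict "$SAMPLE_STATUS_ALICE" "$SAMPLE_FV_LIST" alice)"
  printf 'bob: %s\n'   "$(boot_unlock_verdict "$SAMPLE_STATUS_BOB" "$SAMPLE_FV_LIST" bob)"
  print_repair_steps bob alice
fi
```

Run it with no arguments to see the offline demonstration; on a Mac, <code>sudo sh audit.sh alice bob<\/code> checks the named local accounts. A NO_TOKEN verdict for an account that exists in the directory is exactly the case the text describes: the user can log in once the volume is unlocked by someone else, but cannot unlock it themselves.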
MDM is an extension of the multi-OS JumpCloud cloud directory, which provides secure access to resources wherever they\u2019re located.<\/p>\n\n\n\n It should be noted that Active Directory (AD) on its own cannot accomplish this; the scenarios outlined above can and will happen. The AD sync tool for Apple is essentially abandonware and was never built to meet these requirements. The more recent Kerberos<\/a> SSO extension for Microsoft\u2019s directory services keeps the AD password in sync for cloud services and can prompt the user to update the local account password after login, but it does not run at the macOS login window, and it neither creates local accounts nor grants SecureTokens, so it cannot prevent the token problems described above.<\/p>\n\n\n\n In comparison, JumpCloud also supports single sign-on (SSO)<\/a> with a library of pre-built connectors and SCIM support to automate user provisioning; it has connectivity covered on Mac devices and beyond.<\/p>\n\n\n\n Try JumpCloud<\/h2>\n\n\n\n The JumpCloud platform<\/a> connects you securely to more resources, and is free for 10 devices and 10 users<\/a> with complimentary premium chat support. Support is available 24×7\/365 within the first 10 days of your account\u2019s creation. MDM is fully integrated within the JumpCloud console, and our directory agent can coexist with Active Directory.<\/p>\n","protected":false},"excerpt":{"rendered":" JumpCloud is engineered with mechanisms for seamless user lifecycle management to manage FileVault2 encryption access.<\/p>\n","protected":false},"author":150,"featured_media":47852,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[23],"tags":[2466,2626,2389,2435,2627,2467],"collection":[2778,2775],"platform":[],"funnel_stage":[3015],"coauthors":[2535],"acf":[],"yoast_head":"\n