All versions of Centrify DirectControl on Mac OS X 10.7 and higher
Question:
What steps are needed to set up FileVault 2 on Mac OS X?
Answer:
Support for FileVault 2 via group policy is available from Centrify Suite 2013.2 onwards (Mac agent version 5.1.1).
In order to allow an AD user to unlock a Mac encrypted with FileVault 2, the account first needs to be converted to a Mobile Account. See whichever of the following KBs most closely matches the target environment:
After the Mobile Accounts are created, use the following article for a step-by-step guide:
(Steps for configuration can also be found on page 66 of the Centrify Admin Guide for Mac.)
The following can be helpful in troubleshooting (from Mac Terminal):
sudo fdesetup enable
Note 1:
Once FileVault has been enabled, a new login screen will be shown when powering on the Mac. This will have a solid grey background and is different from the Desktop login screen with the textured background:
- The solid grey FileVault login is solely used to unlock the disk for usage. Only users who are added into the FileVault-enabled list will be shown on this screen.
- The regular login screen is the standard Mac login screen for logging into a user's Desktop session. This is the screen that all users see and can login to.
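The following pre-flight script is an added example (not Centrify's own code) that checks the prerequisites described above: that FileVault is on, that the AD user is a mobile account, and that the user appears in the FileVault-enabled list shown on the grey unlock screen. The functions take command output as arguments so they can be exercised offline against the constructed sample strings; run_checks feeds them real fdesetup and dscl output on a Mac.

```shell
#!/bin/sh
# Added example, not part of the Centrify KB. Constructed sample output used
# for offline checks; on a Mac, run_checks <user> uses the live commands.

SAMPLE_STATUS_ON='FileVault is On.'
SAMPLE_LIST='admin,12345678-ABCD-1234-ABCD-123456789ABC
jdoe,87654321-DCBA-4321-DCBA-CBA987654321'
SAMPLE_MOBILE='OriginalNodeName: /Active Directory/CORP/corp.example.com'

# Returns 0 when `fdesetup status` output reports FileVault as On.
fv_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Returns 0 when the user appears in `fdesetup list` output (one "user,UUID"
# line per enabled user). Only these users are offered on the grey unlock screen.
fv_user_enabled() {
    user="$1"; listing="$2"
    printf '%s\n' "$listing" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# Returns 0 when the dscl record carries OriginalNodeName, which is present on
# a mobile account cached from a directory (AD) and absent on a plain local user.
is_mobile_account() {
    printf '%s\n' "$1" | grep -q '^OriginalNodeName:'
}

# Live run on a Mac (assumes fdesetup and dscl exist; reports and returns 2 elsewhere).
run_checks() {
    u="$1"
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found; not macOS?"; return 2; }
    fv_is_on "$(fdesetup status)" || echo "FileVault is not enabled (sudo fdesetup enable)"
    is_mobile_account "$(dscl . -read "/Users/$u" OriginalNodeName 2>/dev/null)" \
        || echo "$u is not a mobile account; convert it before enabling FileVault for it"
    fv_user_enabled "$u" "$(sudo fdesetup list)" \
        || echo "$u is not in the FileVault-enabled user list"
}
```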
By default, FileVault-enabled machines automatically log the user selected at the FileVault login screen straight through to their Desktop session (skipping the regular Desktop login screen), so end users see only one login screen after boot.
To disable this behaviour, so that the Desktop login screen is shown again after FileVault is unlocked, the following group policy also needs to be enabled:
- Computer Configuration / Centrify Settings / Mac OS X Settings / Security & Privacy / FileVault 2 / "Disable automatic login"
Further information on this setting can also be found in this Apple KB: http://support.apple.com/kb/HT5989
Note 2:
FileVault 2 does not support smart card authentication.
Please see the following KB for more information:
In OS X 10.6, FileVault only protects the user's home directory by storing just that folder in an encrypted disk image file.
In OS X 10.7, FileVault 2 is a full disk encryption solution and cannot create a disk image for an individual user.