
KB-6960 Adding additional Users to FileVault unlock group after enabled with Group Policy

2 June,16 at 05:29 PM

Applies to: Centrify Identity Service: Mac Edition



Question:

How can administrators add additional Users to unlock a Mac with FileVault2 enabled, other than the "Managed By" User?
 


Answer:

Using Centrify Group Policy to enable FileVault 2 (with either the Institutional or Personal Key option) requires a "Managed By" User on the Computer Object in Active Directory. That User is able to unlock the drive after a reboot, and their password is synced as well.
 
If additional Users are needed, a Local Administrator on the Mac (whether added manually, or a Network user with elevated permissions granted through Group Policy) can add other users that have a Mobile account on the Mac to the Unlock list in one of two ways:



Option 1 - using System Preferences

1. On the Mac, browse to System Preferences >> Security & Privacy >> FileVault >> and click the "Enable Users" button


2. On the next screen, the Administrator will see all local and mobile (Network) Users. Here, choose "Enable User" to add them to the Unlock list.


3. When selected, this User will need to enter their Password in order to sync with FileVault to allow this User to also unlock the drive after reboot.


4. Once complete, there will be a green check box for the additional User(s) enabled to Unlock the drive after a reboot.





Option 2  - using Terminal

1. An Administrator will need the credentials of the Local Administrator on the Mac (whether added manually, or a Network user with elevated permissions granted through Group Policy). Open Terminal and enter the following command:

     sudo fdesetup add -usertoadd <username_to_add>

2. Next, there will be a prompt to enter a password for FileVault 2. Administrators should enter the password used to unlock the drive, or the recovery key. Once complete, the new user will also need to enter their password to be added to the Unlock list.


Once completed, upon reboot, the new user account will be able to unlock the drive using the password supplied, as well as the user listed in the "Managed by" attribute for the Mac Computer object in Active Directory.
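As an added example (not part of this KB article or a Centrify tool), the following shell script wraps the Option 2 procedure so that an administrator can first confirm which accounts are already able to unlock the volume, using `fdesetup list`, and only run `fdesetup add` for a user that is missing. `fdesetup list` prints one "username,GeneratedUID" line per enabled user; the sample output embedded below is constructed for offline testing, and the UUIDs in it are placeholders.

```shell
#!/bin/sh
# Added example: audit and extend the FileVault unlock list on a Mac.
# Not from the Centrify KB; assumes macOS with the stock `fdesetup` tool.

# Constructed sample of `fdesetup list` output (placeholder UUIDs) so the
# parsing functions can be exercised on a machine without FileVault.
SAMPLE_FDE_LIST='admin,3A6F8C1E-0000-4000-8000-000000000001
jdoe,3A6F8C1E-0000-4000-8000-000000000002'

# fv_user_enabled LIST USER -> exit 0 if USER is in LIST, 1 otherwise.
# The username is the first comma-separated field of each line.
fv_user_enabled() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -qx -- "$2"
}

# fv_enabled_count LIST -> prints the number of FileVault-enabled users.
fv_enabled_count() {
    printf '%s\n' "$1" | grep -c ','
}

# fv_add_if_missing USER: add USER to the unlock list only when it is not
# already present. Needs administrator rights (sudo); fdesetup will then
# prompt interactively for an existing unlock password (or the recovery
# key) and for the new user's password, exactly as in Option 2 above.
fv_add_if_missing() {
    user="$1"
    current="$(sudo fdesetup list)" || return 1
    if fv_user_enabled "$current" "$user"; then
        echo "$user is already enabled for FileVault"
        return 0
    fi
    sudo fdesetup add -usertoadd "$user"
}

# Only call the real tool when it exists (i.e. on macOS) and a user was given.
if command -v fdesetup >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    fv_add_if_missing "$1"
fi
```

Run it as `sudo sh fv_add.sh <username_to_add>` on the Mac; after the add, `sudo fdesetup list` should show the new account alongside the "Managed By" user. Checking the list first avoids a needless password prompt for an account that is already enabled, and the same `fdesetup list` output is a quick way to verify that no unexpected accounts have been granted unlock rights.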
 
