How can administrators add additional Users to unlock a Mac with FileVault2 enabled, other than the "Managed By" User?

Answer:
Enabling FileVault 2 through Centrify Group Policy (with either the Institutional or the Personal recovery key option) requires a "Managed By" user to be set on the Computer object in Active Directory. That user is enabled to unlock the drive after a reboot, and their password is kept in sync with FileVault.
If additional users are needed, a local administrator on the Mac (whether created manually, or a network user granted elevated permissions through Group Policy) can add other users who have a mobile account on the Mac to the unlock list in one of two ways.

Option 1 - using System Preferences
1. On the Mac, open System Preferences >> Security & Privacy >> FileVault and click the "Enable Users" button.
2. The next screen lists all local and mobile (network) user accounts. Click "Enable User" next to each account that should be added to the unlock list.
3. The selected user must then enter their own password so that it is registered with FileVault; this is what allows that user to unlock the drive after a reboot.
4. Once complete, a green check mark appears next to each additional user who is enabled to unlock the drive after a reboot.

Option 2 - using Terminal
1. The administrator needs the credentials of a local administrator on the Mac (whether created manually, or a network user granted elevated permissions through Group Policy). Open Terminal and run:
sudo fdesetup add -usertoadd <username_to_add>
2. fdesetup then prompts for FileVault 2 credentials: enter the password of a user who can already unlock the drive, or the recovery key. Finally, the new user is prompted for their own password, which completes adding them to the unlock list.
Once this is done, after a reboot the new user can unlock the drive with the password they supplied, in addition to the user listed in the "Managed By" attribute of the Mac's Computer object in Active Directory.
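The Terminal option above is interactive. For deployment scripts the same `fdesetup add` can be driven non-interactively with `-inputplist`, reading a property list from stdin. The following is an added example, not part of the Centrify article or of Centrify's own tooling. It assumes a Mac with FileVault 2 already enabled, an account that can already unlock the disk (for example the "Managed By" user), and a local or mobile account to add; the plist layout is the one documented in the fdesetup man page (confirm it against `man fdesetup` on the target macOS version), and the environment variable names FV_PRIMARY_PASS and FV_NEW_PASS are this example's own choice. The sample `fdesetup list` output at the bottom is constructed so the unlock-list check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Centrify KB article): scripted version of
# Option 2. Instead of typing into fdesetup's interactive prompts, it feeds
# `fdesetup add -inputplist` a property list on stdin. Assumptions: macOS
# with FileVault 2 enabled, an account that can already unlock the disk
# (for example the "Managed By" user), and a mobile/local account to add.
# The plist layout follows the fdesetup man page; confirm it against
# `man fdesetup` on the target macOS version.

# Escape the characters that would break the XML plist. A password
# containing '&' or '<' would otherwise make fdesetup reject the input.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Print the -inputplist document to stdout.
#   $1 existing enabled user   $2 its password
#   $3 user to add             $4 that user's password
build_add_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$(xml_escape "$3")</string>
            <key>Password</key>
            <string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# `fdesetup list` prints one "username,UUID" line per enabled user.
# Return 0 if user $2 appears in listing $1, else 1.
fv_user_enabled() {
  printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Enable user $2 using the credentials of already-enabled user $1. Passwords
# are taken from the environment (FV_PRIMARY_PASS, FV_NEW_PASS; names are
# this example's own) and travel only through the pipe: nothing lands in
# argv, `ps` output, shell history or a file on disk. The result is then
# verified against `fdesetup list` rather than trusted from the exit code.
add_fv_user() {
  if ! command -v fdesetup >/dev/null 2>&1; then
    echo "fdesetup not found: this must run on macOS" >&2
    return 2
  fi
  build_add_plist "$1" "$FV_PRIMARY_PASS" "$2" "$FV_NEW_PASS" \
    | sudo fdesetup add -inputplist || return 1
  fv_user_enabled "$(sudo fdesetup list)" "$2"
}

# Constructed sample of `fdesetup list` output, used for the offline check
# below (the UUIDs are made up).
SAMPLE_FDESETUP_LIST='admin,8D17F4D1-2A3B-4C5D-8E9F-0A1B2C3D4E5F
jdoe,1F2E3D4C-5B6A-4798-8A9B-ACBDCEDFE0F1'

if fv_user_enabled "$SAMPLE_FDESETUP_LIST" jdoe; then
  echo "jdoe is on the unlock list"
fi

# Real use on a Mac (passwords supplied via the environment, not argv):
#   FV_PRIMARY_PASS='...' FV_NEW_PASS='...' sh -c '. ./fv_add.sh; add_fv_user admin jdoe'
```

Two practical points: the account being added must already exist on the Mac (for a network user, as a mobile account) or fdesetup will refuse it, and the plist carries two cleartext passwords, so never write it to a file or pass it through a log-collecting wrapper; the pipe keeps it in memory for the lifetime of the command only.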