Many administrators still don't realize that anyone can walk up to an unprotected Mac (one whose disk is not encrypted), power-cycle it, boot into Recovery Mode, and reset any local account's password, including the local administrator and root accounts. It's that simple.
Luckily, there is an easy and efficient way of encrypting your Mac disk drives, and you can leverage Centrify to centralize the management.
Encrypting the disk drive on your Mac computer with FileVault 2 (FV2) and Centrify provides a number of benefits:
- FV2 is Apple's native full-disk encryption for OS X, so no third-party encryption product is required
- Because the disk must be unlocked before the OS boots, FV2 mitigates the Recovery Mode password-reset attack described above: an attacker can still boot to Recovery Mode, but cannot reach the encrypted volume or its account database without an enabled user's password or a recovery key
- Centrify Group Policy enforces FV2 and can deploy an institutional recovery key for administrators (personal recovery keys can still be used instead). If a user forgets the password that unlocks FileVault, the designated Mac administrator can recover the disk with the institutional key
- Once the disk is unlocked at the EFI/FV2 prompt, the unlocking user is, by default, logged straight in to the Mac desktop; the associated FV2 policy “Disable automatic login” (covered in Step 5) prevents this behaviour
Prerequisites
- The Mac must be running OS X 10.9 or later
- The Mac must have the OS X Recovery partition installed and configured (verify with: diskutil list | grep Recovery)
- The local hostname must be identical to the name the Mac was joined to AD with
- Install the latest Centrify DirectControl (DC) agent and join the Mac to your AD domain
- You will need an AD user with sufficient rights (this article assumes Domain Admin) to edit Group Policy and computer objects for the initial setup
- Verify that no other third-party tool is enforcing FV2; if one is, disable its FV2 enforcement before proceeding
- Identify an initial Mobile AD user that will be used to manage the Mac; accounts with local (non-mobile) home directories cannot be used for this initial setup
Step 1 - Create/Export the FV2 Master Keychain Certificate
NOTE - This step is for configuring and using an Institutional Recovery Key; if you plan to use personal recovery keys, skip this section.
- Log in to the Mac as an administrative user and open System Preferences > Users & Groups. If the pane is locked, click the lock icon in the lower left-hand corner and authenticate.
- Select an administrator's account, click the action (gear) icon below the account list, and select “Set Master Password…”; enter a master password, re-type it under Verify, and click OK. This master password protects the private key of the institutional recovery key, so choose a strong one and record it in your password vault. Finally, lock the pane again by clicking the lock icon:
- Next, open /Library/Keychains in Finder and double-click FileVaultMaster.keychain; this opens Keychain Access. Select the “FileVault Recovery Key” certificate and choose “Export…”. Save it as “FileVaultMasterCert” in Certificate (.cer) format:
NOTE - Copy the certificate to a domain server that will be used to administer the GPOs; we will upload it into the Group Policy in a later step of this article. The .cer file holds only the public key and is safe to distribute; the private key stays in /Library/Keychains/FileVaultMaster.keychain, protected by the master password, and is what an administrator needs in order to unlock a disk during recovery. Back that keychain up to a secure, offline location and do not copy it to the managed Macs.
Step 2 (optional) - Enable BitLocker Recovery Password Viewer in AD
NOTE - This step is for configuring and using personal recovery keys; if you plan to use an institutional recovery key, skip this section. Whoever can read the escrowed key in AD can decrypt that Mac, so treat read access to these computer objects as equivalent to access to the disk.
- On your Domain Controller, open Administrative Tools > Server Manager and select “Add Roles and Features”. Step through the wizard until you reach “Features”, and expand Remote Server Administration Tools > Feature Administration Tools. Select “BitLocker Drive Encryption Administration Utilities” and all of the sub-features underneath it, click Next, and click Install. After the utilities are installed, click Close:
- To verify that the utilities are installed, check the Properties of your Domain Controller object in ADUC; you should now see a new “BitLocker Recovery” tab:
Step 3 - Create a Mobile AD User for Unlocking the FileVault
- You can select any AD user for unlocking the FileVault, but this account will be the only user initially able to unlock the disk and authenticate to the Mac; additional accounts are added later in this article once FV2 enablement is complete. A common choice is a dedicated shared account (e.g. “FileVault Recovery”) whose password is kept in a vault.
- The example that we will use here specifies a network home directory for the Mobile AD user and implements basic synchronization settings, thus making it an account with a portable home directory.
- Create and assign a network home folder for your Mobile AD user account. You can use the following two support articles from Microsoft as a reference to perform this task:
- Open the Group Policy Management Console and create a new, or edit an existing, Mac-related “User” GPO. This can be the default domain policy or a policy created for a specific OU. Once the GP Editor is open, expand User Configuration > Policies > Centrify Settings > Mac OS X Settings > Mobility Settings, and set the “Use version specific settings” policy to Enabled.
- In the Mobility Settings folder, select the folder that corresponds to your OS X release (e.g. “Mac OS X 10.8 or above Settings” for 10.11 El Capitan), and set the “Configure mobile account creation” policy to Enabled:
NOTE - Select whichever of the policy's options meet your specific requirements.
- If you want to encrypt the mobile home directory of any new Mobile AD account created at login time, set the “Configure mobile account options” policy to Enabled and select the appropriate fields.
- Enable any additional login/logout “Synchronization Rules” policies that meet your requirements.
- For additional guidance on establishing Mobile AD user accounts, see one of the following resources:
- Centrifying Mobile Blog
- Centrify KB-2896: Setting up Mobile Accounts, via GP, in Auto Zone mode
- Centrify KB-2897: Setting up Mobile Accounts, via GP, in Zone mode
- Centrify KB-3064: Converting Network Account w/o homedir into Mobile Account
Step 4 - Assign the Authorized Mobile AD User to Manage the Mac Encrypted Disk
- Open the Mac computer object Properties in ADUC, and select the “Managed By” tab.
- Click “Change…”, add the Mobile AD user from the previous section, and click OK:
NOTE - You can automate this step for all subsequent AD-joined Macs with the Centrify Server Suite APIs (e.g. adedit on UNIX/Linux or PowerShell on Windows), or with any tool that can write the managedBy attribute of the computer object:
Step 5 - Enable the FV2 Group Policies
- Open the Group Policy Management Console and create a new, or edit an existing, Mac-related “Computer” GPO. This can be the default domain policy or a policy created for a specific OU. Once the GP Editor is open, expand Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > FileVault 2, and set the “Enable FileVault 2” policy to Enabled. Select and upload the certificate that you exported and copied over in Step 1:
NOTE - If you plan to use personal recovery keys instead, leave the “Use Institutional Recovery Key” box unchecked. In that case the personal key is generated on the Mac and escrowed to the Mac's computer object in AD after the Mac reboots (or the agent restarts), a user logs in, and logs back out. If you do not want the unlocking user to be taken straight to the desktop after the FV2 prompt, also set the “Disable automatic login” policy to Enabled.
- Don’t run adgpupdate yet; you will sync the policies in the next section.
Step 6 - Activating FV2 and Verification
NOTE - Starting up the Mac requires the authorized Mobile AD user to unlock the disk at the FV2 prompt. By default that account is then logged straight in to the desktop and has to log out before other network users can log in; enable the “Disable automatic login” policy from the previous section if the unlock should land on the normal login window instead.
- Log in as the Mobile AD user account (aka, the “Managed By” user), open Terminal, and run “adgpupdate” on the Mac (or optionally wait for the next GP refresh):
mac-capitan:~ dwirth$ adgpupdate
Refreshing Computer Policy...
Success
Refreshing User Policy...
Success
mac-capitan:~ dwirth$
- Go to System Preferences > Users & Groups, and verify that “Mobile” is listed under the Mobile AD user account:
- Log out as the Mobile AD user account; this triggers the mobility sync. Log back in as the Mobile AD user account, and then log out again.
NOTE - If you’re not presented with a FileVault enablement password prompt, it may be due to the Mobile AD user account previously logging into this Mac; in this case, try rebooting, then log in, and log back out as the user.
- At the FileVault enablement prompt, enter the Mobile AD user's password; this adds that account (the Managed By user) as a FileVault-enabled user. You will then see a prompt that FileVault is being enabled, and the Mac will reboot.
- At the EFI/FV2 login prompt, enter the password of the Mobile AD user account. If the “Disable automatic login” policy is Enabled, you will be presented with the standard network login window; if not, you will automatically be logged in to the Mac desktop environment as the Mobile AD user.
- Go to System Preferences > Security & Privacy > FileVault, and verify that FileVault is enabled and that the disk is encrypting. Once encryption is complete, you can enable additional (existing) local accounts to unlock the disk: in the same pane, click the lock icon to unlock it and select “Enable Users…” (a user does not have to be an Administrator to be enabled for unlocking FileVault).
NOTE - any pre-existing local users will need to be “Enabled” via FileVault “Enable Users…” in System Preferences; any new local users are automatically added to FileVault.
- For enabling additional Mobile AD user accounts, make sure that the user has a defined network home directory, and log in to the Mac. The new Mobile AD user account will see a message, “Create a mobile account with a portable home directory?”. Select Yes, and then that Mobile AD user will now show up in the FileVault “Enable Users…” option.
- Once all available users are enabled to unlock the FileVault, you will no longer see the FileVault “Enable Users…” option in System Preferences.
- You can use the following command in the Terminal to see if a “Managed By” user has been specified for the Mac:
mac-capitan:~ dwirth$ adquery user --attribute managedBy mac-capitan$
CN=Diana Wirth,OU=IT,OU=Staff,DC=centrify,DC=vms
mac-capitan:~ dwirth$
- For any additional Macs on which you want to enable FileVault 2: join the Mac to your domain via the DirectControl agent, update the “Managed By” field of its computer object, and make sure that the computer object resides in an OU where the FileVault policies are applied. Each Mobile AD user must log in to the new Mac once, so that the local mobile account is created, before that user can be enabled for unlocking the disk.
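As an added example (a shell script written for this article, not code from the original page or from Centrify), the following bundles the checks this procedure calls for: the prerequisites (Recovery partition present, local hostname equal to the AD-joined name), the Step 4 Managed By verification via adquery, and the Step 6 checks that FileVault is on and that a given user can unlock the disk. Each check parses command output passed in as an argument, so the SAMPLE_* strings (constructed here, not captured from a real Mac) exercise the logic offline. Two assumptions are mine rather than the page's: that adinfo --name prints the computer name the Mac was joined with, and that fdesetup list prints one user,GUID line per enabled user.

```shell
#!/bin/sh
# fv2_preflight.sh - added example; not code from the original article or from Centrify.
# Pre-flight and post-enablement checks for a Centrify-managed FileVault 2 rollout.
# Every check function takes COMMAND OUTPUT as its first argument, so the parsing can be
# exercised offline with the constructed SAMPLE_* strings ("selftest" sub-command);
# "check" feeds the same functions the live command output on the Mac (run as root).
#
# Assumptions not stated on the original page: `adinfo --name` prints the AD computer
# name the Mac was joined with, and `fdesetup list` prints one "user,GUID" line per
# FileVault-enabled user.

# Prerequisite: OS X Recovery partition present (page check: diskutil list | grep Recovery).
has_recovery_partition() {
    printf '%s\n' "$1" | grep -q 'Recovery'
}

# Prerequisite: local hostname equals the AD-joined name. Case-insensitive; a trailing
# '$' on the AD account name (mac-capitan$) is ignored.
hostname_matches() {
    lhs=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    rhs=$(printf '%s' "$2" | sed 's/\$$//' | tr 'A-Z' 'a-z')
    [ -n "$lhs" ] && [ "$lhs" = "$rhs" ]
}

# Step 4: "Managed By" is set to the expected user. $1 = output of
# `adquery user --attribute managedBy <computer>$`, $2 = expected CN (e.g. "Diana Wirth").
managed_by_is() {
    dn=$(printf '%s\n' "$1" | grep -i '^CN=' | head -n 1)
    [ -n "$dn" ] || return 1
    cn=$(printf '%s' "$dn" | sed 's/^[Cc][Nn]=//; s/,.*$//')
    [ "$cn" = "$2" ]
}

# Step 6: FileVault is turned on. $1 = output of `fdesetup status`.
filevault_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Step 6: user $2 is enabled to unlock the disk. $1 = output of `fdesetup list`.
fv_user_enabled() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -qx "$2"
}

# --- constructed sample output (not captured from a real Mac) ---
SAMPLE_DISKUTIL='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.4 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'
SAMPLE_MANAGEDBY='CN=Diana Wirth,OU=IT,OU=Staff,DC=centrify,DC=vms'
SAMPLE_FDE_STATUS='FileVault is On.'
SAMPLE_FDE_LIST='dwirth,5B0C3E9A-1111-2222-3333-444455556666
fvrecovery,0F1E2D3C-AAAA-BBBB-CCCC-DDDDEEEEFFFF'

# Runs every check against the samples (positive and negative case); 0 only if all pass.
selftest() {
    has_recovery_partition "$SAMPLE_DISKUTIL" &&
    ! has_recovery_partition '   2:   Apple_HFS Macintosh HD   499.4 GB   disk0s2' &&
    hostname_matches 'Mac-Capitan' 'mac-capitan$' &&
    ! hostname_matches 'macbook-01' 'mac-capitan$' &&
    managed_by_is "$SAMPLE_MANAGEDBY" 'Diana Wirth' &&
    ! managed_by_is '' 'Diana Wirth' &&
    filevault_is_on "$SAMPLE_FDE_STATUS" &&
    ! filevault_is_on 'FileVault is Off.' &&
    fv_user_enabled "$SAMPLE_FDE_LIST" fvrecovery &&
    ! fv_user_enabled "$SAMPLE_FDE_LIST" root
}

report() {   # $1 = exit status of the check just run, $2 = label
    if [ "$1" -eq 0 ]; then echo "ok    $2"; else echo "FAIL  $2"; failed=1; fi
}

run_checks() {   # $1 = expected "Managed By" CN, $2 = Mobile AD user short name
    failed=0
    ad_name=$(adinfo --name 2>/dev/null)                 # assumed flag, see header
    has_recovery_partition "$(diskutil list)";            report $? 'Recovery partition present'
    hostname_matches "$(scutil --get LocalHostName)" "$ad_name"
    report $? "local hostname matches AD name ($ad_name)"
    managed_by_is "$(adquery user --attribute managedBy "${ad_name}\$")" "$1"
    report $? "Managed By is $1"
    filevault_is_on "$(fdesetup status)";                 report $? 'FileVault is On'
    fv_user_enabled "$(fdesetup list)" "$2";              report $? "$2 can unlock the disk"
    return "$failed"
}

case "${1:-}" in
    check)    run_checks "$2" "$3" ;;
    selftest) selftest && echo 'selftest passed' ;;
    '')       : ;;   # no sub-command: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 check '<Managed By CN>' <mobile-user> | selftest" >&2; exit 2 ;;
esac
```

Run sudo sh fv2_preflight.sh check 'Diana Wirth' dwirth on the Mac after Step 6 (fdesetup needs root), or sh fv2_preflight.sh selftest anywhere to exercise the parsing. Keep the positive and negative sample cases in selftest when you adapt the parsing to another OS X release, so a changed diskutil or fdesetup output format fails loudly instead of silently passing.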
Appendix - How to Disable FV2
- Open the Group Policy Management Console, and edit the existing Mac-related “Computer” GPO at Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > FileVault 2.
- Set the “Enable FileVault 2” and "Disable automatic login" policies to “Not configured”.
- Turn off FileVault manually from System Preferences (disabling the policies above does not turn off FileVault; it has to be done manually)
- Restart the Mac computer, and verify that the FileVault prompt doesn’t appear.
- Open FileVault in System Preferences; wait until the disk finishes decrypting and FileVault displays the status “turned off”.
- Disable the mobility settings associated with the FileVault user (optional)
- Clear the “Managed By” field for the Mac computer object