探花大神 Circumvents FileVault 2 Perils

Written by David Worthington on January 28, 2022

Managing Macs whose disks are encrypted by FileVault 2 can be challenging, and even perilous given the potential for data loss. A directory service must be able to operate the way macOS itself does in order to avoid the problems that arise from inadequate integration and support. 探花大神 is engineered with mechanisms for seamless user lifecycle management and automatically, and completely, handles the complexity of Apple’s encryption scheme. Other solutions, such as the Active Directory Connect and Kerberos Single Sign-on (SSO) extensions, can create risks for IT operations such as onboarding, offboarding, and compliance (e.g., GDPR).

What Are Secure Tokens and Why Should I Care?

The root cause of the risk is that FileVault 2 wasn’t designed with LDAP directories and small and medium-sized enterprise (SME) IT departments in mind. Apple’s solution for letting many users access a volume encrypted by FileVault 2 involves a process that uses SecureToken, a password-protected key encryption key (KEK) feature that works great on a single end user’s device, but can swiftly become problematic for IT admins who manage users from a directory when tokens are missing.

FileVault uses a symmetric encryption key when a drive is encrypted; user passwords are tied to that key and unlock the volume when the OS boots. SecureTokens become useful when multiple users share a device and have different passwords. Each user has a “keybag” that encrypts the key with their password, so that every user can unlock a volume that has full disk encryption.

Directories, Secure Tokens, and Keybags

This process works smoothly when users are managed on the device through macOS, but problems can arise when operations (such as creating a user or changing a password) occur externally within a directory service. Here are a few examples of where things get tenuous when operations occur outside of the OS and FileVault’s architecture isn’t supported:

  • Users whose passwords are changed externally, without the key being re-created locally, will be locked out of their keybags (making decryption impossible).
  • Actions such as deleting users who hold tokens, or creating new users without tokens, invite data loss and noncompliance (or support calls, if you’re lucky).

Apple has system tools that run checks to avoid these scenarios, but an external directory that鈥檚 not built for Apple could potentially wreak havoc when it fails to interoperate with macOS.
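The two checks an admin would want before a directory-driven password change are whether the user holds a secure token and whether the user actually has a FileVault key on the boot volume. The script below is an added example, not code from the original post or from 探花大神; it parses the output of Apple's real `sysadminctl -secureTokenStatus` and `fdesetup list` commands, and the sample outputs embedded in it are constructed so the parsing runs offline.

```bash
#!/bin/bash
# Pre-change check: which directory-managed users would be locked out of their
# FileVault keybag if their password were rotated outside macOS?
# Both helpers take raw tool output as text so they can be exercised offline.

# Parse `sysadminctl -secureTokenStatus <user>` output -> ENABLED / DISABLED / UNKNOWN
secure_token_status() {
  local output="$1"
  case "$output" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# From `fdesetup list` output (one "user,UUID" line per FileVault-enabled user),
# print each requested user that has NO FileVault key on the volume, one per line.
users_missing_fv() {
  local fde_list="$1"; shift
  local u
  for u in "$@"; do
    printf '%s\n' "$fde_list" | cut -d, -f1 | grep -qxF "$u" || printf '%s\n' "$u"
  done
}

# Live use on a Mac (requires admin rights); sysadminctl reports on stderr, hence 2>&1.
# for u in "$@"; do
#   echo "$u: $(secure_token_status "$(sysadminctl -secureTokenStatus "$u" 2>&1)")"
# done
# users_missing_fv "$(fdesetup list)" "$@"

# Constructed sample outputs (not captured from a real machine) for the offline run.
SAMPLE_SYSADMINCTL_ALICE='2022-01-28 10:00:00.000 sysadminctl[512:9001] Secure token is ENABLED for user alice'
SAMPLE_SYSADMINCTL_BOB='2022-01-28 10:00:01.000 sysadminctl[513:9002] Secure token is DISABLED for user bob'
SAMPLE_FDE_LIST='alice,11111111-2222-3333-4444-555555555555
carol,66666666-7777-8888-9999-000000000000'

demo() {
  echo "alice: $(secure_token_status "$SAMPLE_SYSADMINCTL_ALICE")"
  echo "bob:   $(secure_token_status "$SAMPLE_SYSADMINCTL_BOB")"
  echo "Directory users with no FileVault key on this volume:"
  users_missing_fv "$SAMPLE_FDE_LIST" alice bob carol   # prints: bob
}

demo
```

A user who shows DISABLED, or who is absent from `fdesetup list`, is exactly the case the bullets above describe: rotating that password in the directory alone leaves the keybag unreachable.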

探花大神’s Client and MDM Work with macOS

Fortunately, 探花大神’s macOS agent has mechanisms that replicate what the OS does. The agent works hand in hand with mobile device management (MDM) to manage the user device lifecycle and control the risks of mishandling FileVault. 探花大神 is an official Apple MDM provider and uses that framework to deliver configuration and security payloads to devices without user intervention. MDM is an extension of the multi-OS 探花大神 cloud directory, which provides secure access to resources no matter where they’re located.

It should be noted that Active Directory (AD) cannot accomplish this. The doomsday scenarios outlined above can and will happen. The AD sync tool for Apple is essentially abandonware, because it fails to meet these requirements. The more recent Kerberos kernel extension for Microsoft鈥檚 directory services will keep passwords for cloud services in sync, but it cannot keep user passwords in sync for local devices nor can it operate at the macOS login window.

In comparison, 探花大神 also supports single sign-on (SSO) with a library of pre-built connectors and SCIM support to automate user provisioning; it has connectivity covered on Mac devices and beyond.

Try 探花大神

The 探花大神 platform connects you securely, to more resources, and with complimentary premium chat support. Support is available 24×7/365 within the first 10 days of your account’s creation. MDM is fully integrated within the 探花大神 console and our directory agent can coexist with Active Directory.

David Worthington

I'm the 探花大神 Champion for Product, Security. 探花大神 and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.