Scotch_Brawth

Q: FileVault 2: Prevent new accounts from unlocking on boot?

Hi,

I followed a different, though supported, method for encrypting my boot disk: clone the contents, format the drive as HFS encrypted, then clone the contents back.  This gives you a unique boot password that takes you straight to the login screen, and no users can unlock the drive.  Yesterday I created a new user, and today discovered that it had appeared on the boot screen.  Selecting then entering the password for that user unlocked the drive and took me straight into that account.

I followed the steps to remove the password from the user using this tutorial, but contrary to expectations, this didn't remove the option to log in as this user at the boot screen.  It also didn't change the password for that user at the boot screen.  However, it wouldn't automatically log in as that user because the user's password was now blank; so, it only went as far as the login screen.  So, it seems the method outlined in the tutorial doesn't work for user accounts created after FileVault 2 has been enabled.

Don't suppose anyone knows a way of creating new users without granting them automatic rights to unlock the drive?

Mac mini (Mid 2011), OS X Mountain Lion, 8GB RAM, 500GB HDD

Posted on Jan 18, 2013 11:46 PM


  • by Scotch_Brawth, Level 3 (820 points), Feb 1, 2013 1:31 PM in response to Scotch_Brawth

    No-one?

  • by Eric Root, Level 9 (72,884 points), Feb 1, 2013 2:33 PM in response to Scotch_Brawth

    What do you see if you go to System Preferences/Security & Privacy/FileVault?

    [Screenshot attached: Screen Shot 2013-02-01 at 5.31.24 PM.png]

    Have you tried creating a standard user instead of an admin user?

  • by Scotch_Brawth, Level 3 (820 points), Feb 1, 2013 4:19 PM in response to Eric Root

    Thanks for replying

    What do you see if you go to System Preferences/Security & Privacy/FileVault?

    It shows that both of my current users (1 admin, 1 standard) are unable to unlock the disk.  This is the expected and desired behaviour.

    Have you tried creating a standard user instead of an admin user?

    It was a standard user.

  • by Eric Root, Level 9 (72,884 points), Feb 2, 2013 8:59 AM in response to Scotch_Brawth

    From System Preferences Help:

    If the computer has multiple users, a list of users appears. You can enable a user to allow them to log in after the computer starts up. If they are not enabled, an administrator will need to log in first, before the user can log in.

    Are you logging in as an admin and then the other user? Try a restart and see if you can log in first as the standard user.

  • by Scotch_Brawth, Level 3 (820 points), Feb 2, 2013 2:53 PM in response to Eric Root

    I'm afraid you've misunderstood.  The method I'm using doesn't involve any user logging in at all.  The drive itself has its own password that is unrelated to any user.  When I boot, I'm prompted for the drive's password, and then simply proceed directly to the Login screen.  This is an Apple-supported use of FileVault 2.

    My issue is that, as soon as I create a new user, it automatically gains the right to decrypt the drive on boot using its own password.  So, to clarify: if I create a new user, then restart the machine, I'm presented with two options:

    1) Enter the password for the new user.  This causes the drive to be decrypted, and the OS to proceed to boot directly to that user's account.

    2) Enter the drive's password.  This decrypts the drive and takes me to the Login screen.

    I hope that makes things clearer.  (2) is all I want; (1) is not wanted at all.
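The situation described above (a newly created account silently gaining the ability to unlock the disk at boot) is the kind of drift an administrator would want to catch rather than discover at the login screen. The script below is an added example, not code from this thread or from Apple: it audits the accounts FileVault 2 currently lists as unlock-enabled against an allowlist and prints the `fdesetup remove -user` command that would revoke each unexpected one, without executing anything. It assumes the macOS 10.8+ `fdesetup list` command, whose output is taken here to be one `username,UUID` line per enabled account; the two-line sample output and the user names in it are constructed for offline runs, and the `FV_AUDIT_LIVE` switch and `ALLOWED_UNLOCK_USERS` allowlist are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): audit which accounts FileVault 2 will
# accept at the pre-boot unlock screen, and report any that are not expected.
# Assumption: `sudo fdesetup list` (macOS 10.8+) prints one "username,UUID"
# line per unlock-enabled account.

# Constructed sample of `fdesetup list` output so the script runs offline.
SAMPLE_FDESETUP_LIST='admin,11111111-2222-3333-4444-555555555555
newuser,66666666-7777-8888-9999-000000000000'

# Space-separated accounts that are allowed to unlock the disk.
# Empty means nobody should be able to (disk-password-only boot, as in the thread).
ALLOWED_UNLOCK_USERS=""

# Return 0 if account $1 appears in fdesetup list output $2, else 1.
is_unlock_enabled() {
    printf '%s\n' "$2" | cut -d, -f1 | grep -qxF -- "$1"
}

# Print, one per line, the accounts present in fdesetup list output $1
# that are not in the space-separated allowlist $2.
unexpected_unlock_users() {
    list_output="$1"
    allowed="$2"
    printf '%s\n' "$list_output" | while IFS=, read -r user uuid; do
        [ -z "$user" ] && continue          # skip blank lines; uuid is unused
        case " $allowed " in
            *" $user "*) ;;                 # allowlisted, nothing to report
            *) printf '%s\n' "$user" ;;
        esac
    done
}

# Print the revocation command for each unexpected account. Commands are
# only printed for review; nothing here changes the FileVault configuration.
remediation_commands() {
    unexpected_unlock_users "$1" "$2" | while read -r user; do
        printf 'sudo fdesetup remove -user %s\n' "$user"
    done
}

# With FV_AUDIT_LIVE=1 on a Mac, audit the real list; otherwise use the sample.
if [ "${FV_AUDIT_LIVE:-0}" = "1" ]; then
    live_list=$(sudo fdesetup list)
    remediation_commands "$live_list" "$ALLOWED_UNLOCK_USERS"
else
    remediation_commands "$SAMPLE_FDESETUP_LIST" "$ALLOWED_UNLOCK_USERS"
fi
```

Run it periodically (or after each account creation) and diff the output: with an empty allowlist it flags every unlock-enabled account, which is exactly the state the original poster wants to maintain, and it only ever prints the revocation commands so that an operator reviews them before applying.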

  • by mcacovic, Level 1 (0 points), Jun 18, 2013 9:13 AM in response to Scotch_Brawth

    I am also banging my head over the same issue re: as soon as I create a new user, it automatically gains the right to decrypt the drive on boot using its own password.

    Oddly enough, when I bind the Mac to AD, the AD account is NOT automatically enabled to unlock FV2 (as expected).

    I create a master image of OS X then clone to client computers. The computer is encrypted afterwards.

    Really odd behaviour!

  • by KeithEllis, Level 1 (30 points), Jun 13, 2015 3:19 AM in response to Scotch_Brawth

    I realise this is an old post but I was having the same problem.  I think I have found a resolution.  Remove the password for the user whom you do not want to be able to unlock FileVault.

    Instructions are here:

    http://www.engadget.com/2011/12/12/prevent-certain-accounts-from-unlocking-filevault-2/

    Keith.