
Enable network user accounts to unlock encrypted Mac (OpenDirectory/FileVault)

How does one go about allowing network user accounts to unlock an encrypted Mac?


I have an iMac client with macOS Mojave 10.14.5 installed and bound to an OpenDirectory server. If the HD isn't encrypted (FileVault off) I am given a Name and Password field on startup. If FileVault is turned on I am presented with the Admin account and a prompt for a password to unlock the drive.


I'd hoped to be able to log in as the Admin and find an 'Enable Users' button in the FileVault settings but that's not the case.


I'd really appreciate it if anyone has any pointers.

Posted on Jul 3, 2019 2:30 PM

Question marked as Top-ranking reply

Posted on Jul 5, 2019 9:08 AM

It depends on your definition of a network user.


At the pre-boot stage that is running when a FileVault2 login is occurring, the Mac has no network connection running at all, and you cannot use a full-blown network account because without a network connection it will not be able to contact the directory server. Furthermore, the pre-boot login only allows accounts that have been explicitly allowed, and this is achieved by having their credentials stored in the pre-boot login environment, which obviously is not part of the main boot environment, since the main boot environment is at that point stored on the encrypted drive and not accessible.


What is possible is to create a 'mobile' account. This is a local user account which is linked to and synchronised with a directory service such as Open Directory or Active Directory. With a mobile account you have a matching local account that can be used even when you have no network connection or are, for any other reason (e.g. being out of the office), unable to communicate with the Directory Server. Unless you laboriously created mobile accounts to mirror each and every single network user account, only those you have added as mobile accounts and enabled for FileVault2 logins would be able to log in for FileVault2 purposes.


The creation of a 'mobile' account is triggered when you log in to a Mac using a network login account and the computer has been told to then automatically create, or offer to create, a mobile account. (Often the default behaviour.)
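
As an added example (not part of the reply above, and not Apple's own tooling), this shell function classifies an account the way the reply describes: already enabled for pre-boot unlock, a mobile (locally cached) account not yet enabled, or a pure network account with no local record. It assumes `fdesetup list` prints `shortname,UUID` lines and that a mobile account's `AuthenticationAuthority` contains `LocalCachedUser`; the function name, sample users and sample values are constructed.

```shell
#!/bin/sh
# Inputs are passed in as text so the logic can be exercised offline.
# On a Mac they would come from:
#   fv_list=$(sudo fdesetup list)
#   auth=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)

# Constructed sample data (not taken from a real machine).
SAMPLE_FV_LIST='admin,00000000-0000-0000-0000-000000000001'
SAMPLE_LOCAL_AUTH='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_MOBILE_AUTH='AuthenticationAuthority: ;LocalCachedUser;/LDAPv3/od.example.com:jdoe:00000000-0000-0000-0000-000000000002'
SAMPLE_NETWORK_AUTH=''   # dscl finds no record in the local node

# fv_unlock_status (hypothetical helper): USER FDESETUP_LIST AUTH_AUTHORITY
fv_unlock_status() {
    user=$1 fv_list=$2 auth=$3

    # Exact match on the short-name column of `fdesetup list`.
    if printf '%s\n' "$fv_list" | cut -d, -f1 | grep -Fxq -- "$user"; then
        echo "enabled"
        return 0
    fi

    # No local record: the account exists only on the directory server,
    # so there is nothing that can be stored for pre-boot.
    if [ -z "$auth" ]; then
        echo "network-only"
        return 0
    fi

    case $auth in
        *LocalCachedUser*) echo "mobile-not-enabled" ;;  # candidate for fdesetup add
        *)                 echo "local-not-enabled" ;;
    esac
}

# Demonstration on the constructed samples.
for pair in "admin:$SAMPLE_LOCAL_AUTH" "jdoe:$SAMPLE_MOBILE_AUTH" "netuser:$SAMPLE_NETWORK_AUTH"; do
    name=${pair%%:*}
    printf '%s: %s\n' "$name" "$(fv_unlock_status "$name" "$SAMPLE_FV_LIST" "${pair#*:}")"
done
```
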

Jul 4, 2019 4:52 AM in response to ClassicII

Hi ClassicII, many thanks for taking the time to reply.

I have tried as you suggested but sadly it didn't work as the OD user couldn't be authenticated. This doesn't make sense to me. The Mac is bound to the OD and if one logs out of the ADMIN account (the only local account) one can then log in as any of the OD users.


This is what I entered and received in terminal (just in case I've made an error)


iMac:~ admin$ sudo fdesetup add -user USERNAME -usertoadd ADMIN

Enter the password for user 'USERNAME':

Enter the password for the added user 'ADMIN':

Error: User 'USERNAME' could not be found.

OD user 'USERNAME' could not be authenticated.

Error: Unable to add one or more users to FileVault. (11)


The sudo fdesetup list shows only the local ADMIN account.


If you have any further advice I'd really appreciate it.


Thanks



Jul 3, 2019 7:51 PM in response to mcllama

Yes, you should be able to do this. Multiple users can unlock FileVault at the PreBoot when you first turn the mac on.


If you go into System Preferences > Security & Privacy > FileVault


You should see a button that says "Enable Users". Inside that should be your directory account.


If not, you can still enable the user in Terminal using:


sudo fdesetup add -user directoryuserhere -usertoadd adminuserhere


Then check by running


sudo fdesetup list




