Can a guest login with File Vault?

Question

Can a guest login with File Vault?

The new FileVault 2 is nice, I like that it encrypts the whole disk. However, how does this work with guest users? I want to use Undercover on my Mac so I can track it if it's stolen, but this kind of requires someone to be able to login to the Mac so they can connect to the internet, etc. Thus, I keep a guest user enabled on the machine so they can do this.

But, if a guest user cannot login to a FileVault-locked machine, I can't track them, and my Mac is gone for good. They can't decrypt my disk--but big whoop, *I* can no longer get to my data, either. If I could encrypt my disk with FileVault, and still allow a guest user to login, then not only can they not access my data no matter what, but I can also recover my machine.

Any solution for this?

/mike

Various, including MacBook Pro, Powerbook G4, iMac G5, and Intel iMac, Mac OS X (10.5.6)

Posted on Jul 23, 2011 1:32 PM

Reply

Answer 1

Jul 23, 2011 1:40 PM in response to Mike Mitchell4

My concerns exactly.

Being an Undercover user myself, I am writing right now to Orbicule in order to know how their software would work with this 😉 They should know something.

support@orbicule.com

Hope it helps.

JJ

Reply

Answer 2

Jul 23, 2011 1:46 PM in response to rolandomerida

I already did that. They said:

"As you pointed out, Filevault 2 does not allow the Mac to boot, unless you know the password. As a result, no apps can be run without the password. This includes Undercover, and even Apple's own FindMyMac software.

So basically you have to choose between protecting your data with FileVault or having a chance to recover your Mac. I'm sorry to say this, but this is how Apple has designed FileVault 2.

We have been looking for a workaround, but right now none does exist. It's a shame indeed."

/mike

Reply

Answer 3

Jul 23, 2011 1:53 PM in response to Mike Mitchell4

Wow, that's terrible. They haven't replied yet to my email, so thanks for the update. This kind of things should be mentioned somewhere when talking about apps NOT compatible with Lion or with some of its features.

In this case, it's a real bummer!

Thanks.

JJ

Reply

Answer 4

tonywong

Level 1

15 points

Aug 5, 2011 12:52 PM in response to Mike Mitchell4

You can use legacy file vault to encrypt just your user and have guest logins, or you can create a single standard user and put the password in the hint field, or have your system automatically log into the standard user.

For example, I turned made a standard account with the name 'publicuser' and a three letter password and put that into the hint field.

Reply

Answer 5

Aug 5, 2011 1:13 PM in response to tonywong

Thanks. The first is a reasonable suggestion.

I don't know whether the second is helpful. Mainly I don't know this because I don't know what having a user account who's enabled to unlock the disk truly enables them to do. If a user can unlock the disk, can they then just login and see the disk contents they normally have access to (which can be locked down with permissions), or can they then somehow get onto the disk via a remote mount or something similar and pull the data off the disk, having unlocked it?

What I'd like is for the Guest user to be able to login and use the computer, but otherwise not have the disk unlocked for any other means of access. Not sure that's possible.

Reply

Answer 6

tonywong

Level 1

15 points

Aug 5, 2011 1:55 PM in response to Mike Mitchell4

A standard user will require an administrator password to change settings like file vault or log in changes, but it definitely has more priviledges than a guest user.

A standard user should only be able to access their home folder and have limited access to the applications folder. Adding or deleting things to the apps folder triggers an administrator level authentication request.

The only reason why I found this thread is because I'm looking to do exactly the same thing as you, but File Vault 2 and guest logins are currently incompatible.

Reply