Apr 7, 2012 10:33 AM (in response to TestBeforeSelling)
My recommendation here would be to avoid FileVault on the boot volume, and instead put sensitive data into encrypted disk images or on secondary hard drives that are encrypted. Perhaps one could rewrite the EFI firmware to store the FileVault password or encryption keys and automatically unlock the volume, but this would defeat the purpose of FileVault.
As it stands, if you need to do remote work that requires rebooting then you should not enable FileVault on the boot volume.
Apr 7, 2012 11:10 AM (in response to Topher Kessler)
Thanks for your comments. But, as I say, I have to use FDE on the boot volume whether I like it or not, and I have to admin the Macs remotely.
To me it's ridiculous for FDE to impose such a restriction on remote working (or vice versa). Clearly a massive oversight.
More and more remote admins will get hit by this, as and when their organizations insist on ALL drives having FDE as standard, confidential data on them or not, which is where things are heading fast. Our company is not so unusual in that regard, and there will be more to follow.
Apr 7, 2012 11:25 AM (in response to TestBeforeSelling)
One option is to get a KVM switch that has remote access capability, such as the following: http://www.rackmountmart.com/rmLCD/lcdK1039.htm
From here you could reboot the system and provide the initial login credentials to unlock the drive via the switch, followed by directly accessing the system via SSH or VNC (or continuing to use the switch).
Apr 7, 2012 11:39 AM (in response to Topher Kessler)
I can see that would work, thanks, but I'm afraid again it's not an option for me. We're simply not allowed to connect our own networking devices, e.g. switches etc., to the company network. This is normal policy in larger organizations, and understandably so.
It was hard enough getting the Macs themselves to be allowed on the network, and every so often I have to fight to keep it that way.
Apr 10, 2012 11:12 AM (in response to TestBeforeSelling)
Just to update after checking out some alternative FDE solutions, I see most of them have taken on board the importance to (and rights of!) admins of being able to remotely reboot the Macs they support. The vendors (e.g. Sophos) provide admins with the means (typically via CLI) to temporarily bypass the initial preboot authentication. Not rocket science of course.
Some would say this approach potentially weakens the security, somewhat defeating the very purpose of FDE. OK, so maybe there is a greater risk in some situations, yet admins are still free to use the feature entirely at their own discretion (and are usually best placed to be aware of the actual conditions they work in).
The important principle to me here is that the paying customers for such software should remain free to choose what they do with the product (short of breaking any licensing rules).
So come on Apple please, let's have solutions that fit real use in the real world! A PBA bypass feature in FV2 would be such a step.
... rant over (and shameless bump!)
Nov 27, 2012 12:38 PM (in response to TestBeforeSelling)
In 10.8.2, Apple built in the ability to initiate an authorized pre-boot authentication bypass via CLI:
sudo fdesetup authrestart
This essentially allows you to provide credentials for the pre-boot authentication when you're initiating the restart action.
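A preflight wrapper around the command above, as an added example that is not part of the original post: it refuses to restart a remote Mac that would otherwise stop at the pre-boot login screen. It assumes the script runs as root on the target Mac, that `fdesetup status` reports "FileVault is On." for an encrypted boot volume, and that `fdesetup supportsauthrestart` prints `true` on capable hardware; the function names and the `--restart` argument are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the thread. Run as root on the Mac being
# restarted (for instance over SSH). Function names are hypothetical.

# fv_preflight: return 0 only when an authenticated restart is both needed
# and possible. Return codes: 2 = status unavailable, 3 = FileVault not on,
# 5 = hardware/OS does not support authrestart.
fv_preflight() {
    fv_state=$(fdesetup status 2>/dev/null) || {
        echo "cannot query FileVault status (not root, or no fdesetup?)" >&2
        return 2
    }
    case $fv_state in
        *"FileVault is On."*) ;;
        *)
            echo "FileVault is not on; authrestart does not apply" >&2
            return 3
            ;;
    esac
    # Without this check a remote restart on unsupported hardware leaves
    # the machine waiting at the pre-boot unlock screen, out of reach.
    fv_support=$(fdesetup supportsauthrestart 2>/dev/null)
    if [ "$fv_support" != "true" ]; then
        echo "authrestart unsupported here; not restarting" >&2
        return 5
    fi
    return 0
}

# fv_remote_restart: run the preflight, then hand over to authrestart,
# which asks for the unlock credentials before the machine goes down.
fv_remote_restart() {
    fv_preflight || return $?
    fdesetup authrestart
}

# Only restart when asked to explicitly: sh this-script.sh --restart
if [ "${1:-}" = "--restart" ]; then
    fv_remote_restart
fi
```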