FileVault 2: Prevent new accounts from unlocking on boot?

Hi,


I followed a different, though supported, method for encrypting my boot disk: clone the contents, format the drive as HFS encrypted, then clone the contents back. This gives you a unique boot password that takes you straight to the login screen, and no users can unlock the drive. Yesterday I created a new user, and today discovered that it had appeared on the boot screen. Selecting then entering the password for that user unlocked the drive and took me straight into that account.


I followed the steps to remove the password from the user using this tutorial, but contrary to expectations, this didn't remove the option to log in as this user at the boot screen. It also didn't change the password for that user at the boot screen. However, it wouldn't automatically log in as that user because the user's password was now blank; so, it only went as far as the login screen. So, it seems the method outlined in the tutorial doesn't work for user accounts created after FileVault 2 has been enabled.


Don't suppose anyone knows a way of creating new users without granting them automatic rights to unlock the drive?

Mac mini (Mid 2011), OS X Mountain Lion, 8GB RAM, 500GB HDD

Posted on Jan 18, 2013 11:46 PM


Feb 2, 2013 8:59 AM in response to Scotch_Brawth

From System Preferences Help:


If the computer has multiple users, a list of users appears. You can enable a user to allow them to log in after the computer starts up. If they are not enabled, an administrator will need to log in first, before the user can log in.


Are you logging in as an admin and then the other user? Try a restart and see if you can log in first as the standard user.

Feb 2, 2013 2:53 PM in response to Eric Root

I'm afraid you've misunderstood. The method I'm using doesn't involve any user logging in at all. The drive itself has its own password that is unrelated to any user. When I boot, I'm prompted for the drive's password, and then simply proceed directly to the Login screen. This is an Apple-supported use of FileVault 2.


My issue is that, as soon as I create a new user, it automatically gains the right to decrypt the drive on boot using its own password. So, to clarify: if I create a new user, then restart the machine, I'm presented with two options:

1) Enter the password for the new user. This causes the drive to be decrypted, and the OS to proceed to boot directly to that user's account.

2) Enter the drive's password. This decrypts the drive and takes me to the Login screen.


I hope that makes things clearer. (2) is all I want; (1) is not wanted at all.
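The following script is an added example and is not part of any post in this thread. It assumes OS X 10.8 or later, where the `fdesetup` tool exists: `sudo fdesetup list` prints one `shortname,UUID` line per account that can unlock the FileVault 2 volume at the pre-boot screen, and `sudo fdesetup remove -user NAME` revokes that account's unlock ability without deleting the account. Whether this applies unchanged to a volume encrypted through Disk Utility (the poster's setup) is an assumption here, not something the thread confirms. The `SAMPLE_LIST` data is constructed so the parsing can be exercised off a Mac; the `check_unlock_users` and `revoke_unlock` names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OS X 10.8+ with `fdesetup`.
# Whether `fdesetup remove` behaves the same on a Disk Utility-encrypted
# volume is an assumption, not confirmed by the thread.

# Constructed sample in `fdesetup list` format ("shortname,UUID" per line),
# used when fdesetup is absent so the script can be exercised off a Mac.
SAMPLE_LIST='admin,7F0A1B2C-3D4E-5F60-7182-93A4B5C6D7E8
newuser,0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9'

# Emit the enabled unlock users: the real list on a Mac, the sample elsewhere.
unlock_user_list() {
  if command -v fdesetup >/dev/null 2>&1; then
    sudo fdesetup list
  else
    printf '%s\n' "$SAMPLE_LIST"
  fi
}

# Read list-format lines on stdin, print the short names one per line.
enabled_user_names() {
  cut -d, -f1
}

# Exit 0 if the named account can unlock the volume according to the
# list-format lines on stdin.
is_unlock_enabled() {
  grep -q "^$1,"
}

# Revoke an account's ability to unlock the volume at the pre-boot screen.
# Run this right after creating an account you do not want there; the
# account can still log in at the normal login window once the disk
# password (or an enabled unlock user) has unlocked the volume.
revoke_unlock() {
  sudo fdesetup remove -user "$1"
}

# Audit: print every unlock user that is not in the allow-list given as
# arguments, e.g. `check_unlock_users admin` on a Mac. Prints nothing when
# the pre-boot list matches the allow-list exactly.
check_unlock_users() {
  allowed=" $* "
  unlock_user_list | enabled_user_names | while read -r name; do
    case "$allowed" in
      *" $name "*) ;;
      *) echo "unexpected FileVault unlock user: $name" ;;
    esac
  done
}
```

Run `check_unlock_users admin` after each account creation (or from a login hook) to catch an account that was silently granted an unlock key, then call `revoke_unlock newuser` for any name it reports.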

Jun 18, 2013 9:13 AM in response to Scotch_Brawth

I am also banging my head over the same issue re: as soon as I create a new user, it automatically gains the right to decrypt the drive on boot using its own password.


Oddly enough, when I bind the Mac to AD, the AD account is NOT automatically enabled to unlock FV2 (as expected).


I create a master image of OS X then clone to client computers. The computer is encrypted afterwards.


Really odd behaviour!
