Want to highlight a helpful answer? Upvote!
Did someone help you, or did an answer or User Tip resolve your issue? Upvote by selecting the upvote arrow. Your feedback helps others! Learn more about when to upvote >
Did someone help you, or did an answer or User Tip resolve your issue? Upvote by selecting the upvote arrow. Your feedback helps others! Learn more about when to upvote >
Hi all,
I was wondering if it would be possible to inspect the status of/require all network users to have full disk encryption enabled on HDs. I've been poking around in profile manager and haven't found anything to that effect. I know it's possible to have FileVault-enabled Portable Home Directories, but I'd rather this extend to the entirety of their HDs.
Thanks!
OS X Mavericks (10.9.2)
Sorry, but FileVault is handled at a Firmware level, below what the operating system has access to.
However, you can monitor it and manage it from the command line using the 'fdesetup' command. For example
fdesetup status
reports back on whether FileVault is enabled or not. Or you might prefer
fdesetup isactive
since the result is easier to analyse in software. You might be able to force your user's computers to run a script which does something useful. Use 'man fdesetup' to find out more.
Sorry, but FileVault is handled at a Firmware level, below what the operating system has access to.
However, you can monitor it and manage it from the command line using the 'fdesetup' command. For example
fdesetup status
reports back on whether FileVault is enabled or not. Or you might prefer
fdesetup isactive
since the result is easier to analyse in software. You might be able to force your user's computers to run a script which does something useful. Use 'man fdesetup' to find out more.
I also could not find anything in Profile Manager regarding forcing Filevault.
I do know however that you can do this with Casper and get a report of Filevault2 compliance. I also know that you can setup the free Crypt software which auto-triggers Filevault2 encryption for the entire hard disk and centrally stores the recovery key. By itself it does not prove a machine is then encrypted but it will not allow a user to login without them starting the encryption process.
So based on Simon's suggestion, I wrote a simple shell script that I would ideally be able to execute at login:
fdesetup status
if [ "$?" != 0 ];
then mail -s "$USER does not have FileVault configured!" addr <<< "USER doesn't have FileVault on, yell at them."
exit 0
# test else else mail -s "$USER does have FileVault configured!" addr <<< "$USER has FileVault on"
fi
As I understand, login scripts are deprecated and cannot be done easily through Server natively. Is there a workaround for this or another method I could try? Perhaps using something like Platypus, converting the script to an app that is run from the server at login?
Profile Manager in Server.app 3.0.3 i.e. Mavericks does still let you configure a login or logout script and it does still work. I mentioned Crypt as a way of enforcing Filevault2 it does this via loginhook script which checks when the user logs in to see if Filevault has been activated.
For Profile Manager go to OS X settings, then Login Windows, then Scripts.
However you can also still configure a loginhook locally on the computer in the normal manner via defaults write. See https://developer.apple.com/library/mac/documentation/macosx/conceptual/bpsystem startup/chapters/CustomLogin.html
A launchagent which is apparently the preferred successor to a loginhook may be fine for most purposes but it runs processes as the user who has just logged in, the problem Crypt has is that in order to automate enabling Filevault2 it needs to do this as root. A loginhook script does run as root and hence allows this.
I didn't have device management enabled, which would explain why I felt I was totally blind and couldn't find the login window options. Thank you for your patience and assistance.
In Profile Manager (server.name/profilemanager):
Device Group -> Settings -> Edit -> OS X and iOS Security & Privacy -> FileVault (OS X Only) -> Require FileVault
Inspect/Enforce full disk encryption via profile manager?
