
How to add an Active Directory user to FileVault
Technical Article ID: KB79648
Last Modified: 7/9/2019

Environment

McAfee Management of Native Encryption (MNE) 5.x, 4.x

For details of MNE supported environments, see KB79375.

Problem

When MNE is deployed, the Active Directory (AD) users who will unlock the disk must be added to FileVault. By default, FileVault adds only the currently logged-on local user on the OS X system as a FileVault-enabled user.

AD users on Mac OS X are not added as FileVault users if either of the following is missing on the system:
  • The AD user's home folder
  • A mobile account for the AD user

Solution 1

To add the Active Directory user as a FileVault user:
  1. On the Mac, open Applications, System Preferences, Users & Groups.
  2. Select Login Options, click the lock to make changes, and type the administrator's credentials.
  3. Click Edit next to the registered Network Account Server, and then click Open Directory Utility.
  4. Click the lock to make changes and type the administrator's credentials.
  5. Under Name, double-click Active Directory to open the Advanced Options.
  6. In the User Experience section of Advanced Options, select Create mobile account at login, and then click OK to save your changes.
  7. Quit Directory Utility and System Preferences.
  8. Log off and log back on to OS X with the Active Directory user's credentials.
    NOTE: For macOS High Sierra systems that use the Apple File System (APFS), see Solutions 2 and 3 below.
  9. Deploy MNE from ePolicy Orchestrator, enforce the policy that turns on FileVault, and restart the Mac.
  10. When prompted, type the Active Directory user's password to turn on FileVault.

Changes in macOS High Sierra around mobile accounts and FileVault require extra steps to activate and manage FileVault. The extra steps are needed when the system volume uses APFS. See the Apple support document for details: https://support.apple.com/en-ie/HT208171

NOTE: Complete steps 1–8 of the previous procedure before following these steps.
  1. Open Applications, System Preferences, Security & Privacy, and select the FileVault tab.
  2. Click the lock and type the administrator's credentials.
  3. Click Enable Users.
  4. Select the users and click Enable User to enable each selected user as a FileVault user; each user's own password is required.

Solution 2

On macOS 10.13.0 - 10.13.3 using APFS:

Have the Active Directory (AD) user log on and create a mobile account:
  1. On the Mac, open Applications, System Preferences, Users & Groups.
  2. Select Login Options, click the lock to make changes, and type the administrator's credentials.
  3. Click Edit next to the registered Network Account Server, and then click Open Directory Utility.
  4. Click the lock to make changes and type the administrator's credentials.
  5. Under Name, double-click Active Directory to open the Advanced Options.
  6. In the User Experience section of Advanced Options, select Create mobile account at login, and then click OK to save your changes.
  7. Quit Directory Utility and System Preferences.
  8. Log off and log back on to OS X with the Active Directory user's credentials.

After the AD user has logged on and created a mobile account:
  1. Log on with a local admin account that holds a Secure Token (usually the first local user provisioned on the system).
  2. In Terminal, type the following command (the final argument is a single hyphen, which makes sysadminctl prompt for the AD user's password instead of taking it on the command line, where it would land in shell history and process listings):

    sudo sysadminctl interactive -secureTokenOn <AdUser> -password -

  3. When the dialog "sysadminctl needs to unlock your disk" appears, type the local admin credentials.
  4. When the terminal prompts Enter password for <AdUser>, type the AD password for this user.
  5. Log on again with the AD user account.
  6. Deploy MNE from ePolicy Orchestrator, enforce the policy that turns on FileVault, and restart the Mac.
  7. When prompted, type the Active Directory user's password to turn on FileVault.
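After the Secure Token has been granted and MNE has turned FileVault on, the practical question is whether the AD mobile account actually ended up both token-holding and FileVault-enabled; a user missing from the FileVault user list cannot unlock the disk at preboot. The script below is an added example written for this article, not McAfee's or Apple's code. It wraps the three macOS tools involved (sysadminctl, fdesetup, diskutil is not needed here) and keeps the output parsing in separate functions that read stdin, so they can be exercised offline with constructed sample output. The user name aduser, the UUIDs and the timestamped sysadminctl line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not McAfee's or Apple's code): check that an AD mobile
# account holds a Secure Token and is enabled for FileVault on macOS 10.13+.
# The parsing helpers read tool output from stdin; check_ad_user runs the
# real tools and must be run on the Mac as root (sudo), since `fdesetup list`
# needs root.

# token_state: print ENABLED or DISABLED from the line that
# `sysadminctl -secureTokenStatus <user>` writes to stderr
# ("... Secure token is ENABLED for user <user>").
token_state() {
    sed -n 's/.*Secure token is \([A-Z]*\) for user.*/\1/p' | head -n 1
}

# fv_has_user: exit 0 if the short name $1 is listed in `fdesetup list`
# output (one "shortname,UUID" per line), else exit 1. Short names are
# compared case-insensitively because AD short names are not case-sensitive.
fv_has_user() {
    awk -F, -v u="$1" 'tolower($1) == tolower(u) { found = 1 } END { exit !found }'
}

# fv_state: print On or Off from `fdesetup status` ("FileVault is On.").
fv_state() {
    sed -n 's/^FileVault is \([A-Za-z]*\)\..*/\1/p' | head -n 1
}

# grant_secure_token: the sysadminctl step of the 10.13.0-10.13.3 procedure.
# `interactive` makes sysadminctl prompt a Secure Token admin in a dialog;
# "-password -" prompts for the AD user's password in Terminal, keeping it
# out of shell history and `ps` output.
grant_secure_token() {
    sysadminctl interactive -secureTokenOn "$1" -password -
}

# check_ad_user: run the real tools for the user named in $1 and print a
# one-line summary. A user with FileVault on but listed=no cannot unlock
# the disk at preboot and needs the Enable Users procedure.
check_ad_user() {
    tok=$(sysadminctl -secureTokenStatus "$1" 2>&1 | token_state)
    fv=$(fdesetup status | fv_state)
    if fdesetup list | fv_has_user "$1"; then listed=yes; else listed=no; fi
    printf '%s: secure token=%s filevault=%s listed=%s\n' \
        "$1" "${tok:-UNKNOWN}" "${fv:-UNKNOWN}" "$listed"
}

# Usage on the Mac: sudo sh fvcheck.sh <AdUser>
if [ $# -eq 1 ]; then
    check_ad_user "$1"
fi
```

Run it as root with the AD user's short name; the expected healthy result is secure token=ENABLED, filevault=On, listed=yes. If the token is DISABLED, grant it with grant_secure_token first; if FileVault is On but the user is not listed, the account was created after activation and must be added through Enable Users and the preboot sync described in Solution 3.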

Solution 3

On macOS 10.13.4 and later using APFS:

Scenario 1
  1. When the AD user first logs on, the following dialog box is displayed:
    Enter a SecureToken administrator's name and password to allow this mobile account to log in at startup time.

  2. Type the credentials of an administrator who holds a Secure Token.
  3. Deploy MNE from ePolicy Orchestrator, enforce the policy that turns on FileVault, and restart the Mac.
  4. When prompted, type the Active Directory user's password to turn on FileVault.
Scenario 2
Take the following steps only if MNE was deployed and the policy enforced before the AD user was assigned a Secure Token, which results in MNE failing to activate FileVault for that user:
  1. Log on with a local administrator account and restart the system. When prompted by FileVault, type the admin password to complete the FileVault activation.
  2. Log on with an administrator account again and open System Preferences, Security & Privacy, FileVault.
  3. Click the padlock and type the administrator's credentials.
  4. Click Enable Users next to the warning "Some users are not able to unlock the disk."
  5. Click Enable User for each Active Directory user and type that user's Active Directory password.
  6. To add the user to the preboot login screen, type the following in Terminal:
    • For HFS+ systems: sudo fdesetup sync
    • For APFS systems: sudo diskutil apfs updatePreboot <diskid>

      NOTE: <diskid> is the identifier of the system volume, as shown under Device Identifier in the output of diskutil info /.

  7. Reboot the system so that the Active Directory user can log on at the preboot screen.
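Choosing between fdesetup sync and diskutil apfs updatePreboot, and filling in <diskid>, is where this procedure is most often done wrong on a mixed fleet. The script below is an added example written for this article, not McAfee's or Apple's code: it reads the file system type and device identifier of the volume mounted at / from diskutil info / and prints exactly the preboot sync command from Scenario 2 that applies, refusing to run anything for an unrecognised file system. The parsing runs on text from stdin so it can be checked offline; the diskutil info excerpts in the usage are constructed samples (identifiers disk1s1 and disk0s2 are illustrative).

```shell
#!/bin/sh
# Added example (not McAfee's or Apple's code): pick the correct preboot
# sync command for the system volume and find <diskid> without guessing.
# diskutil_field and preboot_sync_command parse `diskutil info` text from
# stdin; sync_preboot runs the real commands and must be run on the Mac.

# diskutil_field: print the value of the "<Key>:   <value>" line whose key
# is $1, from `diskutil info` output on stdin. Keys are matched as plain
# strings so names with parentheses such as "Type (Bundle)" work.
diskutil_field() {
    awk -F': +' -v key="$1" '
        { k = $1; sub(/^[ \t]+/, "", k) }
        k == key { print $2; exit }'
}

# preboot_sync_command: given `diskutil info /` output on stdin, print the
# Scenario 2 command for this volume's file system:
#   apfs -> diskutil apfs updatePreboot <device identifier of the volume>
#   hfs  -> fdesetup sync
# Exit 1 for anything else so the caller never runs a command blindly.
preboot_sync_command() {
    info=$(cat)
    devid=$(printf '%s\n' "$info" | diskutil_field 'Device Identifier')
    bundle=$(printf '%s\n' "$info" | diskutil_field 'Type (Bundle)')
    case "$bundle" in
        apfs) [ -n "$devid" ] || return 1
              printf 'diskutil apfs updatePreboot %s\n' "$devid" ;;
        hfs)  printf 'fdesetup sync\n' ;;
        *)    return 1 ;;
    esac
}

# sync_preboot: run on the Mac after Enable User, then reboot.
# Both commands need root, hence sudo.
sync_preboot() {
    cmd=$(diskutil info / | preboot_sync_command) || {
        echo "unrecognised file system on /; not running anything" >&2
        return 1
    }
    echo "running: sudo $cmd" >&2
    sudo $cmd
}

# Usage on the Mac: sh preboot-sync.sh --run
if [ "$1" = "--run" ]; then
    sync_preboot
fi
```

On an APFS system the script prints and runs diskutil apfs updatePreboot disk1s1 (with the real identifier of the volume mounted at /); on an HFS+ system it runs fdesetup sync. After it completes, reboot and confirm the AD user appears on the preboot screen.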
