How to add an Active Directory user to FileVault
Technical Articles ID:   KB79648
Last modified:  3/14/2018


Environment

McAfee Management of Native Encryption (MNE) 4.x, 3.x

For details of MNE supported environments, see KB79375.

Problem

When MNE is deployed, you need to add Active Directory users to FileVault. By default, FileVault adds the currently logged on local user on the OS X system as a FileVault-enabled user. But, Active Directory users on Mac OS X will not be added as FileVault users if the Active Directory user home folder or mobile account is not available on the system.

Solution

Follow these steps to add the Active Directory user as a FileVault user:
  1. On the Mac, open Applications, System Preferences, Users & Groups.
  2. Select Login Options, and then click the lock to make changes and type the administrator's user credentials.
  3. Click Edit next to registered Network Account Server, and then click Open Directory Utility.
  4. Click the lock to make changes and type the administrator's user credentials.
  5. Select and double-click Active Directory under Name to open the Advanced Options.
  6. In the User Experience section under Advanced Options, enable Create mobile account at login, then click OK to save your changes.
  7. Quit the Directory Utility application and System Preferences.
  8. Log off and log back into OS X with the Active Directory user credentials.
    NOTE: For systems on High Sierra that use the APFS file system, see Solutions 2 and 3 below.
  9. Deploy MNE from ePolicy Orchestrator, enforce the policy to turn on FileVault, and restart the Mac.
  10. When prompted, type the Active Directory user password to turn on FileVault.

Because of changes in macOS High Sierra around mobile accounts and FileVault, extra steps must be taken to allow MNE to activate and manage FileVault. The extra steps are needed when the system is using macOS High Sierra with Apple File System (APFS). See the Apple support document for more details: https://support.apple.com/en-ie/HT208171

NOTE: Ensure that you have completed steps 1–8 of the previous procedure before following these steps.
  1. Open Applications, System Preferences, Security & Privacy.
  2. Click the lock and type the administrator's user credentials.
  3. Click Enable Users.
  4. Select the users and click Enable User to enable the selected users as FileVault users.

Solution

On macOS 10.13.0 - 10.13.3 using APFS:

Allow the Active Directory (AD) user to log on and create a mobile account:
  1. On the Mac, open Applications, System Preferences, Users & Groups.
  2. Select Login Options and click the lock to make changes and type the administrator's user credentials.
  3. Click Edit next to registered Network Account Server, and then click Open Directory Utility.
  4. Click the lock to make changes and type the administrator's user credentials.
  5. Select and double-click Active Directory under Name to open the Advanced Options.
  6. In the User Experience section under Advanced Options, enable Create mobile account at login, and then click OK to save your changes.
  7. Quit the Directory Utility application and System Preferences.
  8. Log off and log back into OS X with the Active Directory user credentials.

After an AD user has logged on and created a mobile account:
  1. Log on with a local admin account that owns the Secure Token (usually the first provisioned local user).
  2. In the terminal, type the following command (the trailing "-" after -password makes sysadminctl prompt for the AD user's password instead of taking it on the command line):

    sudo sysadminctl interactive -secureTokenOn <AdUser> -password -

  3. Type the local admin credentials when prompted with the dialog sysadminctl needs to unlock your disk.
  4. When prompted in the terminal with Enter password for <AdUser> :, type the AD password for this user.
  5. Log on again with the AD user account.
  6. Deploy MNE from ePolicy Orchestrator, enforce the policy to turn on FileVault, and restart the Mac.
  7. When prompted, type the Active Directory user password to turn on FileVault.

Solution

On macOS 10.13.4 and later using APFS:

Scenario 1
  1. When the AD user first logs on, the dialog box below displays. Type the admin credentials for the owner of the Secure Token:
    Enter a SecureToken administrator’s name and password to allow this mobile account to log in at startup time.
  2. Deploy MNE from ePolicy Orchestrator, enforce the policy to turn on FileVault, and restart the Mac.
  3. When prompted, type the Active Directory user password to turn on FileVault.
Scenario 2
Take the following steps only if steps 2 and 3 of Scenario 1 were carried out before the Secure Token was assigned, which causes MNE to fail to activate FileVault:
  1. Log on with a local administrator account and restart the system.
  2. When prompted by FileVault, type the admin password to complete the FileVault activation.
  3. Log on with an administrator account again and go to System Preferences, Security & Privacy, FileVault.
  4. Click the padlock and enter the credentials.
  5. Click Enable Users next to the warning “Some users are not able to unlock the disk.”
  6. Click Enable User for each Active Directory user and enter the Active Directory user’s password.
  7. To add the user to the preboot login, type in Terminal:
    • For HFS systems: sudo fdesetup sync
    • For APFS systems: diskutil apfs updatepreboot <diskid>

      NOTE: <diskid> is the identifier of the system volume.

  8. Reboot the system to allow the Active Directory user to log in.
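After completing Solution 2 or Solution 3, an administrator usually wants to confirm that the AD user actually holds a Secure Token and is listed as a FileVault-enabled user before rebooting. The script below is an added example and is not part of the McAfee article; it parses the output formats of `fdesetup list` (one "user,UUID" line per enabled user), `sysadminctl -secureTokenStatus` ("Secure token is ENABLED/DISABLED for user ...") and `diskutil info /` ("Device Identifier:" line, the <diskid> needed in step 7) and tells you which step of the procedure still has to be revisited. On a machine without these macOS tools it falls back to constructed sample output so the logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not code from the KB article. Assumed command output formats are noted per function.

# Return 0 if user $2 appears as a FileVault-enabled user in `fdesetup list` output $1 (format: user,UUID).
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# Return 0 if `sysadminctl -secureTokenStatus <user>` output $1 reports an enabled Secure Token.
secure_token_enabled() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the system volume identifier (<diskid> for `diskutil apfs updatepreboot`) from `diskutil info /` output $1.
system_disk_id() {
    printf '%s\n' "$1" | awk -F': *' '/Device Identifier:/ { print $2; exit }'
}

# Map the two checks onto the KB procedure. Prints exactly one of: ok, need-token, need-enable-user.
#   need-token       -> Solution 2, step 2 (sysadminctl ... -secureTokenOn) has not taken effect
#   need-enable-user -> Security & Privacy, FileVault, Enable Users (Solution 3, Scenario 2, steps 5-6)
fv_readiness() { # $1 = fdesetup list output, $2 = secureTokenStatus output, $3 = AD user name
    if ! secure_token_enabled "$2"; then
        echo need-token
    elif ! fv_user_enabled "$1" "$3"; then
        echo need-enable-user
    else
        echo ok
    fi
}

# Live check on a Mac; elsewhere use constructed sample output so the decision logic still runs.
check_live() { # $1 = AD user name
    user="$1"
    if command -v fdesetup >/dev/null 2>&1; then
        list=$(sudo fdesetup list)
        status=$(sysadminctl -secureTokenStatus "$user" 2>&1)
        info=$(diskutil info /)
    else
        list='localadmin,11111111-2222-3333-4444-555555555555'        # constructed sample
        status="Secure token is DISABLED for user $user"              # constructed sample
        info=$(printf '   Device Node:  /dev/disk1s1\n   Device Identifier:         disk1s1\n')  # constructed sample
    fi
    echo "system volume: $(system_disk_id "$info")"
    fv_readiness "$list" "$status" "$user"
}
```

Run it as `check_live jdoe` (substitute the AD short name); a result other than `ok` names the step to go back to, and the printed volume identifier is the value to pass to `diskutil apfs updatepreboot` in step 7.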
