After reading Allister Banks’s great post on standalone use of Cauliflower Vest’s csfde command-line tool, I wanted to see if it was possible to use csfde with Apple’s FileVaultMaster.keychain recovery key to encrypt a Mac. Good news, it is possible and appears to be scriptable. See below the jump for the details.
One interesting facet of Cauliflower Vest enabling users from the command-line is that any user on the system can be enabled. This includes hidden admin users with a UID that’s lower than 500, which can’t be enabled through the FileVault preference pane. After some testing, I found that enabling hidden admin accounts is pretty straightforward for those who can use Casper and Cauliflower Vest. See below the jump for the details.
Google’s Cauliflower Vest, an open-source FileVault 2 recovery key escrow solution, solves a number of problems for Mac admins in the enterprise space. These problems included:
A. Allowing individual recovery keys to be automatically generated and escrowed for each Mac
B. The ability to have FileVault 2 encryption force-enabled on a Mac
C. Providing secure access to recovery keys and delegating secure access as needed to those recovery keys
Cauliflower Vest addresses those issues, along with providing csfde, a command-line tool for FileVault 2 setups which can be used independently of the rest of Cauliflower Vest infrastructure.
I wanted to see how easy it was to stand up a Cauliflower Vest instance with a Google Apps domain while following the instructions. I figured that I was a good tester for this because:
- I’d never set up a Google Apps domain
- I’d never before worked with Google App Engine
- Python and I have a “we should really get together, but never do” relationship.
In short, hopefully the Cauliflower Vest project folks had posted good directions or this train was going to wreck pretty fast.
Fortunately, the Cauliflower Vest project folks have posted good directions on the project’s wiki and were also extremely responsive over email. With their help, I was able to get up and going. See below the jump for what I did.
Google’s rolled out Cauliflower Vest, an open-source FileVault 2 recovery key escrow solution, that allows enterprise management of FileVault 2 encryption to go much further than was previously possible. It leverages the strengths of Apple’s non-enterprise recovery key system while bringing in additional features that most enterprise-focused environments are looking for.
At the moment, I’m going to start poking and prodding at this but I wanted to take a moment to recognize the folks whose hard work brought this to the Mac community:
As mentioned in a prior post, it’s beneficial for Mac admins in a number of Mac environments to hide the IT administrator account so that it can’t be deleted or altered by other users on those Macs. One way you can hide the account is to create it using a UID that’s lower than 500.
However, when encrypting Macs with FileVault 2, an account needs to have a UID higher than 500 to be enabled to unlock the FileVault 2 encrypted drive. Unfortunately, that means that the account is now “visible” to the users that the Mac admin wants to hide it from.
Thanks to work by Allen Golbig, it looks like there’s an answer to this problem for Casper users. See below the jump for the procedure.
I’ve updated the FileVault 2 status check scripts so that they’re now supporting 10.8 Developer Preview 1 in addition to 10.7.x. Without going into NDA-violating details, 10.8 has made some changes to what’s reported by the diskutil corestorage list command, which is used by my script to pull details about the current FileVault 2 encryption status. Barring any changes Apple may make in future 10.8 Developer Previews, the scripts should now report correctly on both 10.7.x and 10.8.x.
The changes are now available as part of my regular script. They have also been rolled into both the Casper Extension Attribute and the Absolute Manage Custom Info Item scripts. Use them in good health and please let me know if you find any problems with them.
Like a number of other Mac admins, I’ve started working on Mountain Lion to see a) what of my existing stuff works or breaks and b) what new functionality I need to test and build new solutions for. In the existing stuff category, I noticed that the script that I’ve been using on 10.7 to enable Java applications to work in Safari was no longer working properly on 10.8. I’ve fixed this issue and the script now works correctly on both 10.7 and 10.8.
The updated script is posted up on my GitHub repo at the following address: