Home > Bash scripting, Casper, FileVault 2 > Hiding an FileVault 2-enabled admin user with Casper

Hiding an FileVault 2-enabled admin user with Casper

As mentioned in a prior post, it’s beneficial for Mac admins in a number of Mac environments to hide the IT administrator account so that it can’t be deleted or altered by other users on those Macs. One way you can hide the account is to create it using a UID that’s lower than 500.

However, when encrypting Macs with FileVault 2, an account needs to have a UID higher than 500 to be enabled to unlock the FileVault 2 encrypted drive. Unfortunately, that means that the account is now “visible” to the users that the Mac admin wants to hide it from.

Thanks to work by Allen Golbig, it looks like there’s an answer to this problem for Casper users. See below the jump for the procedure.

First, create the user account that you want to (eventually) add as an hidden admin user. For this example, we’ll set up a user called fv2test by running the following command:

sudo jamf createAccount -username “fv2test” -realname “FV2Test” -password “password” -home “/private/var/fv2test” -admin


This will create a fv2test user account with a UID higher than 500, but whose home folder is stored in /private/var.

Screen Shot 2012-02-22 at 1.52.53 PM

Screen Shot 2012-02-22 at 1.53.02 PM

Next, we’ll need to encrypt the Mac and enable the fv2test user.

Screen Shot 2012-02-22 at 1.55.38 PM

On the Casper server side, we’ll need to set up a smart group to detect that the Mac has been encrypted. If you’re running Casper 8.31 or higher, you can use Casper’s built-in inventory option for FileVault 2 encryption.

Screen Shot 2011-10-23 at 11.18.30 AM

Screen Shot 2011-10-23 at 11.19.16 AM

Alternatively, you can use the Extension Attribute that I’ve written and made available here.

Once the smart group has been set up, set up a script that checks for the “visible” admin user account and gives it a sub-500 UID:

—–

#!/bin/sh

adminID=`dscl . -read /Users/fv2test UniqueID | awk '{print $2}'`

if [ $adminID -gt "500" ];then
dscl . -change /Users/fv2test UniqueID $adminID 101
chown -R fv2test /var/fv2test
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
else
echo "UniqueID is below 500"
fi


—–

Next, set up a policy that’s run on machines entering the encrypted Mac smart group.

Screen Shot 2012-02-22 at 2.18.13 PM

Screen Shot 2012-02-22 at 2.18.19 PM

Screen Shot 2012-02-22 at 2.18.24 PM

Once it’s all together, your FV 2-enabled user will be hidden automatically by your Casper server when it checks in.

Screen Shot 2012-02-22 at 2.32.37 PM

Screen Shot 2012-02-22 at 2.33.29 PM

Your user is now hidden in the OS, but it will still show up at the FileVault 2 pre-boot login screen.

Screen Shot 2012-02-22 at 1.56.53 PM

Screen Shot 2012-02-22 at 1.57.05 PM

  1. Clif H
    September 28, 2012 at 1:45 pm | #1

    Rich, do you know of any way to hide FV users from the pre-boot screen? Assuming no as no way for just user/pass fields but figured if anyone knew it would be you.

    • September 28, 2012 at 1:47 pm | #2

      No, there is currently no way to hide an FileVault 2-enabled account’s icon from being displayed at the FileVault 2 pre-boot login screen.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 126 other followers

%d bloggers like this: