Enabling hidden admin accounts with Cauliflower Vest
One interesting facet of Cauliflower Vest enabling users from the command-line is that any user on the system can be enabled. This includes hidden admin users with a UID that’s lower than 500, which can’t be enabled through the FileVault preference pane. After some testing, I found that enabling hidden admin accounts is pretty straightforward for those who can use Casper and Cauliflower Vest. See below the jump for the details.
To test this, I set up a hidden admin account via JAMF’s Casper agent using the following command:
sudo /usr/sbin/jamf createAccount -username “fv2test” -realname “FV2 Test” -password “password123” -home /private/var/fv2test –shell “/bin/bash” -hiddenUser -admin
I then installed Cauliflower Vest using my existing secretplant.com setup and encrypted using the fv2test account.
Cauliflower Vest successfully enabled and reported that the passphrase had been successfully escrowed. I was then prompted to restart.
On restart, I was at the FileVault 2 pre-boot login screen with the account icon for my hidden fv2test user account showing. I authenticated and the regular FileVault 2 login process continued.
On login, I verified that my account was set up as specified, with the fv2test account set up with a sub-500 UID and the account’s home located in /var/fv2test.
I went next to http://secret-plant.appspot.com to get my Mac’s recovery key, to see if that also worked normally. After authenticating, I was taken to a listing for my encrypted Mac and clicked on the Volume UUID link to get my recovery key.
Once I had my recovery key, I was able to test it out successfully by using it to unlock the encryption and then reset the fv2test account’s password.
This ability, for those who can leverage Casper and Cauliflower Vest’s capabilities, gives Mac admins some additional flexibility in how they set up and encrypt Macs with FileVault 2. Since both the user creation and the encryption enabling were done from the command-line, it’s possible to script this into your deployment workflow and have your Macs both enable hidden admin users and encrypt themselves automatically using that user’s pre-set credentials.