Home > Casper, Cauliflower Vest, FileVault 2, Mac administration, Mac OS X > Enabling hidden admin accounts with Cauliflower Vest

Enabling hidden admin accounts with Cauliflower Vest

One interesting facet of Cauliflower Vest enabling users from the command-line is that any user on the system can be enabled. This includes hidden admin users with a UID that’s lower than 500, which can’t be enabled through the FileVault preference pane. After some testing, I found that enabling hidden admin accounts is pretty straightforward for those who can use Casper and Cauliflower Vest. See below the jump for the details.

To test this, I set up a hidden admin account via JAMF’s Casper agent using the following command:

sudo /usr/sbin/jamf createAccount -username “fv2test” -realname “FV2 Test” -password “password123” -home /private/var/fv2test –shell “/bin/bash” -hiddenUser -admin

I then installed Cauliflower Vest using my existing secretplant.com setup and encrypted using the fv2test account.

Screen Shot 2012-02-25 at 10.48.44 AM

Cauliflower Vest successfully enabled and reported that the passphrase had been successfully escrowed. I was then prompted to restart.

Screen Shot 2012-02-25 at 10.48.58 AM

Screen Shot 2012-02-25 at 10.49.36 AM

On restart, I was at the FileVault 2 pre-boot login screen with the account icon for my hidden fv2test user account showing. I authenticated and the regular FileVault 2 login process continued.

Screen Shot 2012-02-25 at 10.50.12 AM

On login, I verified that my account was set up as specified, with the fv2test account set up with a sub-500 UID and the account’s home located in /var/fv2test.

Screen Shot 2012-02-25 at 10.51.33 AM Screen Shot 2012-02-25 at 10.54.28 AM

I went next to http://secret-plant.appspot.com to get my Mac’s recovery key, to see if that also worked normally. After authenticating, I was taken to a listing for my encrypted Mac and clicked on the Volume UUID link to get my recovery key.

Screen Shot 2012-02-25 at 11.03.42 AM

Screen Shot 2012-02-25 at 11.03.50 AM

Once I had my recovery key, I was able to test it out successfully by using it to unlock the encryption and then reset the fv2test account’s password.

Screen Shot 2012-02-25 at 11.05.23 AM

Screen Shot 2012-02-25 at 11.05.43 AM

This ability, for those who can leverage Casper and Cauliflower Vest’s capabilities, gives Mac admins some additional flexibility in how they set up and encrypt Macs with FileVault 2. Since both the user creation and the encryption enabling were done from the command-line, it’s possible to script this into your deployment workflow and have your Macs both enable hidden admin users and encrypt themselves automatically using that user’s pre-set credentials.

  1. Abraham
    October 8, 2012 at 7:56 pm

    So how would a user in an Active Directory environment login?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: