Archive for January, 2015

FileVault 2 deferred enablement in Yosemite

January 31, 2015

Enabling an account for FileVault 2 requires that account's own password. The password is used to generate a unique derived key via PBKDF2, and the account needs that key to unlock FileVault 2's encryption, so an account cannot be enabled without its password being provided.

Apple recognized that there would be situations where Mac admins would need to set up FileVault 2 for a person without having the password for that person's user account. To avoid the immediate need to enter a password, fdesetup has a -defer flag in Mountain Lion, Mavericks and Yosemite that can be used with fdesetup's enable verb to delay enabling FileVault 2 until after the current (or next) user logs out. With the -defer flag, the user will be prompted for their password at their next logout or restart. The recovery key information is not generated until the user password is obtained, so the -defer option requires a file location where this information will be written as a plist file.

The property list file will be created as a root-only readable file and will contain the recovery key information.

Note: For security reasons, the plist file with the recovery key information should not stay on the encrypted system. Please copy it to a safe location and then securely delete this plist file from the encrypted system.
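As an added example (not from the original post), the following Python sketch audits a deferred-enablement plist before it is copied off the Mac: it checks that the file is a regular file, owned by the expected user and not readable by group or other, and that the expected fields are present, without printing the recovery key. The key names EnabledUser, RecoveryKey and SerialNumber are assumptions, and the sample plists are constructed for the demonstration.

```python
import os
import plistlib
import stat
import tempfile

# Assumed key names for the deferred-enablement plist (the page shows them only
# in a screenshot); adjust to match the file fdesetup writes on your systems.
EXPECTED_KEYS = ("EnabledUser", "RecoveryKey", "SerialNumber")

def audit_recovery_plist(path, expected_uid=0):
    """Return a list of findings for the plist at path; an empty list means OK."""
    st = os.lstat(path)  # lstat so a symlink is reported, not followed
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"group/other permissions set: {stat.filemode(st.st_mode)}")
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # malformed or truncated plist
        return findings + [f"unreadable plist: {exc}"]
    if not isinstance(data, dict):
        return findings + ["plist root is not a dictionary"]
    # Report only presence; never echo the recovery key itself.
    findings += [f"missing or empty key: {k}" for k in EXPECTED_KEYS if not data.get(k)]
    return findings

def demo():
    """Constructed samples checked as the current user instead of root."""
    good = {"EnabledUser": "username", "SerialNumber": "C00CONSTRUCTED",
            "RecoveryKey": "AAAA-BBBB-CCCC-DDDD-EEEE-FFFF"}  # constructed values
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "filename.plist")
        with open(path, "wb") as fh:
            plistlib.dump(good, fh)
        os.chmod(path, 0o600)
        strict = audit_recovery_plist(path, uid)   # root-only style permissions
        os.chmod(path, 0o644)
        loose = audit_recovery_plist(path, uid)    # world-readable: flagged
        with open(path, "wb") as fh:
            plistlib.dump({"EnabledUser": "username"}, fh)
        os.chmod(path, 0o600)
        partial = audit_recovery_plist(path, uid)  # recovery key never written
    return strict, loose, partial
```

On a managed Mac, call audit_recovery_plist with the path given to -defer and leave expected_uid at its default of 0 so that any owner other than root is reported.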

Run the following command with root privileges to defer enabling FileVault 2 and specify the account you want:

fdesetup enable -user username -defer /path/to/filename.plist

If there is no user account specified with the -user option, then the current logged-in user will be enabled for FileVault 2. If there is no user specified and no users are logged in when the command is run, then the next user that logs in will be chosen and enabled.

If you don’t want to specify the account, run the following command with root privileges:

fdesetup enable -defer /path/to/filename.plist

On logout, the user will be prompted to enter their account password.

Once entered, FileVault 2 will be enabled and the recovery information plist file will be created. Once the enabling process is complete, the Mac will restart.

An important thing to keep in mind about the -defer option is that it enables one single user account at the time of turning on FileVault 2 encryption. The -defer option does not enable multiple user accounts and cannot be used to enable accounts once FileVault 2 encryption has been turned on.

In Yosemite, Apple added new options for fdesetup's -defer flag. These new options now allow Mac admins to set a deferred enablement with the following options:

  1. Enforce FileVault 2 enablement at logout
  2. Enforce FileVault 2 enablement at login
  3. Enforce FileVault 2 enablement at both login and logout

For more information, see below the jump.

Downloading and deploying Adobe Flash Player 16.0.0.296

January 26, 2015

Over the weekend of January 24th, Adobe released Adobe Flash Player 16.0.0.296 to fix a critical vulnerability. This update was available for installation via the Flash auto-update, but there was nothing available for a manual download. This lack of a separate download meant that Mac admins didn’t have a way to get an installer for distribution to the Macs in their environments.

Adobe has stated that a manual download will be available during the week of January 26, but for the moment, it appears that the auto-update mechanism is the only way Adobe is distributing this update.

Fortunately, thanks to research by Greg Neagle and Per Olofsson, there appears to be a way to leverage AutoPkg to generate the needed installer package. See below the jump for details.


Update 1-26-2015: A 16.0.0.296 installer is now available on the Adobe Flash Player Distribution site (not linked because you gain access to the site after getting a valid Adobe Flash Player Distribution License Agreement in place.)



Update 2 – 1-26-2015: The AutoPkg download recipe for Adobe Flash has been updated to now download and decode the install_all_mac_pl_sgn.z file from Adobe’s Flash Player update feed for Macs. If you’re using AutoPkg, update your repos and you should get the changes. For more information on the actual recipe changes, see here.


Yosemite’s FileVault 2 pre-boot recovery options

January 17, 2015

One of the changes that Apple has introduced with Yosemite is a more straightforward way to recover from login problems at the FileVault 2 pre-boot login screen.

When a FileVault 2-encrypted Mac sits for more than a minute with an account selected at the FileVault 2 pre-boot login screen, a message like the one below should appear:

If you’re having a problem entering your password, press and hold the power button on your Mac to shut it down. Then press it again to start it up in the Recovery OS.

If the instructions are followed, the Mac will boot from the Mac’s recovery partition on the next startup and go into a Reset Password wizard.

In the Reset Password wizard, there are currently three options available.

  1. I forgot my password
  2. My password doesn’t work when logging in
  3. My keyboard isn’t working when typing my password to login

Each option will do different things, so let’s take a look at each. For more details, see below the jump.

Oracle’s Java 8 and Mac OS X 10.7.x

January 10, 2015

With Oracle’s Java 8, there’s been some confusion as to whether Java 8 runs on Mac OS X 10.7.5. This issue was lent additional urgency in the wake of Oracle’s announcement that they will begin auto-updating Java 7 users to Java 8 starting in January 2015.

The root of the confusion lies in the fact that Oracle has listed two different sets of system requirements on their website for Macs running Java 8 on Mac OS X.

The first set is available via Oracle’s general Java system requirements page. This page states that Java 8 requires the following:

  • Intel-based Mac running Mac OS X 10.8.3+, 10.9+
  • Administrator privileges for installation
  • 64-bit browser

The second set is available via the Java download page for Mac OS X. The system requirements linked from the download page state that Oracle’s Java requires the following:

  • Intel-based Mac running Mac OS X 10.7.3 (Lion) or later.
  • Administrator privileges for installation
  • 64-bit browser

In short, the question of Java 8 support for 10.7.x depended on which system requirement page was correct. For more details, see below the jump.
