How to enable FileVault 2 using Centrify Group Policies

The ability to tap into OS X’s FileVault 2 feature was introduced back in Centrify Suite 2013.2 (Agent version 5.1.1).

It’s a very cool function and allows AD users to have Apple’s in-built disk encryption system activate automatically after they have logged into their AD account on the Mac at least once.

However, since FileVault itself has several prerequisites and conditions to be met, it can be a tad tricky to ensure that the Mac meets all of them before the Centrify agent can get in there and start pulling the levers and twisting the knobs to get the FileVault gears turning.

In the months since this feature was released, we’ve gotten a pretty good idea of the most common hurdles people run into when trying to set this up. Hopefully this article will serve as a handy guide to the smoothest possible rollout.

Notes:

  • Centrify Group Policies for Mac are available in Centrify User Suite only. The information in this article does not apply to Centrify Express for Mac.
  • The steps shown below use the more user-friendly GUI way of setting up the FileVault GPs. For a more technical look at what is happening behind the scenes, see pg66 of the Centrify Admin Guide for Mac.
  • Two-factor authentication (such as smartcards) cannot be used to unlock FileVault (see pg39 of http://training.apple.com/pdf/WP_FileVault2.pdf). However, after the disk is unlocked by an authorised user, two-factor authentication can still be used at the regular OS X login screen.
    - OS X 10.8 Mountain Lion will log whoever unlocked FileVault straight into their Desktop session.
    - OS X 10.9 Mavericks introduced the option to disable this behaviour and have users see the regular login screen immediately after unlocking (see: http://support.apple.com/kb/HT5989).

Step 1: Getting the Mac ready

Ok, first things first: make sure the Mac meets the preliminary checklist for FileVault-enablement-by-GP:

  • The Mac must be on OS X 10.8 or higher and have OS X Recovery installed on the drive.
  • The Local Hostname must match the AD-Joined name.
    (Look in System Preferences > Centrify to verify this. If they don’t match, then either check out this previous article for how to fix it, or paid-licensed customers can look up KB-2929 via the Centrify Support Portal.)
  • On OS X 10.8, FileVault must NOT be currently enabled.
    On OS X 10.9, if FileVault is currently activated with a personal recovery key, the institutional key (shown below) can also be added alongside it using the steps shown in KB-4197.
  • For FileVault to recognise the AD user who will be doing the unlocking, they must first be converted into a Mobile Account on the Mac. We can configure this to happen automatically when the AD user first logs into the Mac; the method of doing so will depend on the environment that the Mac is in. Setting up Mobile Accounts via GP is a whole separate article in itself, so for now I’ll just point to the appropriate KBs for paid-licensed users to look up in the Support Portal. If the AD users have a network home folder, then use either one of these KBs:
    • KB-2896: How to set up Mobile Accounts via Group Policy in Auto Zone mode.
    • KB-2897: How to set up Mobile Accounts via Group Policy in Zone Mode.

    If the AD users will only use a local home folder, then use this KB, which converts the users to Mobile using a Configuration Profile:

    • KB-3064: How to convert a Network Account without a network home directory into a Mobile Account
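A pre-flight script that encodes the checklist above, added here as an example rather than Centrify's own tooling. It assumes the Centrify agent is installed on the Mac, that the AD user's short name is passed as the first argument, and that adinfo --name prints the AD-joined computer name (an assumption on my part; the article itself only uses System Preferences > Centrify for this).

```shell
#!/bin/sh
# Step 1 pre-flight check. The helpers are pure functions so they can be
# exercised off a Mac; run_preflight wires them to the real commands.

# OS X 10.8 or later (assumes "10.x" style version strings from sw_vers).
version_ok() {
    major=${1%%.*}
    case $1 in *.*) rest=${1#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 8 ]; }
}

# OS X Recovery present: "diskutil list" shows an Apple_Boot "Recovery HD" slice.
recovery_present() { printf '%s\n' "$1" | grep -q 'Apple_Boot *Recovery HD'; }

# Local Hostname must match the AD-joined name (compared case-insensitively,
# since AD computer names are not case-sensitive; an assumption of this script).
hostname_matches() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$a" = "$b" ]
}

# On 10.8 FileVault must be off; on 10.9 an already-enabled disk can still get
# the institutional key added (KB-4197). $1 = version, $2 = "fdesetup status" output.
fv_state_ok() {
    case $2 in
        "FileVault is Off."*) return 0 ;;
        *) case $1 in 10.8*) return 1 ;; *) return 0 ;; esac ;;
    esac
}

# A Mobile Account's AuthenticationAuthority record carries ";LocalCachedUser;".
is_mobile_account() { printf '%s\n' "$1" | grep -q 'LocalCachedUser'; }

run_preflight() {   # $1 = AD user short name; only meaningful on the Mac itself
    v=$(sw_vers -productVersion)
    version_ok "$v" || echo "FAIL: OS X $v is older than 10.8"
    recovery_present "$(diskutil list)" || echo "FAIL: no OS X Recovery partition found"
    hostname_matches "$(scutil --get LocalHostName)" "$(adinfo --name)" \
        || echo "FAIL: Local Hostname differs from the AD-joined name"
    fv_state_ok "$v" "$(fdesetup status)" || echo "FAIL: FileVault already on (10.8)"
    is_mobile_account "$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null)" \
        || echo "FAIL: $1 is not a Mobile Account yet"
}

# Only run the live checks on OS X; elsewhere the helpers are just defined.
if [ "$(uname)" = Darwin ]; then run_preflight "${1:-$(id -un)}"; fi
```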

Step 2: Generating the FileVault Master Key

Our first Mac will be our “template Mac”, from which we generate the FileVault key that will be pushed out to all subsequent Mac systems under this GP. This is the institutional FileVault key:

  1. Log into the Mac as Local Admin and go to System Preferences > Users & Groups
  2. Click on the little cog icon at the bottom of the user list and select “Set Master Password…”
  3. Once the Master Password has been set, open Finder > Go > “Go to Folder…” and enter the path: /Library/Keychains/
  4. In the Keychains folder, double-click on the “FileVaultMaster.keychain” and it will open up in Keychain Access.
    Right-click on the “FileVault Recovery Key” certificate and select “Export ‘FileVault Recovery Key’…”.
    Note: Make sure to copy the FileVaultMaster.keychain file out to a safe external location as well. If a user is the sole authorised FileVault unlocker on a Mac and they forget their FileVault password, this file will be the only other way to unlock the disk. See: http://support.apple.com/kb/ht5077
  5. Save the file in Certificate (.cer) format; this is what we’ll be inserting into our GP.

Step 3: Getting the AD side ready

  1. Open ADUC and navigate to the Mac computer object:
    Right-click > Properties > “Managed By” tab > “Change…” button > Select the same AD user that was converted to Mobile earlier on the Mac.
  2. Open the target GPO and enable the GP at:
    Computer Configuration / Centrify Settings / Mac OS X Settings / Security & Privacy / “Enable FileVault 2”
  3. Insert the certificate file that we just exported from the Mac Keychain, save the GPO, and we’re good to go. (At this point you can either wait for the next GP refresh cycle, or go to the Mac and run adgpupdate to have it pull down the latest GPs immediately.)

Step 4: Activating FileVault

  1. Log into the Mac as the target AD user.
    (Look in System Preferences > Users & Groups and make sure they have “Mobile” listed under their name)
  2. Log out of the Mac…

Tips and Additional Notes:

  • There is currently an issue where, if the AD user’s name in ADUC is stored as “Lastname, Firstname”, it doesn’t get detected properly and the FileVault activation won’t start.
    This will be fixed soon, but in the meantime the workaround is to make sure the AD user’s name is stored as “Firstname Lastname”.
  • To check if a “Managed By” user has been specified from the Mac side, run at the Terminal:
    adquery user --attribute managedBy computer_name
    (Replace “computer_name” with the actual computer name as seen in AD. adquery user… also works with computer objects.)
  • Once FileVault has been activated, additional (Local or Mobile) users can be added into the authorised FileVault unlocker list by going to the System Preferences > Security & Privacy > FileVault options like normal.