Educause Security Discussion mailing list archives
Re: Mac Encryption
From: Houston C Griffith <griffithhc () VCU EDU>
Date: Tue, 23 Feb 2021 15:32:03 -0500
We're using Jamf as well with FileVault handling automated key escrow. However, while that is very straightforward on administrative/assigned devices where the relationship between a client device and an end-user is always 1:1, I'm more curious how others are handling Mac loaner laptops used by employees and/or students where the relationship is 1:many.

The best we've been able to come up with so far is setting up the temporary account to force the end-user to change their password on first login. This ensures a unique password for the non-admin user account on every device that only the end-user of that device knows for the duration of their device checkout, and it's fairly simple to implement. This works initially, but when we get the laptop back we have to wipe/reinstall, which is tedious. We're exploring Nomad AD Login as an option but I'm not sure even that will work for what we need.

My point is that short of a workable internet-accessible directory service (LDAP, AD or others) and equivalent login mechanism on client devices, disk encryption with FileVault seems like a complete non-starter for Mac loaner laptops. To be fair, the Windows side honestly isn't much better and we still face largely the same issue, although I suppose Azure AD could greatly simplify that if implemented with the right options.

On Tue, Feb 23, 2021 at 3:28 PM Rich Graves <rcgraves () gmail com> wrote:
JAMF, McAfee ePO, and Sophos can all automate key recovery. For a while we were doing manual key escrow by storing the “printout” of the emergency recovery key centrally, but obviously that is error prone. I can’t imagine using any actual encryption software other than FileVault in this day and age.

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
--
Thank you,
Houston Griffith
Senior Manager // Labs and Classrooms Computing
Virginia Commonwealth University
804-827-5173
https://go.vcu.edu/lcc
Current thread:
- Mac Encryption Jackson, Ms. D'Ann (Feb 23)
- Re: Mac Encryption Curt Kappenman (Feb 23)
- Re: Mac Encryption Shannon Ortiz (Feb 23)
- Re: Mac Encryption Seth Rogers (Feb 23)
- Re: Mac Encryption Rich Graves (Feb 23)
- Re: Mac Encryption Houston C Griffith (Feb 23)
- Re: Mac Encryption Seth Rogers (Feb 23)
- Re: Mac Encryption Pelegrin, Jeremy J (Feb 23)
- Re: [EXTERNAL] [SECURITY] Mac Encryption Thomas, Chuck (Feb 23)
- Re: Mac Encryption Francisco Chavez (Feb 23)
- Re: Mac Encryption Taube, Dan (Feb 24)
- <Possible follow-ups>
- Re: Mac Encryption Perez, Roberto (Feb 25)