Educause Security Discussion mailing list archives

Re: Mac Encryption


From: Houston C Griffith <griffithhc () VCU EDU>
Date: Tue, 23 Feb 2021 15:32:03 -0500

We're using Jamf as well with FileVault handling automated key escrow.
However, while that is very straightforward on administrative/assigned
devices where the relationship between a client device and an end-user is
always 1:1, I'm more curious how others are handling Mac loaner laptops
used by employees and/or students where the relationship is 1:many.

The best we've been able to come up with so far is setting up the temporary
account to force the end-user to change their password on first login. This
ensures a unique password for the non-admin user account on every device
that only the end-user of that device knows for the duration of their
device checkout, and it's fairly simple to implement. This works initially,
but when we get the laptop back we have to wipe/reinstall, which is tedious.
We're exploring Nomad AD Login as an option but I'm not sure even that will
work for what we need.

My point is that short of a workable internet-accessible directory service
(LDAP, AD or others) and equivalent login mechanism on client devices, disk
encryption with FileVault seems like a complete non-starter for Mac loaner
laptops. To be fair, the Windows side honestly isn't much better and we
still face largely the same issue, although I suppose Azure AD could
greatly simplify that if implemented with the right options.

On Tue, Feb 23, 2021 at 3:28 PM Rich Graves <rcgraves () gmail com> wrote:

JAMF, McAfee ePO, and Sophos can all automate key recovery. For a while we
were doing manual key escrow by storing the “printout” of the emergency
recovery key centrally, but obviously that is error prone.

I can’t imagine using any actual encryption software other than FileVault
in this day and age.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community
-- 
Thank you,

Houston Griffith
Senior Manager // Labs and Classrooms Computing
Virginia Commonwealth University
804-827-5173
https://go.vcu.edu/lcc
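The loaner workflow above is described only in prose, so here is an added example (not code from the thread, Jamf or VCU) of the checkout and return steps as a macOS shell script. It assumes a local, FileVault-enabled management admin named mgmtadmin with its password in MGMT_ADMIN_PW, that the MDM escrows the recovery key on its own, and it goes one step past the text by removing the borrower from FileVault on return instead of wiping the machine.

```shell
#!/bin/sh
# Loaner-laptop lifecycle helper for FileVault Macs. Added example, not from the
# thread. Assumes a FileVault-enabled management admin "mgmtadmin" (password in
# MGMT_ADMIN_PW) and MDM-side recovery-key escrow. Requires root on macOS.
set -eu

MGMT_ADMIN="${MGMT_ADMIN:-mgmtadmin}"   # assumed name of the management account

# Pure helper: given `fdesetup list` output ("user,UUID" per line), succeed if
# the named user is FileVault-enabled. No macOS calls, so it runs anywhere.
fv_user_enabled() {
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Checkout: create a non-admin loaner account, grant it a SecureToken (needed on
# APFS volumes to unlock FileVault), add it to FileVault, then force a password
# change at first login so only the borrower knows the final password.
loaner_checkout() {
    user="$1"; initial_pw="$2"
    sysadminctl -addUser "$user" -fullName "Loaner $user" -password "$initial_pw"
    sysadminctl -secureTokenOn "$user" -password "$initial_pw" \
        -adminUser "$MGMT_ADMIN" -adminPassword "$MGMT_ADMIN_PW"
    # fdesetup takes credentials as a plist on stdin: the admin authorises, the
    # loaner user is listed under AdditionalUsers.
    printf '<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Username</key><string>%s</string><key>Password</key><string>%s</string>
<key>AdditionalUsers</key><array><dict><key>Username</key><string>%s</string>
<key>Password</key><string>%s</string></dict></array></dict></plist>\n' \
        "$MGMT_ADMIN" "$MGMT_ADMIN_PW" "$user" "$initial_pw" | fdesetup add -inputplist
    pwpolicy -u "$user" -setpolicy "newPasswordRequired=1"
}

# Return: instead of wiping, drop the borrower from FileVault and delete the
# account with its home directory. The volume stays encrypted and the management
# account plus the escrowed recovery key remain valid for the next checkout.
loaner_return() {
    user="$1"
    if fv_user_enabled "$user" "$(fdesetup list)"; then
        fdesetup remove -user "$user"
    fi
    sysadminctl -deleteUser "$user" -secure
}

if [ $# -gt 0 ]; then
    case "$1" in
        checkout) loaner_checkout "$2" "$3" ;;
        return)   loaner_return "$2" ;;
    esac
fi
```

Run as `sudo sh loaner.sh checkout loaner1 '<initial password>'` at checkout and `sudo sh loaner.sh return loaner1` on return; the borrower must still log in once in person so the forced password change and FileVault password sync take effect.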
