3 Replies
      Latest reply on Mar 25, 2019 3:43 AM by eskimo
      Tim9909 Level 1 (5 points)

        I see a variety of ways to secure Mac login via authorization plugin, USB dongle, smart card or mobile phone apps over BLE.  Before I dig into details, I am wondering is it possible to apply one of these methods to a specific account, while the main admin/root account remains less secure?  Or, could someone always log in to the main admin account and disable whatever configuration has been set for the secured account?

        • Re: Secure account with insecure root?
          eskimo Apple Staff (12,305 points)

          Before I dig into details, I am wondering is it possible to apply one of these methods to a specific account, while the main admin/root account remains less secure?

          Yes.  Login authorisation is configured on a per-account basis based on the kODAttributeTypeAuthenticationAuthority attribute in the user’s OD record.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Secure account with insecure root?
              Tim9909 Level 1 (5 points)

              Thanks, I assume that means "yes" but only if the account is under control of an LDAP server?  If there is no remote server, then the host admin account could always reconfigure authorization settings for any other account?

               

              And, if there is a remote server, but it becomes permanently unavailable, then the host owner could delete any assets associated with the account, but could not access the contents?

                • Re: Secure account with insecure root?
                  eskimo Apple Staff (12,305 points)

                  I assume that means "yes" but only if the account is under control of an LDAP server?

                  Ah, I see what you’re getting at here.  I was answering based purely on technology, but you’re concerned about overall system security.

                  If you’re worried about the security of the system as a whole, you must secure any admin accounts.  Someone with control over the admin account can do a whole range of weird and wonderful things that could compromise security, even if the account itself is remote.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"
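
The per-account attribute and the admin-account concern discussed in this thread can be checked together. The following is an added example, not code from the thread or from Apple: it parses text in the style of `dscl . -readall /Users RecordName AuthenticationAuthority` and `dscl . -read /Groups/admin GroupMembership`, then lists admin accounts whose record lacks a mechanism that another account has. The sample records, account names and the `tokenidentity` tag value are constructed assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of dscl output; records are separated by "-".
# Account names and attribute values are made up for illustration.
SAMPLE_USERS = """\
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken;
RecordName: localadmin
-
AuthenticationAuthority:
 ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
 ;tokenidentity;pubkeyhash;0123ABCD
RecordName: tim
-
RecordName: _www
"""
SAMPLE_ADMINS = "GroupMembership: root localadmin"


def parse_records(text):
    """Return {record name: [authority tags]} from dscl-style text."""
    users = {}
    for block in re.split(r"^-[ \t]*$", text, flags=re.M):
        attrs, key = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and key:
                # Continuation line: one more value for the current attribute.
                attrs[key].append(line.strip())
            elif ":" in line:
                key, _, rest = line.partition(":")
                attrs[key] = rest.split()
        authorities = attrs.get("AuthenticationAuthority", [])
        # Each authority has the form ";Tag;data..."; keep only the tag.
        tags = [a.split(";")[1] for a in authorities if a.count(";") >= 2]
        for name in attrs.get("RecordName", []):
            users[name] = tags
    return users


def weaker_admins(users, admin_line, required_tag):
    """Find admin accounts that lack a tag which protects other accounts."""
    admins = set(admin_line.partition(":")[2].split())
    protected = sorted(u for u, tags in users.items() if required_tag in tags)
    weak = sorted(a for a in admins
                  if a in users and required_tag not in users[a])
    return {"protected": protected, "weaker_admins": weak}


if __name__ == "__main__":
    print(weaker_admins(parse_records(SAMPLE_USERS), SAMPLE_ADMINS, "tokenidentity"))
```

Any account reported under `weaker_admins` is an admin account that does not carry the mechanism protecting the accounts under `protected`, which is the situation the last reply says must be addressed.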