Secure account with insecure root?

I see a variety of ways to secure Mac login via authorization plugin, USB dongle, smart card or mobile phone apps over ble. Before I dig into details, I am wondering is it possible to apply one of these methods to a specific account, while the main admin/root account remains less secure? Or, could someone always login to the main admin account and disable whatever configuration has been set for the secured account?

Accepted Reply

I assume that means "yes" but only if the account is under control of an LDAP server?

Ah, I see what you’re getting at here. I was answering based purely on technology, but you’re concerned about overall system security.

If you’re worried about the security of the system as a whole, you must secure any admin accounts. Someone with control over the admin account can do a whole range of weird and wonderful things that could compromise security, even if the account itself is remote.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Before I dig into details, I am wondering is it possible to apply one of these methods to a specific account, while the main admin/root account remains less secure?

Yes. Login authorisation is configured on a per-account basis based on the

kODAttributeTypeAuthenticationAuthority
attribute in the user’s OD record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks, I assume that means "yes" but only if the account is under control of an LDAP server? If there is no remote server, then the host admin account could always reconfigure authorization settings for any other account?


And, if there is a remote server, but it becomes permanently unavailable, then the host owner could delete any assets associated with the account, but could not access the contents?

I assume that means "yes" but only if the account is under control of an LDAP server?

Ah, I see what you’re getting at here. I was answering based purely on technology, but you’re concerned about overall system security.

If you’re worried about the security of the system as a whole, you must secure any admin accounts. Someone with control over the admin account can do a whole range of weird and wonderful things that could compromise security, even if the account itself is remote.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"