0 Replies
Latest reply on Jun 10, 2015 10:54 AM by rtrouton
rtrouton, Level 1 (0 points)

FileVault 2 and fdesetup

Question:

When changing account passwords outside of the login window or System Preferences, it does not appear that the FileVault 2 pre-boot login screen gets updated with the new password information.

Is there a way to force the OS to update the pre-boot login screen with the new password info?

Use cases that may apply:

A. Using the passwd command (running as root) to update the account password
B. Dropping updated plist files into /var/db/dslocal/nodes/Default/users

Answer:

After a password change, you may need to remove and re-add the user with fdesetup. This will flush the old password's derived key and set up a derived key for the new password.

File bug reports for use cases A and B above. The response for use case B may be "That's horrifying. Don't do that."

Remove:

fdesetup remove -user username_goes_here

Re-add:

fdesetup add -usertoadd username_goes_here

         

         

         

         


Question:

Does the FV 2 password change update process work when an AD DC is accessible via WiFi and not via Ethernet? Ran into a case where the OS password properly updated, but the change was not being fed back to pre-boot login. It worked when the Mac was plugged into Ethernet.

Answer:

File a bug report with the specifics. If possible, also open an AppleCare Enterprise ticket and reference the bug report, as that will get more troubleshooting resources focused on it.

Question:

What does opendirectoryd's FDESupport module do?

Answer:

Good question; need to talk to the directory service engineers. Bring that to the Enterprise lab on Thursday and/or Friday.

Question:

Does fdesetup sync also help sync passwords from a directory service?

Answer:

No, it does not sync passwords. Double-check with the directory service folks in the Enterprise lab on Thursday and/or Friday.

Question:

Is there a way to run a deferred enablement which also allows the enablement of a second account? For the purposes of the question, assume that the second account's password has been provided.

Use cases that may apply:

A. An enterprise that wants deferred enablement for the primary user of the machine, but also wants to enable the local admin account for FV 2.

Answer:

Bring that to the Enterprise lab on Thursday and/or Friday. Also, file an enhancement request.

Question:

When using fdesetup enable -inputplist, the password is clear text in the plist. Can this be changed so that the password can be hashed? A colleague of mine has an open bug report for this: BugID: 14023881

Answer:

Please bring that to the Enterprise lab on Thursday and/or Friday.

System Integrity Protection

Question:

Does the new System Integrity Protection on the Recovery partition have a command line tool for enabling and disabling it, similar to the command line tools available for EFI passwords and FV 2 recovery?

Answer:

No, there is no command line tool currently available. File an enhancement request.

Question:

How is System Integrity Protection protecting files and processes?

Answer:

Based on flags set on the filesystem and kernel-level restrictions.

Question:

Which directories and files is System Integrity Protection protecting? Is there a way to get a listing from the command line?

Answer:

/System/Library/Sandbox/rootless.conf is the SIP conf file, but changes to this conf file are not immediately picked up by SIP. /System/Library/Sandbox/rootless.conf itself is protected by SIP.

ls's -O flag (capital O) should show restricted files.

ls -laO lists files and shows restrictions.

Question:

How does System Integrity Protection's disabling function work?

Answer:

This is an implementation detail that Apple didn't want to go into. It may also be subject to change between the current Developer Beta and the current release.

Question:

Is it possible to add custom inclusions and exclusions to System Integrity Protection?

Answer:

/System/Library/Sandbox/rootless.conf is Apple's; it should not be altered by third parties.

Asterisk-marked ( * ) listings in /System/Library/Sandbox/rootless.conf indicate exclusions from the protection.
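As an added example (not part of the original post) serving both the ls -O answer above and the asterisk exclusions here: a shell script that parses a constructed rootless.conf-shaped list into protected and excluded paths and classifies a path by its longest matching entry. The sample entries and the function names are assumptions for the example, not Apple's actual file.

```shell
#!/bin/sh
# Added example (not code from the original post): read a rootless.conf-style
# list, separate SIP-protected paths from the asterisk-marked exclusions, and
# classify a path by its longest matching entry. The config below is constructed
# for this example; the real file is /System/Library/Sandbox/rootless.conf and
# its exact columns may differ.

# Constructed sample in the same shape: optional first column, two tabs, path.
# A leading "*" marks a path that is excluded from protection.
SAMPLE_CONF=$(printf '%s\t\t%s\n' \
  '# constructed sample (comment line)' '' \
  '' '/System' \
  '' '/usr' \
  '*' '/usr/local' \
  '' '/System/Library/CoreServices/DefaultDesktop.jpg' \
  '*' '/System/Library/Caches')

# Paths SIP protects: non-comment lines whose first column is not "*" (path column only).
protected_paths() {
  printf '%s\n' "$1" | awk -F'\t' '/^#/ || NF == 0 { next } $1 !~ /^\*/ { print $NF }'
}

# Paths excluded from protection: the asterisk-marked lines.
excluded_paths() {
  printf '%s\n' "$1" | awk -F'\t' '/^#/ || NF == 0 { next } $1 ~ /^\*/ { print $NF }'
}

# Classify a path as "protected", "excluded" or "unlisted". The longest matching
# entry wins, so an exclusion below a protected tree (here /usr/local under /usr)
# takes effect, mirroring how the * entries carve holes out of protected trees.
classify_path() {
  printf '%s\n' "$1" | awk -F'\t' -v target="$2" '
    /^#/ || NF == 0 { next }
    { path = $NF; kind = ($1 ~ /^\*/) ? "excluded" : "protected" }
    (target == path || index(target, path "/") == 1) && length(path) > best {
      best = length(path); verdict = kind
    }
    END { if (best) print verdict; else print "unlisted" }'
}

# On the Mac itself, BSD ls shows the flag SIP sets: "ls -lO" (capital O) lists
# restricted entries. This wrapper is macOS-only and is not exercised offline.
show_flags() {
  ls -ldO "$1"
}
```

Run `classify_path "$SAMPLE_CONF" /usr/local/bin/foo` to see the exclusion win over the protected /usr tree; on a real Mac, `show_flags /System/Library/CoreServices/DefaultDesktop.jpg` shows the restricted flag the classifier is approximating.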

         

         


Question:

How is the management config for System Integrity Protection updated?

Answer:

Updates to /System/Library/Sandbox/rootless.conf will likely be coming through Software Update.

Question:

It was mentioned in the Security and Your Apps session that one of the ways to change SIP-protected files was via Installer. What needs to be done for an installer package to successfully deploy a change to a SIP-protected file?

Use case in this instance: Replacing /System/Library/CoreServices/DefaultDesktop.jpg with a custom .jpg file.

Answer:

Apple, Inc. needs to sign the installer package; a Developer ID Installer-signed package will not be able to alter SIP-protected files or directories.

File a bug report about excluding /System/Library/CoreServices/DefaultDesktop.jpg from SIP.