Notes from Thursday Education and Enterprise Development Lab

Question:

What does opendirectoryd's FDESupport module do?


Answer:


That's the module which is responsible for taking password updates from opendirectoryd and updating the FV 2 pre-boot login password. It's a helper utility.



Question:


Does fdesetup sync also help sync passwords from a directory service?


Answer:


No, it does not sync passwords. (Same message from both Security and Enterprise labs.)



Question:


Is there a way to run a deferred enablement that also allows the enablement of a second account? For the purposes of the question, assume that the second account's password has been provided.


Use cases that may apply:


A. An enterprise that wants deferred enablement for the primary user of the machine, but also wants to enable the local admin account for FV 2.



Answer:


Please file enhancement requests. (Same message from both Security and Enterprise labs.)





Question:


When using fdesetup enable -inputplist the password is clear text in the plist. Can this be changed so that the password can be hashed? A colleague of mine has an open bug report for this: BugID: 14023881



Answer:


Please file enhancement requests.


Part of the issue is that plists were not originally intended to be stored on disk; instead the authentication information was meant to be piped straight into fdesetup and not expose the password. Secure password storage in a plist, where the password information is still readable by fdesetup, is a challenge.
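As an added example of the approach the answer describes (this is not code from the lab notes or from Apple), the script below builds the authentication plist in memory and pipes it into fdesetup on stdin, so the clear-text password is never written to a file. It also uses the AdditionalUsers key, which is how a second account such as the local admin is enabled in the same non-deferred run (the deferred-plus-second-account combination asked about earlier is what the lab said to file an enhancement request for). The plist keys (Username, Password, AdditionalUsers) are the ones fdesetup documents; the function names and the FDE_* environment variables are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the lab notes or from Apple: build the plist that
# `fdesetup enable -inputplist` reads on stdin entirely in memory and pipe it
# in, so the clear-text password never lands in a file on disk. The key names
# are the ones fdesetup documents; the function names and the FDE_* variables
# are assumptions of this script.

# Escape the characters that would break the XML if a password contains them.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Emit the fdesetup input plist on stdout.
#   $1 = primary user, $2 = its password
#   $3 = optional additional user (e.g. the local admin), $4 = its password
build_fde_plist() {
  user=$(xml_escape "$1"); pass=$(xml_escape "$2")
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
  printf '<plist version="1.0">\n<dict>\n'
  printf '  <key>Username</key>\n  <string>%s</string>\n' "$user"
  printf '  <key>Password</key>\n  <string>%s</string>\n' "$pass"
  if [ -n "${3:-}" ]; then
    extra=$(xml_escape "$3"); extrapass=$(xml_escape "${4:-}")
    printf '  <key>AdditionalUsers</key>\n  <array>\n    <dict>\n'
    printf '      <key>Username</key>\n      <string>%s</string>\n' "$extra"
    printf '      <key>Password</key>\n      <string>%s</string>\n' "$extrapass"
    printf '    </dict>\n  </array>\n'
  fi
  printf '</dict>\n</plist>\n'
}

# Count how many accounts the generated plist will enable (a pre-flight check).
plist_user_count() {
  build_fde_plist "$@" | grep -c '<key>Username</key>'
}

# Pipe the plist straight into fdesetup (must run as root on the Mac being
# enabled). Passwords come from the environment rather than argv so they do
# not show up in `ps` output for every user; root can still read a process's
# environment, so on a production fleet prefer a prompt (read -rs) or an MDM
# that delivers the secret out of band. -outputplist makes fdesetup return
# the recovery key as a plist on stdout; capture and escrow it, it is the
# only copy.
enable_filevault() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  build_fde_plist "$FDE_USER" "$FDE_PASS" "${FDE_ADMIN_USER:-}" "${FDE_ADMIN_PASS:-}" \
    | fdesetup enable -inputplist -outputplist || return 1
  fdesetup list          # confirm which accounts can now unlock the volume
}

# Usage: FDE_USER=alice FDE_PASS='...' FDE_ADMIN_USER=ladmin FDE_ADMIN_PASS='...' sh fde-enable.sh run
if [ "${1:-}" = "run" ]; then
  enable_filevault
fi
```

Nothing in this script removes the underlying issue the answer raises: fdesetup must be able to read the password, so anything that holds it (a pipe, a process environment, an MDM payload) is readable by whoever controls that channel. The gain over a plist file is only that no on-disk artifact survives the run.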

Question:


Is it possible to make Server.app run through the setup process from the command line?


Answer:


Not currently. Please file enhancement requests for this if you want it, as we want to know how many of our customers want this.




Question:


Why can't Server.app currently run through the setup process from the command line?



Answer:


The license must be agreed to and that currently only works through the Server.app GUI.

Replies

Managed Distribution

Does Managed Distribution Device Assignment support in-app purchases?

iAP not supported with MDM device assignment in iOS 9. Apple is aware of the desire for this feature and is discussing the best approach.


Apple Configurator 2

An admin can export a company profile and import to as many machines as needed.

Single sToken - cannot use an institutional sToken with a separate location sToken for application deployment.

The ideal method for Managed Distribution Device Assignment will be utilizing AC 2 as a mechanism to auto-enroll into an MDM.

App thinning is not supported with Apple Configurator.


iOS 9

How will iOS handle storage constraints for iOS updates?

Currently, the iOS update command will fail and the device will not be able to silently update.

Similarly to non-silent updates, 50% battery is required for installation.


A future update to iOS (not iOS 9) may do the following:

Delete tagged App thinning Application data

Delete Managed Applications -> Update iOS -> Push Managed Applications


If these options sound beneficial, please file an enhancement.


Caching Server

Asked to submit enhancements for the following features:

-Pre cache iOS updates or invoke a command to cache iOS updates at time of release

-Automatically purge content or delete content that hasn't been requested after a set time.

-Create an array of applications to specifically Cache once new versions are released


MDM

Asked to submit enhancements for the following feature:

- MDM Setup Assistant - Optionally bind to Active Directory and skip the local standard account creation.


MDM Setup Assistant - What is the security for HSA (hidden service account) creation?

Answer: Mobileconfig file passed down during Setup Assistant. Signed configuration profile passed down through MDM.


MISC

For organizations that have multiple purchasing IDs, please contact Apple for help. It is possible to "umbrella" an organization to use MDM with DEP.


Any possibility that Screen Sharing could be set to require curtain and not be able to take over a console session?

There are no current plans to add this functionality into OS X.


There are security concerns with regard to iCloud Password resets on Active Directory bound machines. A user could potentially reset a mobile user and gain local access.

Please submit a radar concerning this request.


Are there any plans to block OS X major updates from the App Store? It would be great to prevent our users from upgrading day 1. OS X Yosemite was a perfect example due to the login lockout issue.

We have discussed this; please file a radar. 🙂


OS X virtualization on non-OS X hardware?

When **** freezes over.


Virtualization

OS X applications that require hardware acceleration are now working in VMware Fusion Professional.


They should have kept OS X Server as a separate install like it used to be and allowed that to be Virtualized!