It doesn't stop them from using Terminal to turn it off (if they are admins), but nothing's perfect. This grays out the "Turn Off FileVault" button in Security & Privacy > FileVault. A link to a full profile example was posted by Greg Neagle on one of the threads I believe. If you search around here on JN you'll find some posts on it. Second is, look into applying a Config Profile that prevents disabling FileVault from the GUI. So it puts some peace of mind there for you for that. If done right, the local fdesetup policy applied will pick up the key and redirect it to the JSS for escrow instead of it not being escrowed and presented on screen to the user. One is Recovery key redirection in the JSS, which helps in those cases where someone decides they want to set up FileVault manually. Are they even using any type of directory service based accounts to log in with, or are they local accounts? As for FileVault, I suggest looking into two things to go along with it No firmware pass, no FV2, running an unauthorized and probably unprotected copy of Windows in BootCamp. Sounds like right now these Macs are a security nightmare for you. I would go ahead with the plan to get FileVault enabled for them, as that will add some level of security. If one of them has a boot issue that would necessitate booting to Recovery HD to run a fix, you're in a pickle. That would be ideal, and we actually put in an official request with Apple to look into that, but that was years ago and I don't think they will ever do it.
FileVault encryption does prevent that for the most part, which we also use, but the combo of both in place means the machines are well protected, so for now at least, it remains. As an aside, it's unfortunate that Apple hasn't developed a special firmware "mode" where Recovery HD and maybe Safe mode could be used without needing a password, but still prevent removal of the fw password or booting from an external disk unless you knew the firmware password in the first place. The problem is that without one in place, it allows someone with enough Mac technical skill to boot the machine from another volume and try to gain access to data stored on the HD among other things. We're required to have them on all our Macs since they are 99% laptops and our security office is adamant about it, but it does hamper things for those remote workers who run into problems. As mentioned above, it does put a snag in things because it means users can't self-resolve issues by booting to Recovery HD and running a disk repair for example. This method of installing Windows on a Mac is free, but once the OS is up and running, it will ask you to buy a license. Installing Windows 10 using the Boot Camp Assistant works for Macs with Intel processors. If they are alone with no local support, then I can completely understand the concern with putting a fw password on them. The next step in getting Overwatch 2 running on a Mac using Boot Camp is to use the software to install Windows. Let me ask you, is there any IT staff out at the location where these Macs are used, or are these users essentially on their own? If it's the former, you could give local IT staff the firmware password in the event of any boot issues, with clear instructions to never give it to a user.