Enforcing FileVault on local accounts

New in Leopard is the ability to protect an account with FileVault as it is being created. When creating a mobile account, you can check the box to use FileVault, and this setting is easy to enforce with Workgroup Manager’s preference management as part of the Mobility settings.

If you use the Accounts preference pane to create a local account, you’ll see a new checkbox labeled “Turn on FileVault protection”, but it’s unchecked by default. What if your organization wants to ensure that all accounts — even purely local accounts — on laptops are protected with FileVault? With Workgroup Manager’s preference management, there does not seem to be a way to manage this setting in the Accounts preference pane. But you can manage it if you dig a little deeper…

You’ll need to use the “Details” view in the Preferences editor in WGM to directly manage specific preferences. Choose a Computer or ComputerGroup to manage, click the Preferences icon in the toolbar, then select the Details pane. Click the “+” button to add a new preference domain. Navigate to /Applications and double-click on the System Preferences app.

You should now have the com.apple.systempreferences domain available to you, and it should look like this:

[Screenshot: the com.apple.systempreferences domain listed in the Details pane]

Double-click the entry for com.apple.systempreferences, and delete all the imported keys – we don’t want any of them. Turn down the “Always” dictionary, and add a new key like this:

[Screenshot: the forceFVforNewUsers key added under the “Always” dictionary]

Save your changes.

If you want to look at this via the command line:

dscl mcxread /ComputerGroups/my_managed_laptops com.apple.systempreferences
Key: com.apple.preferences.accounts.forceFVForNewUsers
State: always
Value: 1

On the managed machine(s), log out and back in, and go to the Accounts preferences pane and try to create a new account. It should look like this:

[Screenshot: the new account dialog with FileVault protection selected]

Hooray! FileVault is selected by default, and it can’t be unselected. Problem solved.

Note that by default, “Use secure virtual memory” is unchecked. If you want that on by default, you’ll need to manage com.apple.virtualMemory UseEncryptedSwap. The technique is similar. Via the command line, it looks like:

dscl mcxread /ComputerGroups/my_managed_laptops com.apple.virtualMemory
Key: UseEncryptedSwap
State: always
Value: 1

For some reason, even when it’s set to be managed always, the checkbox can still be deselected by the user. Grrr.


7 thoughts on “Enforcing FileVault on local accounts”

  1. MrWinter says:

    Hey Greg,
    as you’re a knowledgeable chap… do you know if there is any way to turn on Filevault protection on an account when creating it at the command line using the dscl commands floating about the net at the moment?
    I’m writing a script to add a new user account which queries our ldap db for the users correct UID and GID and uses those but I can’t figure out how to create a filevaulted account at the same time.
    Is it possible?

    Many thanks,

    MrW.

  2. MrWinter:

    I’m sure it could be done. You’d have to use hdiutil (man hdiutil) to create an encrypted sparsebundle diskimage, which you’d then put in /Users/username (creating that directory if needed), then create the account using dscl. The last trick is creating the HomeDirectory attribute, which will look something like:

    dscl . -create /Users/user HomeDirectory 'file://localhost/Users/user/user.sparsebundle'

  3. Jeff says:

    Anyway to turn on the filevault for everyone from the dscl? And is it possible to activate filevault for existing users from the command line too? Thanks

  4. No. You can’t automatically turn on FileVault for existing accounts. Even if the tools supported this, you’d need the user’s password. It would be nice to be able to set something that said “on the next login (or logout) turn on FileVault for [this user|all users]”, but nothing like this exists.

    What I’ve done is write a script that looks at all the local accounts and emails me when there’s one that doesn’t have FileVault turned on. But since I started using MCX to enforce FileVault for all new local and mobile accounts, this has become quite rare.
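Added example (not Greg’s script, and not part of the original post): an audit in the spirit of the check described above, which flags local accounts (UID 500 and up) whose home is not a FileVault sparsebundle. It assumes the Leopard record layout shown in comment 2, i.e. a FileVault user’s HomeDirectory attribute points at a file://localhost/Users/<user>/<user>.sparsebundle image, and that a plain account has an ordinary /Users/<user> path. The parsing is exercised on a constructed sample so it runs anywhere; the optional live_records helper shows how the same lines would be generated from dscl on a Mac.

```shell
#!/bin/sh
# Added example: find local accounts without a FileVault home on Leopard.
# Assumption: FileVault homes show up as a HomeDirectory attribute ending in
# ".sparsebundle" (see the dscl line in comment 2 above).

# Classify a single HomeDirectory value: "filevault" or "plain".
classify_home() {
  case "$1" in
    *.sparsebundle|*.sparsebundle/) echo filevault ;;
    *) echo plain ;;
  esac
}

# Read "user uid home" records on stdin and print the name of every
# account with UID >= 500 whose home is not FileVault-protected.
find_unprotected() {
  while read -r user uid home; do
    [ -n "$user" ] || continue
    [ "$uid" -ge 500 ] || continue        # skip system accounts
    if [ "$(classify_home "$home")" = plain ]; then
      echo "$user"
    fi
  done
}

# Optional live helper (assumed dscl invocations; only meaningful on a Mac):
# emits one "user uid home" line per local account, falling back to the
# NFSHomeDirectory path when no HomeDirectory attribute is set.
live_records() {
  dscl . -list /Users UniqueID | while read -r user uid; do
    home=$(dscl . -read "/Users/$user" HomeDirectory 2>/dev/null | sed 's/^HomeDirectory: *//')
    [ -n "$home" ] || home=$(dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | sed 's/^NFSHomeDirectory: *//')
    echo "$user $uid $home"
  done
}

# Constructed sample standing in for live_records output.
SAMPLE='root 0 /var/root
greg 501 file://localhost/Users/greg/greg.sparsebundle
guest 502 /Users/guest
admin 503 /Users/admin'

# Returns the unprotected accounts from the constructed sample, space separated.
sample_unprotected() {
  printf '%s\n' "$SAMPLE" | find_unprotected | tr '\n' ' ' | sed 's/ $//'
}

if [ "${1:-}" = "--live" ]; then
  live_records | find_unprotected
else
  sample_unprotected
fi
```

Run it with --live on a managed Mac to audit real accounts; the non-empty output is what a cron job could mail to you. With MCX forcing FileVault on new accounts, the list should only ever contain accounts that predate the policy.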

  5. MrWinter says:

    Agreed, MCX is the way to go .
    I never managed to get home directories I’d made with my dscl script to work quite properly so gave up.

    Greg, I’d be interested in seeing your check script if you were willing to share…🙂

Comments are closed.