I’ve seen a few online questions about how to prevent users from turning off FileVault 2.
The first line of defense, of course, is to not give admin rights to those users. As of Mavericks, however, there is an additional tool — you can use a configuration profile to prevent turning off FileVault (or at least disable the controls in the Security and Privacy preference pane — very clever users with admin rights might still be able to turn it off using Disk Utility or the command-line diskutil tool).
Here is a configuration profile that disables the “Turn off FileVault” button in the FileVault tab of the Security and Privacy preference pane.
Since admin users can also remove configuration profiles, you should probably also lock this profile, requiring a password to remove it. That’s an exercise left for the reader, but here’s a starting point…
Add something like this to the PayloadContent array:
<dict>
    <key>PayloadDescription</key>
    <string>Configures Configuration Profile security</string>
    <key>PayloadDisplayName</key>
    <string>Profile Security</string>
    <key>PayloadIdentifier</key>
    <string>0dc319a0-c331-0131-eeb5-000c294ab81b.alacarte.ProfileSecurity</string>
    <key>PayloadType</key>
    <string>com.apple.profileRemovalPassword</string>
    <key>PayloadUUID</key>
    <string>65a90a90-c331-0131-eeb9-000c294ab81b</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>RemovalPassword</key>
    <string>PrOf1leReM0v@lPa$$w0rdG0esHere</string>
</dict>
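One way to script that step, as an added example (not code from the original post): the Python below appends a removal-password payload to a profile's PayloadContent array with a fresh PayloadUUID, and refuses to add a second one. The sample profile, its `com.example` identifiers and the function names are constructed for illustration.

```python
import plistlib
import uuid

REMOVAL_TYPE = "com.apple.profileRemovalPassword"

# Constructed sample profile (not the one linked from the post); the
# identifiers and UUIDs are made up, and the single payload is a stand-in
# for the post's FileVault restriction.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.filevault-lock",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadDisplayName": "FileVault lock (sample)",
    "PayloadContent": [{
        "PayloadType": "com.apple.MCX",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.filevault-lock.fde",
        "PayloadUUID": "66666666-7777-8888-9999-000000000000",
        "dontAllowFDEDisable": True,
    }],
})


def removal_payloads(profile_bytes):
    """Return the removal-password payloads found in a profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == REMOVAL_TYPE]


def add_removal_password(profile_bytes, password):
    """Append a removal-password payload and return the new profile as bytes."""
    if not password:
        raise ValueError("removal password must not be empty")
    if removal_payloads(profile_bytes):
        raise ValueError("profile already carries a removal password payload")
    profile = plistlib.loads(profile_bytes)
    profile.setdefault("PayloadContent", []).append({
        "PayloadDescription": "Configures Configuration Profile security",
        "PayloadDisplayName": "Profile Security",
        "PayloadIdentifier": profile["PayloadIdentifier"] + ".ProfileSecurity",
        "PayloadType": REMOVAL_TYPE,
        "PayloadUUID": str(uuid.uuid4()),  # fresh UUID for the new payload
        "PayloadVersion": 1,
        "RemovalPassword": password,
    })
    return plistlib.dumps(profile)
```

The RemovalPassword value is written into the profile as a plain string, so anyone who can read the resulting file can read the password; restrict access to it accordingly.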
2 thoughts on “Preventing users from disabling FileVault 2”
How do you create a configuration profile? Sorry, I am a Mac newbie. Thanks
There’s one linked in the main article:
Configuration profiles are essentially text files.
Sounds like you have a lot of research and learning to do. Lots of information and resources available on configuration profiles and OS X preference management…