FileVault 2 and fdesetup
Question:
When changing account passwords outside of the login window or System Preferences, it does not appear that the FileVault 2 pre-boot login screen gets updated with the new password information.
Is there a way to force the OS to update the pre-boot login screen with the new password info?
Use cases that may apply:
A. Using the passwd command (running as root) to update the account password
B. Dropping updated plist files into /var/db/dslocal/nodes/Default/users
Answer:
After a password change, you may need to remove and re-add the user with fdesetup. This will flush the old password's derived key and set up a derived key for the new password.
File bug reports for use cases A and B above. The response for use case B may be "That's horrifying. Don't do that."
Remove:
fdesetup remove -user username_goes_here
Re-add:
fdesetup add -usertoadd username_goes_here
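As an added example (not part of the session notes and not Apple's own tooling), the script below applies the remove/re-add sequence above after an out-of-band password change, scripted rather than typed interactively. It assumes macOS with fdesetup(8) run as root, the `fdesetup list` output format of one `username,UUID` per line, and the `fdesetup add -inputplist` keys Username, Password and AdditionalUsers, where Username/Password belong to an account that is already FileVault-enabled and authorizes the addition. The plist is generated into a pipe so the clear-text password never lands in a file on disk.

```shell
#!/bin/bash
# Added example: re-enrol a user's FileVault 2 unlock key after the account
# password was changed outside the login window (e.g. passwd as root).
# Assumptions: macOS, run as root, and a second FileVault-enabled account
# (the "admin" below) whose password is known, because fdesetup add -inputplist
# authorizes the addition with an already-enabled user.

# Escape a value for inclusion in a plist <string> element.
fv_xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Emit the input plist for `fdesetup add -inputplist` on stdout. It is fed to
# fdesetup through a pipe, never written to a file, so the clear-text password
# is not left on disk.
fv_add_plist() {
  local admin_user admin_pass target_user target_pass
  admin_user=$(fv_xml_escape "$1"); admin_pass=$(fv_xml_escape "$2")
  target_user=$(fv_xml_escape "$3"); target_pass=$(fv_xml_escape "$4")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>${admin_user}</string>
  <key>Password</key><string>${admin_pass}</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>${target_user}</string>
      <key>Password</key><string>${target_pass}</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Read `fdesetup list` output ("username,UUID" per line) from stdin;
# exit 0 if $1 is a FileVault-enabled user.
fv_user_enabled() {
  awk -F, -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Remove the target (discarding the key derived from the old password) and
# add it back so a key is derived from the current password.
fv_reenroll() {
  local target="$1" admin="$2" admin_pass="$3" new_pass="$4" listing
  [ "$target" != "$admin" ] || { echo "admin and target must differ" >&2; return 1; }
  listing=$(fdesetup list) || return 1
  printf '%s\n' "$listing" | fv_user_enabled "$target" \
    || { echo "$target is not FileVault-enabled; nothing to refresh" >&2; return 1; }
  printf '%s\n' "$listing" | fv_user_enabled "$admin" \
    || { echo "$admin must be FileVault-enabled to authorize the re-add" >&2; return 1; }
  fdesetup remove -user "$target" || return 1
  fv_add_plist "$admin" "$admin_pass" "$target" "$new_pass" | fdesetup add -inputplist || return 1
  fdesetup list | fv_user_enabled "$target" && echo "$target re-enrolled with the current password"
}

# Usage: sudo ./fv_reenroll.sh <username>   (prompts for the credentials)
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ] && [ $# -eq 1 ]; then
  read -rp "FileVault-enabled admin user: " ADMIN_USER
  read -rsp "Password for $ADMIN_USER: " ADMIN_PASS; echo
  read -rsp "Current (new) password for $1: " NEW_PASS; echo
  fv_reenroll "$1" "$ADMIN_USER" "$ADMIN_PASS" "$NEW_PASS"
  unset ADMIN_PASS NEW_PASS
else
  echo "usage (macOS, as root): $0 <username>" >&2
fi
```

The target and authorizing accounts must differ: removing the only enabled user would leave nobody able to authorize the re-add, which is why the script checks both against `fdesetup list` before touching anything.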
Question:
Does the FV 2 password change update process work when an AD DC is accessible via WiFi and not via Ethernet? Ran into a case where the OS password properly updated, but the change was not being fed back to pre-boot login. It worked when the Mac was plugged into Ethernet.
Answer:
File a bug report with the specifics. If possible, also open an AppleCare Enterprise ticket and reference the bug report as that will get more troubleshooting resources focused on it.
Question:
What does opendirectoryd's FDESupport module do?
Answer:
Good question; we need to talk to the directory service engineers. Bring that to the Enterprise lab on Thursday and/or Friday.
Question:
Does fdesetup sync also help sync passwords from a directory service?
Answer:
No, it does not sync passwords. Double-check with the directory service folks in the Enterprise lab on Thursday and/or Friday.
Question:
Is there a way to run a deferred enablement which also allows the enablement of a second account? For the purposes of the question, assume that the second account's password has been provided.
Use cases that may apply:
A. An enterprise that wants deferred enablement for the primary user of the machine, but also wants to enable the local admin account for FV 2.
Answer:
Bring that to the Enterprise lab on Thursday and/or Friday. Also, file enhancement request.
Question:
When using fdesetup enable -inputplist, the password is clear text in the plist. Can this be changed so that the password can be hashed? A colleague of mine has an open bug report for this: BugID: 14023881
Answer:
Please bring that to the Enterprise lab on Thursday and/or Friday.
System Integrity Protection
Question:
Does the new System Integrity Protection on the Recovery partition have a command line tool for enabling and disabling it, similar to the command line tools available for EFI passwords and FV 2 recovery?
Answer:
No, there is no command line tool currently available. File an enhancement request.
Question:
How is System Integrity Protection protecting files and processes?
Answer:
Based on flags set on the filesystem and kernel-level restrictions.
Question:
Which directories and files is System Integrity Protection protecting? Is there a way to get a listing from the command line?
Answer:
/System/Library/Sandbox/rootless.conf is the SIP conf file, but changes to this conf file are not immediately picked up by SIP. /System/Library/Sandbox/rootless.conf itself is protected by SIP.
ls's -O flag (capital O) should show restricted files
ls -laO lists files and shows restrictions
Question:
How does System Integrity Protection's disabling function work?
Answer:
Implementation detail that Apple didn't want to go into. It may also be subject to change between the current Developer Beta and the current release.
Question:
Is it possible to add custom inclusions and exclusions to System Integrity Protection?
Answer:
/System/Library/Sandbox/rootless.conf is Apple's; it should not be altered by third parties.
Asterisk-marked ( * ) listings in /System/Library/Sandbox/rootless.conf will indicate exclusions to the protection.
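As an added example covering both the ls -O answer above and the asterisk-marked exclusions in rootless.conf (not part of the session notes, not Apple's tooling), the script below audits SIP coverage from the command line. It assumes the rootless.conf layout seen in the 10.11 file (tab-separated fields, the path last, a leading `*` marking an exclusion) and BSD ls -lO output with the file flags in the fifth column, `restricted` being the SIP flag; the sample inputs embedded in it are constructed so the parsers can be exercised off a Mac.

```shell
#!/bin/bash
# Added example: parse rootless.conf and `ls -lO` output to check which
# paths SIP protects, which are excluded, and whether protected paths
# actually carry the "restricted" flag. Format assumptions are noted above.

SIP_CONF=/System/Library/Sandbox/rootless.conf

# Constructed rootless.conf fragment (tab-separated like the real file).
SIP_SAMPLE_CONF=$(printf '\t\t\t\t/System\n*\t\t\t\t/System/Library/Caches\n\t\t\t\t/usr\n*\t\t\t\t/usr/local\n')

# Constructed `ls -laO` lines in the BSD ls layout (flags in column 5,
# "-" when a file has no flags).
SIP_SAMPLE_LS=$(cat <<'EOF'
total 16
drwxr-xr-x   4 root  wheel  restricted   136 Jun  8 21:03 System
-rw-r--r--   1 root  wheel  restricted  2049 Jun  8 21:03 rootless.conf
drwxrwxr-x  10 root  admin  -            340 Jun  8 21:03 Applications
-rw-r--r--   1 root  wheel  hidden      1024 Jun  8 21:03 .hidden
EOF
)

# Paths rootless.conf protects: skip comments, blank lines and '*' exclusions.
sip_conf_protected() { awk '!/^[#*]/ && NF { print $NF }'; }
# Paths rootless.conf explicitly excludes from protection.
sip_conf_exclusions() { awk '/^\*/ { print $NF }'; }
# Names from `ls -lO` output whose flags field contains "restricted".
sip_restricted_names() { awk '$5 ~ /(^|,)restricted(,|$)/ { print $NF }'; }

# Report exclusions, then every protected path that exists but lacks the flag
# (expected right after editing rootless.conf, since changes are not picked up
# immediately, or on a volume where SIP has not applied).
sip_audit() {
  local conf path
  if [ -r "$SIP_CONF" ]; then conf=$(cat "$SIP_CONF"); else conf=$SIP_SAMPLE_CONF; fi
  echo "Excluded from SIP:"; printf '%s\n' "$conf" | sip_conf_exclusions
  echo "Protected paths lacking the restricted flag:"
  printf '%s\n' "$conf" | sip_conf_protected | while IFS= read -r path; do
    [ -e "$path" ] || continue
    ls -ldO "$path" 2>/dev/null | sip_restricted_names | grep -q . || echo "  $path"
  done
}

if [ "$(uname -s)" = "Darwin" ]; then
  sip_audit
else
  echo "sip_audit needs macOS (BSD ls -O); parsers run on the sample data." >&2
  printf '%s\n' "$SIP_SAMPLE_LS" | sip_restricted_names
fi
```

On a Mac the audit reads the live rootless.conf; elsewhere it falls back to the constructed sample so the parsers can still be exercised.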
Question:
How is the management config for System Integrity Protection updated?
Answer:
Updates to /System/Library/Sandbox/rootless.conf will likely be coming through Software Update.
Question:
It was mentioned in the Security and Your Apps session that one of the ways to change SIP-protected files was via Installer. What needs to be done for an installer package to successfully deploy a change to a SIP-protected file?
Use case in this instance: Replacing /System/Library/CoreServices/DefaultDesktop.jpg with a custom .jpg file.
Answer:
Apple, Inc. needs to sign the installer certificate. Developer ID: Installer-signed packages will not be able to alter SIP-protected files or directories.
File a bug report about excluding /System/Library/CoreServices/DefaultDesktop.jpg from SIP.