PezzaD84 / macLAPS

LAPS solution for macOS managed with Jamf

Add securetoken to LAPS admin #4

Closed JacksonR4All closed 1 year ago

JacksonR4All commented 1 year ago

Is there a solution to automate authorising the created user as a FileVault user? It doesn't create the token for the admin user until it logs in for the first time, so in a situation where the machine is restarted, the LAPS admin could not unlock the drive if it has never been logged in. For our new machines we can add logging into the user for the first time to the workflow to create the token, but for the machines that have already been deployed it would be great if there were a way to authenticate the user as a FileVault user remotely without touching each machine.

I would use sysadminctl, but the LAPS admin is the only local admin, so it cannot authenticate itself as a secure user, so I am wondering if there is a solution for this issue.

PezzaD84 commented 1 year ago

Hi @JacksonR4All

Sorry for the delayed reply.

Unfortunately there is no way to automate the passing of the secure token to another user, so in this case getting the LAPS account to unlock FileVault will be a manual process, or use a script which prompts the user to enter the admin password. There is currently no LAPS solution which manages to set the LAPS account as a FileVault user, and even JAMF's new LAPS solution comes with a disclaimer that the account will not be able to unlock FileVault.

The way around this, which is what I suggest to customers, is to use a zero-touch workflow. Using products like JAMF Connect to enable SSO at first login makes the end user the FileVault user for that device. This allows the end user to unlock the device but also provides a recovery key which can be escrowed to an MDM platform such as JAMF, which admins can use to unlock the disk if ever needed. The LAPS account can still be used to run admin commands, and if the user logs off the LAPS account can log in, but obviously a reboot would lock the drive again.

Hope that helps a little.
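The "script which prompts the user to enter the admin password" route mentioned in the reply, and the sysadminctl grant the question asks about, look like this in practice. This is an added example, not code from macLAPS or from either commenter. It assumes a hypothetical LAPS admin short name of `lapsadmin` (overridable via `LAPS_ADMIN`) and that the current LAPS password is supplied in the `LAPS_PASSWORD` environment variable; it is meant to be run as root from a Jamf policy on a Mac where the console user already holds a Secure Token. The two pure helpers (`secure_token_enabled`, `extract_dialog_text`) can be exercised anywhere; the rest only works on macOS.

```shell
#!/bin/bash
# Added example, not part of macLAPS. Grants a Secure Token to the LAPS admin
# by asking the currently logged-in token holder for their password, which is
# the manual "prompt the user" route described in the issue reply.
#
# Assumptions (hypothetical): the LAPS admin short name is "lapsadmin" and its
# current password is passed in via the LAPS_PASSWORD environment variable.

LAPS_ADMIN="${LAPS_ADMIN:-lapsadmin}"

# `sysadminctl -secureTokenStatus <user>` prints (to stderr) a line ending in
# "Secure token is ENABLED for user <user>" or "... DISABLED ...". Return 0
# only for ENABLED so callers can branch on it.
secure_token_enabled() {
  case "$1" in
    *"Secure token is ENABLED"*) return 0 ;;
    *) return 1 ;;
  esac
}

# osascript's "display dialog" returns "button returned:OK, text returned:<pw>";
# keep only the typed text.
extract_dialog_text() {
  printf '%s\n' "$1" | sed -n 's/.*text returned://p'
}

# Short name of the user at the console (owner of /dev/console). macOS only.
console_user() {
  stat -f%Su /dev/console
}

# Show a hidden-answer password dialog inside the console user's session;
# launchctl asuser is needed because a Jamf policy runs as root.
prompt_user_password() {
  local user="$1" uid raw
  uid=$(id -u "$user")
  raw=$(launchctl asuser "$uid" osascript -e \
    'display dialog "Enter your Mac password to authorise the management account for FileVault" default answer "" with hidden answer buttons {"OK"} default button 1')
  extract_dialog_text "$raw"
}

grant_laps_secure_token() {
  local user pw status
  user=$(console_user)

  # Only an existing token holder can grant a token, so check first.
  status=$(sysadminctl -secureTokenStatus "$user" 2>&1)
  if ! secure_token_enabled "$status"; then
    echo "Console user $user has no Secure Token; cannot grant one" >&2
    return 1
  fi

  pw=$(prompt_user_password "$user")

  # Verify the typed password locally before handing it to sysadminctl.
  if ! dscl /Local/Default -authonly "$user" "$pw" >/dev/null 2>&1; then
    echo "Password check failed for $user" >&2
    return 1
  fi

  # The token holder authorises the grant; the LAPS password is also required.
  sysadminctl -secureTokenOn "$LAPS_ADMIN" -password "$LAPS_PASSWORD" \
    -adminUser "$user" -adminPassword "$pw" 2>&1

  # Confirm the grant rather than trusting the exit status alone.
  status=$(sysadminctl -secureTokenStatus "$LAPS_ADMIN" 2>&1)
  if secure_token_enabled "$status"; then
    echo "Secure Token granted to $LAPS_ADMIN"
  else
    echo "Secure Token grant failed: $status" >&2
    return 1
  fi
}

# Perform the grant only when explicitly asked, so loading the file for its
# helper functions has no side effects.
if [ "${1:-}" = "--run" ]; then
  grant_laps_secure_token
fi
```

Two caveats a practitioner should weigh before deploying this: both passwords are passed to sysadminctl on its command line, so they are briefly visible in the process list on that Mac, and the grant still depends on a human typing their password, so it does not solve the unattended, already-deployed-fleet case the question raises. Granting the token to the LAPS admin also means every later LAPS rotation must keep that account's FileVault password in sync, which is the reason the reply recommends escrowing the recovery key instead.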