Re: [Fed-Talk] FileVault 2.0 + CAC card
- Subject: Re: [Fed-Talk] FileVault 2.0 + CAC card
- From: Jim Thomas <email@hidden>
- Date: Wed, 12 Sep 2012 09:48:14 -0500
Though it does not happen often, I am willing to admit that I am a
fallible human being, and can be wrong from time to time.
I was wrong.
My initial statements were based on half experience, half anecdotal
information, so I had to set up a test environment with a 10.8 Mac
to confirm or deny the capability. Though you can add a Mobile
Account in the FV2 Pref Pane, it is only capable of taking a
password for the user in order to add it in the first place. Once
added, as Mr. Geddis alluded, the boot login dialog can also only
work with password, and doesn't allow for two-factor at all.
The section to which he referred:
----------------------------------------
At this very early stage of the boot phase, none of the OS-reliant
services are able to load because they’re dependent on the OS
running. This means that alternative authentication mechanisms other
than password-based authentication aren’t supported at this time.
Any support for additional two-factor authentication mechanisms,
such as smart cards or one-time passwords (OTP), requires further
development of those services in the highly restricted space and
execution of EFI. If an organization needs to use smart cards for
authenticating and unlocking access to encrypted storage, use of
container-based Legacy FileVault should be examined more closely.
More information about Legacy FileVault and its support for smart
cards can be found by searching http://www.apple.com/support.
----------------------------------------
At this point, it sounds like a limitation of the EFI, but one that
Apple is fully aware of.
That said, I do know that a Mobile Account with a password can
indeed be set to unlock the disk, as I have tested that myself on my
own machine.
I apologize for any confusion caused by an incomplete test on my
part, but hope that it is fully understandable now.
---Jim
On 9/11/12 10:05 AM, Shawn Geddis wrote:
"Reading is Fundamental" ...
Section: "Two-Factor Authentication" pg 39...
Subject: [Fed-Talk] [Posted] Best Practices for Deploying FileVault 2
Date: August 29, 2012 1:15:12 PM EDT
Fed-Talk Community,
Those of you that have been asking for a whitepaper on Deploying and Understanding FileVault 2 can now grab a fresh copy of the 1.0 version from the Apple Training and Certification website for OS X and OS X Server.
Training OS X: http://training.apple.com/osx
Best Practices for Deploying FileVault 2
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division
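The thread establishes that only password-holding accounts (including Mobile Accounts) can be enabled to unlock a FileVault 2 volume at the EFI pre-boot stage. A practical defender follow-up is to audit which accounts have actually been granted that ability. The script below is an added example, not code from the thread or from Apple's whitepaper; it assumes a Mac with `fdesetup` (OS X 10.8 or later, run as root) whose `fdesetup list` output is one `username,UUID` line per enabled account, and the allow-list names and UUIDs in it are constructed sample values.

```shell
#!/bin/sh
# Added example: audit the accounts enabled to unlock a FileVault 2 volume
# and flag any that are not on an expected allow list.
# Assumes macOS `fdesetup` (10.8+); `fdesetup list` prints "username,UUID"
# per enabled account, which is the format parsed here.

# Accounts expected to be able to unlock the disk (constructed sample values).
ALLOWED="admin jthomas"

# Return 0 if $1 appears in the space-separated allow list, 1 otherwise.
is_allowed() {
    for a in $ALLOWED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Read "username,UUID" lines on stdin; print each unexpected account.
# Exit status 0 when every enabled account is on the allow list, 1 otherwise.
audit_fv_users() {
    rc=0
    while IFS=, read -r user uuid; do
        [ -z "$user" ] && continue
        if ! is_allowed "$user"; then
            echo "unexpected FileVault user: $user ($uuid)"
            rc=1
        fi
    done
    return $rc
}

# Live run on a Mac (needs root); elsewhere, exercise the audit on a
# constructed sample so the script can be tried without fdesetup.
if command -v fdesetup >/dev/null 2>&1; then
    fdesetup status
    fdesetup list | audit_fv_users || echo "audit: unexpected accounts found"
else
    printf '%s\n' 'admin,AAAA-SAMPLE-UUID' 'contractor,BBBB-SAMPLE-UUID' \
        | audit_fv_users || echo "audit: unexpected accounts found (sample data)"
fi
```

Run it with `sudo sh fv_audit.sh` on the Mac being checked; an account that appears in the output but was never meant to unlock the disk (a stale Mobile Account, for example) can then be removed with `fdesetup remove`.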
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden