Wednesday, February 11, 2015

Mac OS X Extras: Using Centrify and AD GPOs to Manage File Vault 2 Disk Encryption


Apple protects data at rest using symmetric encryption (AES-128) for OS X systems. File Vault 2 was introduced in OS X Lion and support for GPO Management with Centrify was released with version 2013.2 (5.1.1).  This post will document the steps to set up FV2 management leveraging Centrify's AD GPOs.

What are you gaining by doing this?
FV2 provides the mechanisms to generate an Institutional key to be distributed to systems.  With Centrify and leveraging GPOs this can be done centrally.  This way you can distribute the certificate and provide a mechanism for recovery in case an user can't decrypt their drive.

More Resources:
Brian does a great job here and John in the Centrify for Mac online CBT.  Thanks to both since I used their materials as research for this post.


Pre-Requisites to use Centrify GPOs with FileVault2
  • The system hostname has to match how the computer was joined to active directory.
    To verify, on a terminal, type the hostname command and compare it with the joined as name in AD (adinfo --name).  Alternatively you can use the adquery user -A computername$ command too.  The command sudo scutil --set HostName your-hostname can update the hostname if needed.
    $ hostname
    $ adinfo --name
    $ adquery user -A mac109$
  • Ideally, the system is configured for Dynamic DNS; DNS is well-maintained or you issue the addns command.
    $ sudo addns -U -m
    Updating host records for on
    Updated host records
    Updating reverse lookup records for on
    Updated reverse lookup record

    $ ping mac109
    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=64 time=0.044 ms
    64 bytes from icmp_seq=1 ttl=64 time=0.067 ms

  • The Mac must have the recovery partition installed - this is required to boot and request the password to decrypt the disk.  You can use the diskutil list command to enumerate partitions.
    $ diskutil list | grep Recovery
    3:    Apple_Boot Recovery HD             650.0 MB   disk0s3
  • Institutional Account - you need a mobile-enabled (see my video on how to do this with GPOs) AD account that can be used as the "Managed by" field in the computer object.
Other things to plan for:
  • Assurance around the handling of the institutional certificate.
  • Lifecycle management of the Certificate (usually good for a year but not checked by OS X)
  • Securing the Institutional Account's password.
  • Computers with File Vault 2 enabled by the end-user  (10.9 has improvements on this)
Implementation and Verification

First, we need to use a Centrified system as the "template" to create the FileVault2 Master Password with in turn will create a Certificate and a Keychain.
  1. Sign-on to the template Centrified system with the Account to be used for Recovery.
  2. Go to System Preferences > Users and Groups and unlock the Padlock
  3. Click on the Gears under Login Options and Select "Set Master Password"
  4. Navigate to /Library/Keychain and you will see two files: 
    • FileVaultMaster.keychain
    • FileVaultMaster.cer
      Double-click the FileVaultMaster.keychain, this will open KeyChain Access.
  5. Right-click the FileVaultMaster Certificate and Select "Export FileVault Recovery Key" and save it as a .cer in a known location.
Note:  Make sure you delete all copies of the keychain, certificate and secure the .cer file after you have used it.

Now we need to setup the "Managed By" attribute in Active Directory for the computer object corresponding to the template system.
  1. Open Active Directory Users and Computers (ADUC)
  2. Navigate to find your MacOS template computer, right click and select properties.
  3. Go to the Managed By tab and click Change.  Select the Recovery account.
  4. Press OK and close ADUC
Next, we need to enable the GPO for File Vault 2.
  1. Open GPMC and navigate to your Mac GPO, right click and select edit.
  2. Navigate to Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security and Privacy  and select "Enable File Vault2" 
  3. Enable the GPO and click select and browse to find the FileVault2 Certificate generated from the Master Key in the first section.

    Note the expiration of the Certificate.  You need to update the master keychain password and get the certificate renewed and the GPO updated in time (or not, given that OS X does not check validity)
Finally, we refresh the group policies and review the effective changes. This way the Centrify agent will distribute the certificate via GPO and set up File Vault 2 for you.
  1. Log on to the Centrified Mac and open Terminal.  Run adgpupdate.  This will refresh the GPOs.
  2. Log out.  This will prompt a synchronization of the mobile configuration.  Attempt login and you'll be prompted for the user's password.  This will enable FileVault2 and you'll go to firmware boot.  The user will be prompted for the password to decrypt FV2 and continue the boot process.
  3. At this point you can verify that FV2 is being enabled by looking at System Preferences > Security and Privacy > File Vault 2.
At this point all we need to do is add additional users that can decrypt the FV2 disk, by using the Enable Users button.  This window will list all users with Mobile Accounts that can be added.  In this case, since this computer will be used by Fred Thomas and Diana Wirth, I enabled their accounts as well as the local admin Centrify SE.  You will need to type in each user's password or the user has to be present to type those credentials.

When users type in their AD password, they can continue to boot and their session is automatically logged in.

From now, all Centrified OS X computers joined to the target will be enabled for FV2 automatically and the AD account will be able to serve as recovery.

Here are some adjustment categories:
  • Differences between OS X versions
  • Automating the Master password/Keychain/Cert using a script
  • Automatically adding mobile users to decrypt drives
  • Helping an AD user with recovery
  • Vaulting and cycling the recovery account
  • Different recovery accounts by business unit using an OU, etc.

No comments:

Post a Comment