Script to manage Secure Tokens on macOS 10.14.2+

Just a quick post before heading into the weekend, and leaving Secure Tokens far behind me for a couple of days. I just want to share this attempt to make a script to manage Secure Tokens prior to enabling FileVault.

The idea is to make sure that you have an Administrator account with a Secure Token, so that you can still manipulate the tokens and FileVault later. This is especially important if you limit the end user to creating a non-admin/standard account, or use managed mobile accounts at automated enrolment.
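As an added illustration, and not the post's own script (which is not reproduced here), the shell sketch below checks which members of the local admin group hold a Secure Token and shows the commands involved in granting one or promoting a token holder. It assumes macOS 10.13 or later with sysadminctl, dscl and dseditgroup available, and relies on the "Secure token is ENABLED/DISABLED for user" wording of sysadminctl's status output; the helper names are this example's own, and the parsing is written so it can be exercised on constructed sample output on any POSIX shell.

```shell
#!/bin/sh
# Added example for this page, not the post's script. It checks which local
# admin accounts hold a Secure Token before FileVault is enabled, and shows
# how a token is granted and how a token holder is promoted to admin.
# Assumptions: macOS 10.13+ (sysadminctl, dscl, dseditgroup) and the
# "Secure token is ENABLED/DISABLED for user" wording of the status output.

# Map the output of `sysadminctl -secureTokenStatus <user>` (it is written
# to stderr) to ENABLED, DISABLED or UNKNOWN.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                     echo UNKNOWN ;;
    esac
}

# Real query; only meaningful on macOS.
token_status() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Print the first user in the whitespace-separated list $1 whose status,
# as reported by the function named in $2, is ENABLED; return 1 if none.
# The status function is passed in so the loop can be tested without macOS.
first_token_holder() {
    for user in $1; do
        if [ "$("$2" "$user")" = ENABLED ]; then
            echo "$user"
            return 0
        fi
    done
    return 1
}

# Members of the local admin group (the "GroupMembership:" prefix is cut off).
local_admins() {
    dscl . -read /Groups/admin GroupMembership | cut -d: -f2
}

# Grant a Secure Token to account $1 (password $2), authorised by the
# existing holder $3 (password $4). Arguments are visible in `ps` to other
# local users while sysadminctl runs, so do not leave passwords in scripts.
grant_token() {
    sysadminctl -secureTokenOn "$1" -password "$2" \
                -adminUser "$3" -adminPassword "$4"
}

# Promote a standard account that already holds a token (the case the
# 10.14.2 update talks about) to a local administrator.
promote_to_admin() {
    dseditgroup -o edit -a "$1" -t user admin
}

# Only touch the real system when the tools exist; run as root.
if [ "$(uname 2>/dev/null)" = Darwin ] && command -v sysadminctl >/dev/null 2>&1; then
    admins=$(local_admins)
    if holder=$(first_token_holder "$admins" token_status); then
        echo "Secure Token held by admin account: $holder"
    else
        echo "No admin account holds a Secure Token; enabling FileVault would fail." >&2
    fi
fi
```

A useful cross-check on an APFS boot volume is `diskutil apfs listCryptoUsers /`, which lists the users (by GeneratedUID) that can unlock the volume; an admin that shows as ENABLED above should appear there. Passwords for grant_token are best collected interactively at run time rather than embedded in the script.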

Continue reading “Script to manage Secure Tokens on macOS 10.14.2+”

Mojave 10.14.2 and Secure Tokens, it works!

macOS 10.14.2 brings a welcome change to our Secure Token saga!

Well, kind of. Not everything, but there are some welcome changes!

!!! ALREADY AN UPDATE to what I wrote here - see comments !!!
Update 2: 9/12/18 - promote the non-admin Secure Token holder. See comments !!!

When I wrote my previous post on Secure Tokens, I mainly focused on enabling FileVault with Configuration Profiles on 10.14.1. The main issue was that if no account on the Mac had a Secure Token, the profile would fail to enable FileVault. This is due to the fact that the first account logging into the Mac has to be a LOCAL Administrator for a token to be granted at all.

This, amongst many other FileVault related issues, caused some concerns for many Mac Sys Admins. Additional bugs on 10.14.1 seemed to make the mayhem complete, leaving many of us in a state wondering if something was expected behaviour, or “a feature”… In all fairness, there were moments where I thought I finally understood how Secure Tokens work, and other moments where I just lost all hope…

Hence my intensive search for a recommended workflow that avoids as many of these issues as possible. I ended up testing almost every scenario with different types of accounts, on both 10.14.1 and 10.14.2.

I had to wait until 10.14.2 came out of beta, but now that 10.14.2 is released, let’s see what this early FileVault Santa brings us!

Continue reading “Mojave 10.14.2 and Secure Tokens, it works!”

A secure journey with tokens

About managing FileVault and Secure Tokens on macOS Mojave 10.14.1

Update 06/12/18: After reading this, have a look at my new post regarding Mojave 10.14.2

macOS Mojave and Secure Tokens…? If you have been managing Macs since High Sierra and Mojave came around, you must have heard about “Secure Tokens” before 🙂

Most likely you have already hit your head against the wall multiple times while trying to fix your FileVault workflows. Well, to be honest, join the club, as I still find the whole Secure Token story very confusing. Depending on the deployment and environment, the journey through managing FileVault and Secure Tokens might be straightforward and hassle free, or a nightmare-inducing experience.

I’ve been reading so many articles and tech blogs about the matter, and each time I tell myself “Yes, now I completely know how it works”… followed by some hands-on testing in different scenarios proving me wrong again!

Amongst the articles I’ve been reading, as well as advice I got from certain people, there are sources I would never, not in a hundred years, dare to question. Nevertheless, I’ve seen Secure Tokens behave in very confusing and inconsistent ways. At least that’s how I experienced it, because there might be things I’ve been overlooking, or maybe it’s simply that “Apple just changed things in the last update”…

Continue reading “A secure journey with tokens”

Get that “free lunch” with ‘Let’s Encrypt’

When deploying a server into production, you’ll most likely need to secure it with an SSL/TLS certificate, but even when installing a test server, adding encryption is a good idea.

Depending on the purpose of the server and the environment it will run in, a self-signed certificate may or may not be sufficient. A self-signed certificate still encrypts the connection, but it gives clients no way to verify that they are talking to the right server, so they have to accept it blindly. Even where that is acceptable for the intended use (internal services or resources, for instance), having a properly signed and trusted certificate makes everything a lot easier, even on a test server. At the very least, it avoids training your users to click through certificate warnings and trust self-signed servers in general.

Continue reading “Get that “free lunch” with ‘Let’s Encrypt’”