How FileVault 2 protection is enabled by Centrify

Centrify relies on two features to enable FileVault 2 protection:

  • The “Managed By” user setting, which specifies an Active Directory user who can manage and unlock an encrypted disk.

    You specify the “Managed By” user in Active Directory Users and Computers on the domain controller. The “Managed By” user is associated with the Mac computer object, so each computer can have its own “Managed By” user.

  • The FileVault recovery key, which can be either one “institutional” key that is applied to multiple Mac computers, or computer-specific keys which are generated individually for each Mac computer.

    • If you choose to use one institutional key, you first create a FileVaultMaster certificate, which is applied to Mac computers through the Enable FileVault 2 group policy.

      When you enable the Enable FileVault 2 group policy, the FileVaultMaster certificate is applied to Mac computers automatically at the next scheduled group policy update interval. Alternatively, you can apply the FileVaultMaster certificate immediately by running the adgpupdate command on the Mac computer.

    • If you choose to use computer-specific keys that are unique to each Mac computer, you do not create a FileVaultMaster certificate.

      Instead, the key is generated automatically when the “Managed By” user logs into the Mac computer for the first time and then logs out. The key, which is the “Managed By” user’s personal recovery key, is then stored in that Mac computer’s computer object in Active Directory.

Note: Enabling the Enable FileVault 2 group policy does not, by itself, enable FileVault 2 protection on the Mac computers to which the group policy is applied. FileVault 2 protection is enabled on a Mac computer only when the “Managed By” user logs in, as described in the remainder of this section.

The following list describes the overall process that results in FileVault 2 protection being enabled on a Mac computer.

  1. The “Managed By” user is set in Active Directory Users and Computers (ADUC) for one or more Mac computers.
  2. The Enable FileVault 2 group policy is enabled.
    • If you select the Use Institutional Recovery Key option in the group policy, the FileVaultMaster certificate is applied to Mac computers. In this situation, all of the Mac computers to which the group policy was applied use the same key.

    • If you did not select the Use Institutional Recovery Key option in the group policy, a recovery key is not generated until the “Managed By” user logs into a Mac computer.

  3. A user logs into a Mac computer. If FileVault 2 protection is not already enabled on the computer, the user’s Active Directory credentials are checked to verify that the user is the “Managed By” user. For this step to complete successfully, one of the following conditions must exist:

    • The Mac computer must be able to communicate with the domain controller (that is, it must be in connected mode), or

    • If the Mac computer is disconnected from the domain controller, locally cached AD user credentials must be available in the Centrify cache.

  4. When the user is verified to be the “Managed By” user, one of the following actions takes place:

    • If you selected the Use Institutional Recovery Key option in the Enable FileVault 2 group policy, the FileVaultMaster certificate data is used to enable FileVault 2 protection on the computer.

    • If you did not select the Use Institutional Recovery Key option in the Enable FileVault 2 group policy, a personal recovery key is created for the computer and stored in the computer object in Active Directory. The personal recovery key is used to enable FileVault 2 protection on the computer.
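After the “Managed By” user has logged in and out, an administrator can confirm that the Mac ended up in the state the group policy intended. The following audit helper is an added example, not part of Centrify’s product or documentation; it compares the recovery-key mode selected in the Enable FileVault 2 group policy (institutional or personal) with what macOS’s fdesetup reports, and it assumes the fdesetup subcommands status, hasinstitutionalrecoverykey and haspersonalrecoverykey behave as on macOS (the Centrify side, such as the “Managed By” lookup and adgpupdate, is not inspected).

```shell
#!/bin/sh
# Added audit helper (not Centrify's code): check that a Mac's FileVault 2
# state matches the recovery-key mode chosen in the Enable FileVault 2 policy.
#
# check_fv_state MODE STATUS HAS_IRK HAS_PRK
#   MODE    : "institutional" (Use Institutional Recovery Key selected) or "personal"
#   STATUS  : output of `fdesetup status`, e.g. "FileVault is On."
#   HAS_IRK : output of `fdesetup hasinstitutionalrecoverykey` ("true"/"false")
#   HAS_PRK : output of `fdesetup haspersonalrecoverykey` ("true"/"false")
# Prints OK, NOT_ENABLED, NO_KEY, KEY_MISMATCH or BAD_MODE; exit status 0 only for OK.
check_fv_state() {
    mode=$1; status=$2; has_irk=$3; has_prk=$4
    case "$mode" in
        institutional|personal) ;;
        *) echo BAD_MODE; return 2 ;;
    esac
    # FileVault must actually be on; the policy alone does not turn it on.
    case "$status" in
        *"FileVault is On"*) ;;
        *) echo NOT_ENABLED; return 1 ;;
    esac
    # An encrypted disk with no escrowed recovery key cannot be unlocked by IT.
    if [ "$has_irk" != true ] && [ "$has_prk" != true ]; then
        echo NO_KEY; return 1
    fi
    # Institutional mode expects the FileVaultMaster key; personal mode expects
    # the per-computer key that was stored in the AD computer object.
    if [ "$mode" = institutional ] && [ "$has_irk" = true ]; then
        echo OK; return 0
    fi
    if [ "$mode" = personal ] && [ "$has_prk" = true ]; then
        echo OK; return 0
    fi
    echo KEY_MISMATCH; return 1
}

# Live use on a Mac (run as root), feeding the real fdesetup output:
#   check_fv_state institutional "$(fdesetup status)" \
#       "$(fdesetup hasinstitutionalrecoverykey)" "$(fdesetup haspersonalrecoverykey)"
```

A KEY_MISMATCH result after switching the policy from personal to institutional is expected for computers that were already encrypted, since the recovery key is only set when protection is first enabled.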