Hi,
Is there a way to run a security/authorization plugin for the FileVault login? I can edit the system.login.console and insert my plugin, but this doesn't apply to FileVault login.
Does Apple support this use case?
cheers,
sivan
Is there a way to run a security/authorization plugin for the FileVault login?
No.
I can edit the system.login.console and insert my plugin, but this doesn't apply to FileVault login.
Yep. That’s a known limitation of this technology. The reason is that the FileVault login UI is not run by macOS but instead by a pre-boot environment [1].
Does Apple support this use case?
No.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Historically this was EFI but these days it’s a cut-down version of macOS. And before you get excited about that, be aware that this version, by design, is read-only.
Many enterprises are forcing FileVault on their computers. Why wouldn't Apple enable the authorization plugins to run also under the vault login process?
This also prevents the integration of passwordless login solutions for macOS.
A reasonable workaround to this problem may be using a virtual smart card. But a virtual smart card does not work on macOS, though it can be hacked.
So why wouldn't Apple make it easy to go forward with passwordless login solutions?
cheers, sivan
Why wouldn't Apple enable the authorization plugins to run also under the vault login process?
See tip 3 in Quinn’s Top Ten DevForums Tips.
What I can say here is that:
Authorisation plug-ins were created long before FileVault.
Technically your issue is with FileVault 2. The original FileVault just encrypted the user’s home directory, which meant that it was compatible with authorisation plug-ins.
Authorisation plug-ins don’t get a lot of love in general. They are very much in ‘maintenance mode’.
There’s a fundamental tension between security and flexibility here. You want the pre-boot environment to be read only to protect you from password loggers and so on. However, that read-only-ness makes it impossible to support third-party code.
If you’d like to see support for something like this added in the future, I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.
Oh, and I recommend that you couch this in terms of user-level features rather than specific technologies. As I mentioned above, authorisation plug-ins are unlikely to be the path forward here.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Thanks for your reply!
So what is Apple's path for providing endpoint security by third-party companies?
What is the path to increase security and participate in the login, unlock and sudo operations?
cheers
What is the path … ?
Again, remember tip 3. I can’t talk about The Future™.
what [the current situation] for providing endpoint security by third-party companies?
It kinda depends on what you mean by “endpoint security”. You can make a lot of progress with the Endpoint Security API. However, in this specific case, where you want to run code synchronously with respect to login, and possibly display a custom login UI, the only current option is authorisation plug-ins.
Keep in mind that authorisation plug-ins do run during the macOS boot that happens after FileVault has unlocked the drive. If you want to apply additional policies, you can do it from there.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
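As an added example (not code from this thread, Apple, or any plug-in vendor): a small audit of the system.login.console right discussed above, listing which authorization mechanisms are chained into the console login and flagging any that are not Apple's own. The plist format is what `security authorizationdb read system.login.console` prints; a constructed sample is embedded so it runs offline, and the "ExampleAuth" plug-in and the allow-list of Apple plug-in prefixes are assumptions.

```python
"""Audit the macOS 'system.login.console' authorization right for
third-party mechanisms.  Added example, not code from the thread.
On a real Mac the plist comes from:
    security authorizationdb read system.login.console
Here a constructed sample is embedded so the script runs offline."""
import plistlib
import subprocess

# Constructed sample in the format the tool prints.  Mechanism names use
# the usual "Plugin:Mechanism[,privileged]" form; "ExampleAuth" is a
# hypothetical third-party plug-in, not a real product.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key><array>
    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:login-begin</string>
    <string>ExampleAuth:Check,privileged</string>
    <string>builtin:login-success</string>
    <string>loginwindow:done</string>
  </array>
</dict></plist>"""

# Prefixes assumed to be Apple's own plug-ins (assumption; extend the set
# after comparing against a known-good machine running your macOS build).
APPLE_PLUGINS = {"builtin", "loginwindow"}

def parse_mechanisms(plist_bytes):
    """Return (plugin, mechanism, privileged) tuples in evaluation order."""
    right = plistlib.loads(plist_bytes)
    out = []
    for entry in right.get("mechanisms", []):
        name, _, flag = entry.partition(",")
        plugin, _, mech = name.partition(":")
        out.append((plugin, mech, flag == "privileged"))
    return out

def third_party_mechanisms(plist_bytes, known=APPLE_PLUGINS):
    """Mechanisms whose plug-in is not on the allow list.  As the thread
    notes, these run only in the post-unlock login window; the read-only
    FileVault pre-boot UI never loads them."""
    return [m for m in parse_mechanisms(plist_bytes) if m[0] not in known]

def read_live_right(right="system.login.console"):
    """Fetch the right from the live authorization database (macOS only)."""
    res = subprocess.run(["security", "authorizationdb", "read", right],
                         capture_output=True, check=True)
    return res.stdout

if __name__ == "__main__":
    for plugin, mech, priv in third_party_mechanisms(SAMPLE_PLIST):
        print(f"non-Apple mechanism: {plugin}:{mech} privileged={priv}")
```

Replacing `SAMPLE_PLIST` with `read_live_right()` runs the same check against the live database on a Mac.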