Administrator Guide

Modify Policy to Add FileVault Users
FileVault secures the data on a disk by automatically encrypting it. To allow multiple users to unlock a managed FileVault
boot volume, modify a policy in the Management Console: the policy takes a dictionary of OpenDirectory record names and
values, and users whose records match the dictionary are allowed to add themselves to the FileVault disk.
1. In the Management Console's advanced Mac Global Settings policies, scroll to the FileVault 2 PBA User List policy.
2. In the FileVault 2 PBA User List policy field, enter a rule that matches the users you plan to specify. For example,
<string>*</string> as the value for any key matches all users that the bound OpenDirectory server has.
Tags are case sensitive, and the entire value must be a properly formed property list made up of dictionary and array
elements. Dictionary keys are ANDed together: a user must satisfy every key. Array values are ORed together, so matching
any one element in an array satisfies the entire array.
NOTE:
If a rule is improperly formed, an error displays in the Dell Encryption Enterprise > Preferences tab.
The following <dict> lists examples for two keys:
<dict>
    <key>dsAttrTypeStandard:AuthenticationAuthority</key>
    <array>
        <string>;Kerberosv5;;user1@LKDC:*</string>
        <string>;Kerberosv5;;user2@LKDC:*</string>
        <string>;Kerberosv5;;user3@LKDC:*</string>
        <string>;Kerberosv5;;z*@LKDC:*</string>
    </array>
    <key>dsAttrTypeStandard:NFSHomeDirectory</key>
    <string>/Users/*</string>
</dict>
The sample AuthenticationAuthority key entries match user1, user2, and user3, or any user ID that begins with z. To view
the dialog that shows the correct syntax for each user, press the Control-Option-Command keys on the client. Copy the
syntax for the user, and paste it into the Management Console.
NOTE:
For this example, trailing asterisks stand in for the latter part of the authentication authority records. Typically, to
avoid under-specifying, include the complete record instead of a trailing asterisk, because the asterisk matches any
information after the colon in the OpenDirectory record.
The NFSHomeDirectory key requires that any user passing the first key must also have a home directory in /Users/.
NOTE:
You must create the home folder if one does not exist for a user.
3. Reboot the computers.
4. Notify users to enable FileVault booting for their user account. The user must have a local or mobile account. Network
accounts are automatically converted to mobile accounts.
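The matching semantics described in step 2 (dictionary keys ANDed, array values ORed, an asterisk matching any run of characters) can be checked offline before the policy is pushed to clients. The following script is an added example and is not Dell's code or a documented Dell grammar: it parses the guide's example dictionary with Python's plistlib, evaluates it against constructed sample OpenDirectory records (attribute names and values are made up, not real hashes), and reports which users would be offered for FileVault booting. The helper names (glob_to_regex, value_matches, user_matches_rule, matching_users) and the single-wildcard interpretation of "*" are assumptions made for this example.

```python
"""Evaluate a FileVault 2 PBA User List-style rule against OpenDirectory records.

Added example, not Dell code. Assumed semantics, taken from the guide's text:
dictionary keys are ANDed, array values are ORed, and '*' matches any run of
characters (including none). Sample records below are constructed data.
"""
import plistlib
import re
import textwrap

# The guide's example dictionary, wrapped in the <plist> root that plistlib
# needs in order to parse it.
RULE_PLIST = textwrap.dedent("""\
    <?xml version="1.0" encoding="UTF-8"?>
    <plist version="1.0">
    <dict>
        <key>dsAttrTypeStandard:AuthenticationAuthority</key>
        <array>
            <string>;Kerberosv5;;user1@LKDC:*</string>
            <string>;Kerberosv5;;user2@LKDC:*</string>
            <string>;Kerberosv5;;user3@LKDC:*</string>
            <string>;Kerberosv5;;z*@LKDC:*</string>
        </array>
        <key>dsAttrTypeStandard:NFSHomeDirectory</key>
        <string>/Users/*</string>
    </dict>
    </plist>
    """).encode()

# The "match everyone" rule from step 2: a bare '*' for a key every user has.
MATCH_ALL_PLIST = textwrap.dedent("""\
    <?xml version="1.0" encoding="UTF-8"?>
    <plist version="1.0">
    <dict>
        <key>dsAttrTypeStandard:NFSHomeDirectory</key>
        <string>*</string>
    </dict>
    </plist>
    """).encode()

# Constructed sample records: attribute name -> list of values, mimicking the
# multi-valued attributes OpenDirectory returns. Hash-like parts are made up.
SAMPLE_USERS = {
    "user1": {  # listed user with a home in /Users -> should match
        "dsAttrTypeStandard:AuthenticationAuthority": [
            ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>",
            ";Kerberosv5;;user1@LKDC:SHA1.0000;LKDC:SHA1.0000",
        ],
        "dsAttrTypeStandard:NFSHomeDirectory": ["/Users/user1"],
    },
    "user2": {  # listed user, but home directory fails the ANDed second key
        "dsAttrTypeStandard:AuthenticationAuthority": [
            ";Kerberosv5;;user2@LKDC:SHA1.2222;LKDC:SHA1.2222",
        ],
        "dsAttrTypeStandard:NFSHomeDirectory": ["/var/empty"],
    },
    "zoe": {  # not listed by name, but matches the z* wildcard entry
        "dsAttrTypeStandard:AuthenticationAuthority": [
            ";Kerberosv5;;zoe@LKDC:SHA1.1111;LKDC:SHA1.1111",
        ],
        "dsAttrTypeStandard:NFSHomeDirectory": ["/Users/zoe"],
    },
    "user4": {  # no array element matches this authentication authority
        "dsAttrTypeStandard:AuthenticationAuthority": [
            ";Kerberosv5;;user4@LKDC:SHA1.4444;LKDC:SHA1.4444",
        ],
        "dsAttrTypeStandard:NFSHomeDirectory": ["/Users/user4"],
    },
}


def glob_to_regex(pattern: str) -> re.Pattern:
    """Treat only '*' as a wildcard; every other character is literal."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")), re.DOTALL)


def value_matches(rule_value, record_values) -> bool:
    """OR: any pattern (a string or any array element) matching any record value."""
    patterns = rule_value if isinstance(rule_value, list) else [rule_value]
    return any(glob_to_regex(p).fullmatch(v) for p in patterns for v in record_values)


def user_matches_rule(rule: dict, record: dict) -> bool:
    """AND: every key in the rule must be satisfied; a missing attribute cannot match."""
    return all(value_matches(rule_value, record.get(key, [])) for key, rule_value in rule.items())


def matching_users(rule_plist: bytes, users: dict) -> list:
    """Return the sorted names of users the rule would offer for FileVault booting."""
    rule = plistlib.loads(rule_plist)
    return sorted(name for name, record in users.items() if user_matches_rule(rule, record))


if __name__ == "__main__":
    print("Guide's example rule matches:", matching_users(RULE_PLIST, SAMPLE_USERS))
    print("Match-all rule matches:", matching_users(MATCH_ALL_PLIST, SAMPLE_USERS))
```

The value_matches helper also makes the NOTE about trailing asterisks concrete: the pattern ;Kerberosv5;;user1@LKDC:* accepts any text after the colon, whereas pasting the complete record copied from the client dialog accepts only that exact record.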
For a user to enable their FileVault account:
1. Launch System Preferences, and click Dell Encryption Enterprise.
2. Click the System Volumes tab.
3. Control-click the System Volume drive, and select Add FileVault users to FileVault Booting.
4. In Search, enter a user's name or scroll down. User accounts display only if they meet the criteria set by policy.
For local and mobile users, an Enable User button displays.
For network users, a Convert & enable user button displays.
NOTE:
A green indicator displays next to user accounts that can boot FileVault.
5. Click Enable User or Convert & enable user.
6. Enter the password for the selected account and click OK. A progress indicator displays.
7. After a success dialog, click Done.
Tasks for the Encryption Client