This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Disk Encryption for Macs - Directly to server not in AD Does this matter.

Hi.

So our Mac Users we are basically not usng AD for them.  So they appear in the Safeguard Tree directly under the safeguard server and not in the AD Section.  They are just authenticating to the Macs using a password that we've set for them that matched their LDAP Password. They appear in safeguard and we have an admin account that we enable on each of them and also add to encryption so there is always at least a second user on each Mac that we can use to get in, in case they delete or corrupt their profile.

Does this Matter? Are there are any big reasons why we shouldn't do this? 

Cheers



This thread was automatically locked due to age.
Parents
  • Just to confirm, we do backup our Safeguard VM so can restore this easily to the previous evenings version if there are any issues. So we can restore the Server and not loose all the keys.

  • This is fine Steph.

     

    I would personally create a group for the Macs - either in AD or locally on the SSG server. This way it'll be neater and aid management, but it'll work as you've done it.

     

    Personally I have bound our Macs to AD but NOT as a user - just as a computer object. This means they still log onto their Mac with their own personalised username/password and NOT their AD creds. There's no real impact to the user but does make it look neater for management.

    Don't forget that if you added the secondary admin account BEFORE you encrypted the machine, that Admin account may not be able to "unlock" the machine. See Security & Privacy for "Some users are not able to unlock the disk" and then add the users with enable users. Worth double checking so you don't get locked out of your Macs without the ability to decrypt/unlock the drives

Reply
  • This is fine Steph.

     

    I would personally create a group for the Macs - either in AD or locally on the SSG server. This way it'll be neater and aid management, but it'll work as you've done it.

     

    Personally I have bound our Macs to AD but NOT as a user - just as a computer object. This means they still log onto their Mac with their own personalised username/password and NOT their AD creds. There's no real impact to the user but does make it look neater for management.

    Don't forget that if you added the secondary admin account BEFORE you encrypted the machine, that Admin account may not be able to "unlock" the machine. See Security & Privacy for "Some users are not able to unlock the disk" and then add the users with enable users. Worth double checking so you don't get locked out of your Macs without the ability to decrypt/unlock the drives

Children
No Data