7.9 FileVault and Local Account Password Reset using AppleID

Information

For several years Apple has offered two services: one that lets a user reset a local account password on a computer using their Apple ID, and one that stores the FileVault Master Password with Apple, with access controlled by the Apple ID. Starting in 10.12 these distinct services are more cleanly integrated.

This integrated service for password reset and disk decryption is a concern in Enterprise environments. Normal Enterprise management controls mitigate the risk of external control of organizational systems: the user of the system already has the ability to unlock the disk in order to log in and use it, and some form of password recovery function is likely already in place for any approved accounts. In addition:

- You cannot reset anything but a local account.

- You need physical access to the computer, on a network that can phone home to Apple.

- Enterprise FileVault management precludes the use of Apple's personal encryption recovery tied to a user's Apple ID.

- The current login keychain will have to be discarded unless the user remembers the old password.

This service allows organizational computer users to use Apple IDs for encryption key escrow and user account management. The use of Apple's services rather than Enterprise services may be considered inappropriate.

https://support.apple.com/en-us/HT204837

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

See Also

https://workbench.cisecurity.org/files/3013

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|16

Plugin: Unix

Control ID: a7fed045c6e8c36930d2f073a75286212026018106e09a3b6fffbc297c4bc29f