This repository was archived by the owner on Sep 16, 2021. It is now read-only.

Cauliflowervest using deprecated mechanism on Macs - loginhook? #13

@jelockwood

I have just had a quick read of the Wiki and as far as I can see the Mac client for CauliflowerVest to enforce FileVault encryption and to escrow the recovery key to the CauliflowerVest server still uses a loginhook as the means for executing upon a user login.

For several years now Apple have been actively discouraging the use of loginhooks (and logouthooks). It is the case that the main alternative, a loginagent that is run via launchd, is not able to run with the needed root privilege level to execute fdesetup. However, in more recent times Apple has provided a new mechanism that could be used instead, which is a native authorization plugin. See https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html

It is my understanding that Crypt, an alternative FileVault 2 escrow solution, does now use such a native authorization plugin to manage FileVault encryption and escrow.

I would therefore suggest that CauliflowerVest be updated to include such an approach for the client instead.
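The two mechanisms contrasted in this issue leave different traces on a Mac: a loginhook is a `LoginHook` (or `LogoutHook`) key in root's `com.apple.loginwindow` preferences, while an authorization plugin is an entry in the `mechanisms` array of the `system.login.console` right, where the `,privileged` suffix is what makes a mechanism run as root (and therefore able to call `fdesetup`). The following audit script is an added example and is not code from CauliflowerVest, Crypt or the issue author. It parses two constructed plist samples shaped like the output of `defaults export` and `security authorizationdb read system.login.console`; the hook path and the `ExampleEscrow` plugin name are hypothetical, and the Apple mechanism list is abridged.

```python
import plistlib
from typing import Dict, List, Tuple

# Constructed sample shaped like root's com.apple.loginwindow preferences on a
# machine that still uses the deprecated loginhook. The script path is hypothetical.
SAMPLE_LOGINWINDOW_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LoginHook</key>
    <string>/usr/local/bin/example_escrow_loginhook.sh</string>
</dict>
</plist>
"""

# Constructed, abridged sample shaped like `security authorizationdb read system.login.console`
# with one hypothetical third-party mechanism ("ExampleEscrow:Check,privileged") inserted.
SAMPLE_LOGIN_RIGHT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:login-begin</string>
        <string>loginwindow:FDESupport,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>ExampleEscrow:Check,privileged</string>
        <string>builtin:login-success</string>
        <string>loginwindow:success</string>
        <string>loginwindow:done</string>
    </array>
    <key>shared</key>
    <true/>
</dict>
</plist>
"""

# Plugin bundle names Apple ships in the login right; anything else is third-party.
APPLE_PLUGINS = {"builtin", "loginwindow", "MCXMechanism", "HomeDirMechanism",
                 "PKINITMechanism", "CryptoTokenKit"}


def parse_mechanism(entry: str) -> Tuple[str, str, bool]:
    """Split 'Plugin:mechanism[,privileged]' into (plugin, mechanism, privileged)."""
    name, _, flag = entry.partition(",")
    plugin, _, mechanism = name.partition(":")
    return plugin, mechanism, flag == "privileged"


def find_login_hooks(loginwindow_plist: bytes) -> Dict[str, str]:
    """Return any deprecated LoginHook/LogoutHook scripts configured in the plist."""
    prefs = plistlib.loads(loginwindow_plist)
    return {key: prefs[key] for key in ("LoginHook", "LogoutHook") if key in prefs}


def third_party_mechanisms(login_right_plist: bytes) -> List[Tuple[str, str, bool]]:
    """Return (plugin, mechanism, privileged) for every non-Apple mechanism in the right."""
    right = plistlib.loads(login_right_plist)
    if right.get("class") != "evaluate-mechanisms":
        return []  # a right that is not mechanism-based cannot host a plugin
    found = []
    for entry in right.get("mechanisms", []):
        plugin, mechanism, privileged = parse_mechanism(entry)
        if plugin not in APPLE_PLUGINS:
            found.append((plugin, mechanism, privileged))
    return found


def audit(loginwindow_plist: bytes, login_right_plist: bytes) -> List[str]:
    """Summarise which login-time execution mechanisms are present and with what privilege."""
    findings = []
    for key, path in find_login_hooks(loginwindow_plist).items():
        findings.append(f"deprecated {key} configured: {path}")
    for plugin, mechanism, privileged in third_party_mechanisms(login_right_plist):
        # Only a ',privileged' mechanism runs as root, which is what fdesetup requires;
        # an unprivileged mechanism runs as the authorizationhost user and cannot enable FileVault.
        where = "privileged (root) authorizationhost" if privileged else "unprivileged authorizationhost"
        findings.append(f"authorization plugin {plugin}:{mechanism} runs in {where}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LOGINWINDOW_PLIST, SAMPLE_LOGIN_RIGHT_PLIST):
        print(line)
```

On a real Mac the two inputs come from `sudo defaults export /var/root/Library/Preferences/com.apple.loginwindow -` and `security authorizationdb read system.login.console`; the parsing is the same, and a client migrated from a loginhook to a plugin should show no hook and exactly one privileged third-party mechanism.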
