This repository has been archived by the owner on Sep 16, 2021. It is now read-only.

Cauliflowervest using deprecated mechanism on Macs - loginhook? #13

Open
jelockwood opened this issue Oct 27, 2017 · 0 comments


I have just had a quick read of the Wiki and as far as I can see the Mac client for CauliflowerVest to enforce FileVault encryption and to escrow the recovery key to the CauliflowerVest server still uses a loginhook as the means for executing upon a user login.

For several years now Apple have been actively discouraging the use of loginhooks (and logouthooks). It is the case that the main alternative, a loginagent that is run via launchd, is not able to run with the needed root privilege level to execute fdesetup. However, in more recent times Apple has provided a new mechanism that could be used instead, which is a native authorization plugin. See https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html

It is my understanding that Crypt, an alternative FileVault2 escrow solution, does now use such a native authorization plugin to manage FileVault encryption and escrow.

I would therefore suggest that CauliflowerVest be updated to include such an approach for the client instead.
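An audit helper, added here as an example and not part of CauliflowerVest or Crypt, that tells the two login mechanisms contrasted above apart on a given Mac: it reads the deprecated LoginHook key from the loginwindow preferences and lists any third-party authorization plugin mechanisms in the system.login.console rule. The two command names are real macOS tools; the sample outputs, the ExamplePlugin name and the allow-list of Apple-shipped plugin names are assumptions.

```shell
#!/bin/sh
# Added audit helper, not CauliflowerVest code. Inputs are the outputs of two macOS commands:
#   defaults read /Library/Preferences/com.apple.loginwindow   (deprecated LoginHook key)
#   security authorizationdb read system.login.console         (authorization plugin mechanisms)
# Samples below are constructed; "ExamplePlugin" is hypothetical; the Apple plugin allow-list is an assumption.

# Print the LoginHook path if one is configured (the deprecated mechanism).
login_hook_path() {
    printf '%s\n' "$1" | sed -n 's/.*LoginHook = "\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p'
}

# Print mechanisms whose plugin name is not one Apple ships, i.e. third-party authorization plugins.
third_party_mechanisms() {
    printf '%s\n' "$1" | awk '
        /<key>mechanisms<\/key>/ { inm = 1; next }
        inm && /<\/array>/       { exit }
        inm && match($0, /<string>[^<]*<\/string>/) {
            mech = substr($0, RSTART + 8, RLENGTH - 17)   # strip <string> and </string>
            split(mech, parts, ":")                        # plugin name precedes the colon
            if (parts[1] !~ /^(builtin|loginwindow|PKINITMechanism|HomeDirMechanism|MCXMechanism|CryptoTokenKit)$/) print mech
        }'
}

# Summarise the machine: DEPRECATED_LOGINHOOK, AUTH_PLUGIN, BOTH or NONE.
login_mechanism_summary() {
    hook=$(login_hook_path "$1"); plugins=$(third_party_mechanisms "$2")
    if [ -n "$hook" ] && [ -n "$plugins" ]; then echo BOTH
    elif [ -n "$hook" ]; then echo DEPRECATED_LOGINHOOK
    elif [ -n "$plugins" ]; then echo AUTH_PLUGIN
    else echo NONE; fi
}

# Constructed samples, not captured from a real Mac.
SAMPLE_LOGINWINDOW='{ LoginHook = "/usr/local/bin/loginhook.sh"; showInputMenu = 1; }'
SAMPLE_AUTHDB='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>class</key><string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:authenticate,privileged</string>
        <string>ExamplePlugin:escrow,privileged</string>
        <string>loginwindow:done</string>
    </array>
</dict></plist>'
login_mechanism_summary "$SAMPLE_LOGINWINDOW" "$SAMPLE_AUTHDB"
```

On a real machine, feed the captured command outputs to the two functions instead of the samples; a result of DEPRECATED_LOGINHOOK is the configuration this issue argues should be retired.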
