0
I enabled FileVault and Find My Mac, and the Guest Account is now disabled (I only see the Safari-only guest mode).
Is there a way to re-enable the normal guest account again?
I am on a MacBook Pro, 10.11.1.
0
You might consider creating your own "Guest" account that is a standard account with Parental Controls turned on. This may give you the options you are looking for.
Could you [edit] your answer to expand on how the OP would do this? – Burgi – 2016-05-01T14:39:21.423
0
There is no way to do this. I have searched high and low for this solution and I've come to the conclusion that it isn't possible due to the way Apple designed it.
Instead of securing the recovery key in a hardware TPM chip as Microsoft's BitLocker does, FileVault stores it in a keychain file on the unencrypted recovery volume. Any FileVault-enabled user account can unlock this keychain and read it. Therefore, it is required that every account have a password in order to protect the recovery key. Apple then uses a "pass the hash" mechanism to log you into the OS (so you don't have to type your password in twice).
Ironically, even though Apple does not use hardware to secure FileVault, OS X WILL save the recovery key in PRAM if the machine goes into hibernation mode. They don't advertise this as a feature, but page 36 of this Apple training guide has instructions for turning it off. Remember that hibernate differs from sleep in that the contents of RAM are saved to the hard disk and the computer is powered off rather than simply going to low power mode. Since the hibernation file is on the encrypted volume, the firmware needs to be able to unlock that volume in order to read it.
The solution you could use (although it isn't very practical) is to just always hibernate your Mac instead of shutting down. You can configure this behavior by opening up a Terminal and typing the following command:
sudo pmset -a hibernatemode 25
To use it just log off (instead of shutting down) and then close the lid. The system will power off instead of sleeping, and it will not require a FileVault logon the next time you power it up. The drawback is that if a guest logs on and then reboots or shuts down, they'll need a password to use the computer again.
I have been trying to find a way to permanently store the recovery key in PRAM so it gets used all the time, but so far I haven't had any luck. If anybody knows a way to do that I'm all ears. The firmware on a Mac isn't as secure as the TPM on a PC, but it would accomplish the goal of making it work more like BitLocker (wherein BitLocker can be configured without a PIN so that the system is totally transparent so long as the hard drive is not removed and the boot order is not tampered with).
FileVault + Guest account doesn't really make any sense. The entire point of FileVault is that you can't get in without a valid password, and the guest account doesn't have a password... and hence can't get in. – Gordon Davisson – 2015-10-24T22:25:40.893
I had to disable FileVault, but I think this is really silly; we should be able to use them together. – Utku Dalmaz – 2015-10-24T23:09:59.263
@GordonDavisson; this is not entirely true. BitLocker can be configured exactly this way. As long as the drive is not removed and the boot order isn't changed, BitLocker will let you in with no password at all. The only goal of full-disk encryption is to secure your data against an offline attack. Nothing more. While an encrypted volume is booted, FDE is no longer protecting you. It's relying on the OS's underlying security mechanisms to secure access to the data, which are the same whether the volume is encrypted or not. Unfortunately, FileVault just doesn't have that feature. – Wes Sayeed – 2015-10-26T19:05:24.000
@RULE101, once you enable FileVault from an account, it hides the other user accounts (even administrator) from the computer at initial login. You can access them after you log in using the account used to enable FileVault and then log out of that account. – pun – 2015-10-26T19:07:55.263
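A check for the hibernation setup described in the long answer above, as an added example that is not part of the original thread: it reads `pmset -g` style output and reports whether hibernate-only mode (`hibernatemode 25`) is in use with the FileVault key retained across standby. `destroyfvkeyonstandby` is a setting documented in the pmset man page but not mentioned in the thread; the function names and the sample settings text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pmset settings text for hibernate-only mode and
# whether the FileVault key is kept when the machine goes to standby.

# Print the value of one pmset setting from text on stdin (empty if absent).
pmset_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Classify settings text read from stdin. Prints one of:
#   key-retained   hibernatemode 25, key kept across standby (pmset default)
#   key-destroyed  hibernatemode 25, destroyfvkeyonstandby set to 1
#   other-mode:N   some other hibernatemode value N
#   unknown        no hibernatemode line found
audit_pmset() {
    settings=$(cat)
    mode=$(printf '%s\n' "$settings" | pmset_value hibernatemode)
    destroy=$(printf '%s\n' "$settings" | pmset_value destroyfvkeyonstandby)
    case "$mode" in
        '') echo "unknown" ;;
        25) if [ "$destroy" = "1" ]; then
                echo "key-destroyed"
            else
                echo "key-retained"
            fi ;;
        *)  echo "other-mode:$mode" ;;
    esac
}

# Constructed samples in the layout `pmset -g` prints (not captured output).
SAMPLE_RETAINED='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        25
 hibernatefile        /var/vm/sleepimage'

SAMPLE_DESTROYED='Currently in use:
 hibernatemode        25
 destroyfvkeyonstandby 1'

printf '%s\n' "$SAMPLE_RETAINED" | audit_pmset
printf '%s\n' "$SAMPLE_DESTROYED" | audit_pmset

# On a Mac, audit the live settings instead of the samples.
if command -v pmset >/dev/null 2>&1; then
    pmset -g | audit_pmset
fi
```

A `key-retained` result means the machine can resume from hibernation without a FileVault prompt, which is the convenience the answer relies on and also the state an auditor of FileVault-protected laptops would want flagged.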