The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.
An XCCDF Rule
Description
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
- ID
- SV-252454r853262_rule
- Version
- APPL-12-000032
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Note: In previous versions of macOS, this setting was implemented differently. Systems that used the previous method should prepare the system for the new method by creating a new unlock user, verifying its ability to unlock FileVault after reboot, then deleting the old FileVault unlock user.
Disable the login ability of the newly created user account:
$ sudo /usr/bin/dscl . change /Users/<FileVault_User> UserShell </path/to/current/shell> /usr/bin/false
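The following audit script is an added example and is not part of the STIG text or its check content. It verifies the two properties the procedure above establishes for the dedicated unlock account: the account appears in `fdesetup list` (so it holds a FileVault unlock key) and its `UserShell` is `/usr/bin/false` (so it cannot be used for an interactive login that would sidestep the Multifactor Authentication rules). The account name `fvunlock` and the `fdesetup`/`dscl` output lines are constructed for demonstration; the pure check works on captured text so it runs on any POSIX shell, while `audit_live` gathers the same data with the real macOS tools.

```shell
#!/bin/sh
# Added audit helper (not from the STIG): confirms that a dedicated FileVault
# unlock user is FileVault-enabled and has login disabled.
# Inputs are the text of `fdesetup list` (lines of "user,UUID") and of
# `dscl . -read /Users/<user> UserShell` (a line "UserShell: <path>").

# Pure check on already-captured output. Prints PASS/FAIL with a reason;
# returns 0 only on PASS.
audit_fv_unlock_user() {
  fde_list="$1"     # captured `fdesetup list` output
  shell_line="$2"   # captured dscl UserShell record
  user="$3"         # the dedicated unlock account name

  # 1. The account must be a FileVault-enabled user (present in fdesetup list).
  if ! printf '%s\n' "$fde_list" | grep -q "^${user},"; then
    echo "FAIL: ${user} is not a FileVault-enabled user"
    return 1
  fi

  # 2. Its login shell must be /usr/bin/false so it can only unlock the disk.
  shell_path=$(printf '%s\n' "$shell_line" | sed -n 's/^UserShell: *//p')
  if [ "$shell_path" != "/usr/bin/false" ]; then
    echo "FAIL: ${user} has login shell '${shell_path}' (expected /usr/bin/false)"
    return 1
  fi

  echo "PASS: ${user} can unlock FileVault but cannot log in"
  return 0
}

# Live wrapper for macOS: collects the two outputs with the real tools.
audit_live() {
  user="$1"
  audit_fv_unlock_user "$(sudo /usr/bin/fdesetup list)" \
                       "$(/usr/bin/dscl . -read "/Users/${user}" UserShell)" \
                       "$user"
}

# Constructed sample output for an offline demonstration (not real systems).
SAMPLE_FDE_LIST='fvunlock,0A1B2C3D-0000-1111-2222-333344445555
alice,5F6E7D8C-9999-8888-7777-666655554444'
SAMPLE_SHELL_OK='UserShell: /usr/bin/false'
SAMPLE_SHELL_BAD='UserShell: /bin/zsh'

# Usage: sh audit_fv.sh --live fvunlock   (on macOS, as an admin)
#        sh audit_fv.sh                   (offline demo on the sample data)
if [ "${1:-}" = "--live" ]; then
  audit_live "${2:-fvunlock}"
else
  audit_fv_unlock_user "$SAMPLE_FDE_LIST" "$SAMPLE_SHELL_OK" fvunlock
  audit_fv_unlock_user "$SAMPLE_FDE_LIST" "$SAMPLE_SHELL_BAD" fvunlock || true
fi
```

Run with `--live <user>` after completing the procedure; a PASS means the unlock account is usable at the pre-boot FileVault prompt but rejected at the login window. The offline branch shows both outcomes on the constructed sample, including the case where the shell was never changed.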