Rule - os_filevault_user_account - Change needed for Apple silicon #285

Closed
opened 2026-01-19 18:29:56 +00:00 by michael · 1 comment

Originally created by @erefneb on GitHub.

Summary

Rule - os_filevault_user_account.yaml - Create a new user account that will be used to unlock the disk on startup.
Apple Silicon systems do not like: `sudo dscl . append /Users/<FileVault_User> AuthenticationAuthority DisabledUser`
Once you use DisableUser on M1 that user can no longer unlock FV.

Change the user shell to “/usr/bin/false”
This will work for Intel and Apple silicon.

Steps to reproduce

(How one can reproduce the issue - this is very important)

Operating System version

macOS 11.4 (20F71)

What is the current bug behavior?

Once you use DisableUser on M1 that user can no longer unlock FV.

What is the expected correct behavior?

User should be disabled for login, but should still be able to unlock FileVault.

Possible fixes

Change the user shell to “/usr/bin/false”
This will work for Intel and Apple silicon.

Updated check: `# sudo dscl . -read /Users/<FileVault_User> UserShell | grep "/usr/bin/false"`

Updated Fix: `# sudo dscl . -create /Users/<FileVault_User> UserShell "/usr/bin/false"`

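An added example, not code from this issue or the macos_security project: a small POSIX sh audit that applies the proposed UserShell check to `dscl . -read` output and also flags the legacy DisabledUser marker that breaks FileVault unlock on Apple silicon. The account name `fvunlock` and the sample records are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the macos_security project or this issue.
# Applies the proposed UserShell check to "dscl . -read" output and also
# flags the older DisabledUser approach, which breaks FileVault unlock on
# Apple silicon. Account name "fvunlock" is an assumed placeholder.

FV_USER="${FV_USER:-fvunlock}"

# $1: the UserShell record as dscl prints it, e.g. "UserShell: /usr/bin/false".
# Anchored match so a shell such as /usr/bin/false2 would not pass.
shell_is_false() {
    printf '%s\n' "$1" | grep -q '^UserShell: */usr/bin/false$'
}

# $1: the AuthenticationAuthority record; DisabledUser is the marker the
# original rule appended and that must be absent for the unlock user.
has_disabled_user_marker() {
    printf '%s\n' "$1" | grep -q 'DisabledUser'
}

# $1: UserShell record, $2: AuthenticationAuthority record.
# Returns 0 (compliant) only when the shell is /usr/bin/false and the
# DisabledUser marker is absent.
audit_fv_user() {
    if has_disabled_user_marker "$2"; then
        echo "FAIL: $FV_USER carries DisabledUser; it cannot unlock FileVault on Apple silicon"
        return 1
    fi
    if ! shell_is_false "$1"; then
        echo "FAIL: $FV_USER login shell is not /usr/bin/false"
        return 1
    fi
    echo "PASS: $FV_USER is login-disabled via /usr/bin/false"
    return 0
}

# Live audit on macOS: gather both records with dscl, as the rule does.
audit_live() {
    us=$(sudo dscl . -read "/Users/$FV_USER" UserShell)
    aa=$(sudo dscl . -read "/Users/$FV_USER" AuthenticationAuthority)
    audit_fv_user "$us" "$aa"
}

# Constructed sample records for offline use.
SAMPLE_SHELL_OK='UserShell: /usr/bin/false'
SAMPLE_SHELL_BAD='UserShell: /bin/zsh'
SAMPLE_AA_CLEAN='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken'
SAMPLE_AA_DISABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken ;DisabledUser;'
```

Run `audit_live` on a Mac to audit the real account; the sample records let the logic be exercised elsewhere.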

@golbiga commented on GitHub:

This rule was removed from and replaced with os_filevault_authorized_users in main.


Reference: usnistgov/macos_security#285