InformationApple has provided services for several years that allowed a user to reset a local account password on a computer using their Apple ID and a service to store the FileVault Master Password with Apple that would be controlled by access to an Apple ID. These distinct services have been more cleanly integrated starting in 10.12.
This integrated service for password and decryption is a concern in enterprise environments. Normal enterprise management controls mitigate the risk of external control of organizational systems. The user of the system already has the ability to unlock the disk in order to log in and use it and some form of password recovery function is likely already in place for any approved accounts. In addition:
You cannot reset anything but a local account
You need physical access to the computer on a network that can phone home to Apple
Enterprise FileVault management precludes the use of Apple's personal encryption recovery tied to a User's Apple ID
The current login keychain will have to be discarded unless the user remembers the old password
This service allows for organizational computer users to utilize AppleIDs for encryption key escrow and user account management. The use of Apple's services rather than enterprise services may be considered inappropriate.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.