APPL-11-000032 - The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup - UserShell


When 'FileVault' and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.


Note: In previous versions of macOS, this setting was implemented differently. Systems that used the previous method should prepare the system for the new method by creating a new unlock user, verifying its ability to unlock FileVault after reboot, then deleting the old FileVault unlock user.

Disable the login ability of the newly created user account:
$ sudo /usr/bin/dscl . change /Users/<FileVault_User> UserShell </path/to/current/shell> /usr/bin/false

Remove all FileVault login access from each user account defined on the system that is not a designated FileVault user:
$ sudo fdesetup remove -user <username>

See Also

Item Details


References: 800-53|AC-2(11), CAT|II, CCI|CCI-002143, Rule-ID|SV-230762r802378_rule, STIG-ID|APPL-11-000032, Vuln-ID|V-230762

Plugin: Unix

Control ID: a1576a92f97e6938c0512f14ff44d52530c5b661a2d550b11e5db96f45f62ce6