The virtues of enabling FileVault 2 to encrypt the contents of your Apple computer’s storage are known to all security professionals. Serving as a means of protecting data from unauthorized access, tampering, or exfiltration, encryption often remains the “last man standing” after a data breach has occurred: it can prevent threat actors from using the information they stole, because its contents are scrambled with strong algorithms that are not practical to break.
But encryption is not a set-it-and-forget-it technology; it requires ongoing maintenance to ensure it is doing its job properly. This means that first and foremost, the process is keeping data safe. Second, the data is available to the users authorized to work with it. Third, and just as important as one and two, unauthorized users are not allowed to access the protected data. This applies not just to threat actors, but also to former users who are no longer allowed to work with the data; failing to manage this aspect of the encryption renders the whole point moot.
Unlike encryption schemes built on a Public-Key Infrastructure (PKI), for example, which can centralize the management of users’ access to encrypted drives, FileVault 2 implements encryption on a more one-to-one basis, allowing end users to control access. This is great for environments where a single user will be assigned a device to use. However, in a shared environment and/or one with a large number of mobile devices, the administrative overhead of managing this can quickly grow out of hand.
Luckily, by leveraging the powers of Terminal, IT professionals can make short work of managing FileVault 2 permissions either on the fly or using bash scripts. This includes removing unauthorized users and stale accounts from devices, or enabling new accounts to unlock FileVault 2 at logon.
How to add user accounts to a FileVault 2-enabled accounts list
sudo fdesetup add -usertoadd username
How to remove user accounts from a FileVault 2-enabled accounts list
sudo fdesetup remove -user username
How to remove user accounts by UUID from a FileVault 2-enabled accounts list
sudo fdesetup remove -uuid UUID_that_matches_user_account
Note: Regardless of whether accounts are being added or removed, the command must be run with root permissions. A side note about adding accounts: the password of the account being added must be entered when prompted, or the command will not complete.
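For the shared-device case, the same commands can be wrapped in a bash script that audits who is currently able to unlock the disk. The script below is an added example, not code from the article: it compares the output of `sudo fdesetup list` (one `username,UUID` line per FileVault-enabled account) against an approved list and removes anything stale by UUID, which stays unambiguous even if a username has since been reused. The sample `fdesetup list` output and the approved names are constructed; the script only calls `fdesetup` when explicitly told to apply changes.

```shell
#!/bin/bash
# Audit FileVault 2 enabled accounts against an approved list and remove
# (or just report) the ones that should no longer unlock the disk.

# Constructed sample of `sudo fdesetup list` output: one "username,UUID"
# line per FileVault-enabled account. Replace with the live output on a Mac.
SAMPLE_FV_LIST='admin,0E4C9A1B-1111-2222-3333-444455556666
jdoe,7A8B9C0D-AAAA-BBBB-CCCC-DDDDEEEEFFFF
olduser,12345678-9ABC-DEF0-1234-56789ABCDEF0'

# Accounts still allowed to unlock FileVault (assumption: maintained by IT).
APPROVED="admin jdoe"

# Print "username,UUID" for every enabled account ($1) missing from the
# whitespace-separated approved list ($2).
stale_fv_users() {
    local fv_list=$1 approved=$2 user uuid
    printf '%s\n' "$fv_list" | while IFS=, read -r user uuid; do
        [ -z "$user" ] && continue
        case " $approved " in
            *" $user "*) ;;                          # approved: keep
            *) printf '%s,%s\n' "$user" "$uuid" ;;   # stale: report
        esac
    done
}

# Remove stale accounts by UUID. Only runs fdesetup when $3 is "apply";
# otherwise prints what it would do so the list can be reviewed first.
remove_stale() {
    local user uuid
    stale_fv_users "$1" "$2" | while IFS=, read -r user uuid; do
        if [ "$3" = "apply" ]; then
            sudo fdesetup remove -uuid "$uuid"      # needs root, as noted above
        else
            printf 'would run: sudo fdesetup remove -uuid %s   # %s\n' "$uuid" "$user"
        fi
    done
}

# Dry run against the constructed sample. On a real Mac, use:
#   remove_stale "$(sudo fdesetup list)" "$APPROVED" apply
remove_stale "$SAMPLE_FV_LIST" "$APPROVED" dry
```

Review the dry-run output before passing `apply`; the script never touches the account that currently authorizes the change unless it has been dropped from `APPROVED`.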