Can't disable "reset password with apple ID" backdoor through FileVault 2

SoldOnApple

macrumors regular
Original poster
Jul 20, 2011
105
3
So I decided to enable FileVault 2, but then I found out that anyone who has discovered my Apple ID can just slip right past it with the "Allow user to reset password using Apple ID" option that was selected in the Users & Groups preferences pane.

So I unencrypt, reset the machine, and go to that pane to untick that option, but as soon as I enable the lock changes thing, or change tab or do anything else, it ticks itself again. I cannot seem to disable this backdoor at all. I've tried searching for how to untick this box but I cannot find a solution.

It is the Admin account, so it's not that. What's the point of FileVault if anyone can access my Mac with my Apple ID, either by seeing my password (which I enter multiple times per day), or just by calling Apple and pretending to be me?

All I want to do is permanently disable that option so I can turn FileVault on again.

I'm running retina MBP 10.8.2
 

SoldOnApple

macrumors regular
Original poster
Jul 20, 2011
105
3
I'm sorry about the rant, I was just frustrated after doing research into FileVault and seeing all the extra steps to keep it secure. It's been pretty concerning hearing about people being able to get your Apple ID just by calling Apple. This is the option I'm referring to, no matter what I do it reticks itself.
 

dcorban

macrumors 6502a
Oct 29, 2007
913
28
It may be a conscious design decision to prevent the average user from unwittingly locking themselves out of their computer.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
30,219
9,919
California
> All I want to do is permanently disable that option so I can turn FileVault on again.

Here is mine with FV2 on. I never put an AppleID in that field to begin with (before encrypting) and I wonder if that is your problem. Can you unencrypt then remove the AppleID from there altogether then encrypt again?

 

SoldOnApple

macrumors regular
Original poster
Jul 20, 2011
105
3
The option disappears with FileVault 2 turned on, so once it's on there is no way to check what that option is set to once encryption is already on. The only way to tell is to unencrypt, restart, and then check. But if you didn't have an Apple ID set to begin with, does that mean that option is automatically disabled?

So the solution is to remove my Apple ID, then turn FileVault 2 on, then add the Apple ID again? Is there any way to be sure that the option hasn't automatically been ticked again after I add the Apple ID once FileVault 2 is on (as the ability to see what that option is set to disappears once FileVault 2 is on)?
 

SoldOnApple

macrumors regular
Original poster
Jul 20, 2011
105
3
Oh, the option is toggled off now. It may have just been a quirk. I'll restart again and see if it stays off.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
30,219
9,919
California
> The option disappears with FileVault 2 turned on, so once it's on there is no way to check what that option is set to once encryption is already on. The only way to tell is to unencrypt, restart, and then check. But if you didn't have an Apple ID set to begin with, does that mean that option is automatically disabled?
>
> So the solution is to remove my Apple ID, then turn FileVault 2 on, then add the Apple ID again? Is there any way to be sure that the option hasn't automatically been ticked again after I add the Apple ID once FileVault 2 is on (as the ability to see what that option is set to disappears once FileVault 2 is on)?

If you are not using the AppleID for password recovery there is no need to add your AppleID there at all that I can see.
 