Apple can be crafty. Just ask Google. But I’m not here to write about corporation-on-corporation smackdowns. Rather, I’m referring to a Mac OS X trick that pairs FileVault 2 with iCloud’s Find My Mac service to trap a thief. Specifically, OS X 10.7.2 (Lion) offers an option to lure in ne’er-do-wells by providing what seems like a reasonable path to start up a Mac…but then phones home.
As I explained in our complete guide to FileVault 2, FileVault 2 lets Lion users encrypt their entire startup drive. When a Mac with FileVault enabled starts up or restarts, a special login screen appears; only an authorized user account can get past this screen. Enter such an account’s name and password, and the encrypted key is unlocked and the Mac restarts from the boot drive.
Behind the scenes, Apple is taking advantage of Recovery HD, an invisible partition of your startup drive (created as part of the Lion installation process) that’s used for both emergency and routine activities. FileVault 2 encrypts only the main partition of a Lion disk, using the unencrypted Recovery HD partition to handle the aforementioned entry screen.
New features with Lion 10.7.2
My original FileVault article was researched and written using Mac OS X 10.7.1. Soon after the article was published, Apple released version OS X 10.7.2, which includes some significant changes to FileVault, as well as some nifty interactions with the new Find My Mac feature. One of these changes is a new Guest User option on the FileVault entry screen. This option appears only when you’ve previously booted your Mac under OS X 10.7.2 and logged into iCloud (in the iCloud pane of System Preferences).
Before I proceed, it’s useful to understand what’s going on behind the scenes: During normal use, Lion copies certain settings to Recovery HD, such as information about, and password validations for, FileVault-authorized accounts, as well as the passwords for Wi-Fi networks to which you’ve connected and opted to save the password. (The reason for storing Wi-Fi passwords is that doing so makes it easier to use Lion Recovery to reinstall Lion, or to use the standard Get Help Online mode, since both require an Internet connection.) But in OS X 10.7.2, Lion also stores on Recovery HD your credentials for iCloud and the status (enabled or disabled) of the Find My Mac feature.
Put these things together, and it means that whenever someone is using your Mac via the Guest User feature, your Mac can connect to the Internet, log in invisibly to your iCloud account, and report your location via Find My Mac. This is where I believe Apple is being crafty on our behalf: If someone steals your FileVault-protected Mac and boots it up, they won’t be able to access any user accounts, so they’ll be tempted to boot into the Guest User account to see if they can access data, or perhaps just to try to erase the drive. As soon as they connect to a Wi-Fi network (which might even happen automatically—for example, if you previously used an AT&T/Starbucks access point, your Mac can automatically connect the next time you’re in range of a Starbucks), the location of the computer is revealed, iCloud can send you an email alert, and you can then send a remote message, a lock command, or even a wipe command using Find My Mac.
(Of course, this is also useful if a good samaritan finds your lost MacBook: They’ll presumably try to start it up to see if they can find any information that would help them contact you. In the background, your Mac is doing the work for them.)
Even if your Mac is already booted up, you get some protection here. For starters, when you enable FileVault, it automatically enables the Require Password After Sleep Or Screen Saver Begins option in the Security & Privacy of System Preferences, and it disables automatic login. (In fact, you can’t even enable automatic login if FileVault is on.) This means anyone who procures your Mac won’t be able to use it, and will likely try to reboot it…leading them right into the aforementioned startup sequence and the Guest User trap, if you will.
But I also recommend enabling, in that same preferences screen, Require An Administrator Password To Access System Preferences With Lock Icons. This ensures that anyone who happens across your awake-and-unlocked Mac won’t be able to change system-level settings unless they have a valid administrator account.
You should also enable the Show A Message When The Screen Is Locked option, and then include your contact information in the text box. This text appears not just on the lock and login screens, but also in the initial FileVault login screen, giving good samaritans and guilty-conscience thieves a way to contact you. Finally, you should make sure the Disable Restarting To Safari When Screen Is Locked option is disabled—enabling this option prevents the Guest User option from appearing at startup.
Find My Mac’s options
If you ever lose your Mac, or if it’s ever stolen, immediately log in to Find My Mac (on the iCloud website or via the Find My iPhone iOS app). Whether or not your Mac can be found immediately, you can choose any of the Find My Mac options: Play Sound or Send Message, Remote Lock, or Remote Wipe. If your Mac has been located, the action will occur immediately. If it can’t be found, the action will occur as soon as your Mac next connects to the Internet.
Tip: If your Mac’s location can’t be found immediately, tap the blue info [i] button next to your Mac in the devices list, and then slide the Email When Found button to On. With this setting enabled, iCloud will email you, at your iCloud email address, as soon as your Mac connects to the Internet. You can then log in to Find My Mac to see the computer’s location.
The Play Sound or Send Message option is mainly useful if you know you left your Mac in a trusted environment and you want to alert a friendly soul. In situations where you don’t know who has your Mac, or what access they have to it, the Remote Lock option is a better choice, as it reboots the computer as soon as the command is received, requiring a six-digit (if you issued the command from iCloud.com) or four-digit (if you used the iOS app) passcode for access. Apple continues to play tricks on absconders here: When the Mac restarts after a Remote Lock with FileVault 2 enabled, the Guest User option is disabled, but the computer still automatically connects to any known Wi-Fi networks and sends location information!
The Remote Wipe command is, of course, a last resort, as it instantly destroys the boot drive’s contents by erasing the encrypted volume’s key, rendering the drive’s contents unusable. However—and this is an important note—once you’ve used the Remote Lock option, the Remote Wipe action is no longer available. So choose wisely.
As soon as the computer obtains network access and the Recovery HD system talks to iCloud, your computer is roughly located. The location, determined by nearby Wi-Fi networks, is displayed on Find My Mac, and any action you took is immediately carried out. Once you have the location in hand, if it’s not someplace you know to be friendly, your next step should likely be a visit to a police station, especially if you suspect the computer is in the hands of a putative blackheart.
Security in mind
I kid throughout this article about Apple’s craftiness, because FileVault’s Guest User option is absolutely and decisively designed to allow your computer to report its location to iCloud’s Find My Mac servers—and, thus, to you—without the person operating the laptop being any the wiser.
But FileVault’s Guest User feature is also a way to let someone else use your computer for basic Web browsing without giving them an account—or, thus, access to anything on your computer. In fact, FileVault disables the normal Guest option, found in the Users & Groups pane of System Preferences, that would allow a guest to use a temporary account with access to applications and to public areas of your drive. With Fast User Switching enabled, that option even lets you stay logged in to your normal account (or accounts). FileVault’s Guest User is thus significantly more secure, as it makes your boot drive completely inaccessible and gives the guest user access only to Safari.
But for most people, the major benefits here involve keeping your data secure and helping you find a lost or stolen computer. Apple doesn’t want to advertise its Find My Mac tracking as a feature, as it may lose some of its effect if thieves are too aware. But I don’t think most people stealing computers are also dedicated readers of marketing materials or Macworld. (Prove me wrong, people.) Forearmed is forewarned, and your machine, absconded with, may be more recoverable than we thought.