Suggestion for SmartCard Supplemental

[reuven-cohen]

https://github.com/usnistgov/macos_security/blob/main/rules/supplemental/supplemental_smartcard.yaml

With SmartCard Enforcement enabled on Silicon MacBooks, there is another way to bypass the FV2 screen.
This is useful if you have an admin account that is set as an exception to SmartCard Enforcment, or if you want to be able to have the macBook connect to internet so that you can push policies via MDM.

After booting the system up, press Option Shift Return and you can enter the Personal Recovery Key.
This will authenticate the FV2 screen and drop the system into the normal login prompt with network enabled.

[robertgendler]

That's a good suggestion. We should maybe add something about option shift return in there.

[bdruth]

Does this only work if you don't use the "allow my iCloud account to unlock my disk" option? Or is there a way to access your recovery key through iCloud to make this work? AFAIK, when using that option, you don't every "see" the key, so you wouldn't have anything to type in?

[reuven-cohen]

Recovery Keys should be getting escrowed to your MDM. Not sure about iCloud as we disable Activation Lock preventing them for leveraging that function.

[pkkemp]

This should work as long as there is a PRK (personal recovery key) set. You can check if your volume does by running sudo fdesetup list -extended in terminal, this will list everything that can unlock FileVault. This should also output if you have an iCloud Recovery Record stored. If you lost your PRK (or want to create a new one) you can run sudo fdesetup changerecovery -personal to generate a new one.

[bdruth]

@pkkemp thank you!