Ipa User-unlock Page

Report: FreeIPA User Account Unlocking

Subject: Usage and Analysis of ipa user-unlock Command
Date: October 26, 2023
Category: System Administration / Identity Management

  1. Day 0: IT deploys the profile. The user creates their Mac password. The Mac generates a personal recovery key. It encrypts that key using the MDM’s public key and escrows it to the server.
  2. Day 45: User forgets password. They reboot the Mac.
  3. The Login: They see the standard FileVault login window. They type the wrong password three times.
  4. The Prompt: A new button appears: "Reset password using MDM (or using your escrowed key)."
  5. Authentication: The user clicks it. A web view (via authd) opens asking for their corporate credentials (Entra ID, Okta, Google Workspace).
  6. Escrow Retrieval: The MDM validates the identity and returns an EncryptedCert or EncryptedRecoveryKey payload. The local machine decrypts it using the hardware key (Secure Enclave).
  7. Reset: The user is prompted to set a new password and hint. FileVault is re-encrypted with the new password. The new recovery key is escrowed automatically. The user logs in.

More precisely, when an MDM pushes a FileVault configuration profile, it includes a dictionary of keys. The user-unlock key (often nested under an ipa or FileVault dictionary) determines whether end users can authorize FileVault decryption on their own or whether an IT admin must provide a master recovery key.

Sarah doesn’t want to reset the password (that would require updating 20 production config files). She just needs to remove the lock without changing the credential.

ipa user-unlock --help
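The workflow Sarah needs, clearing the lockout without touching the password, as an added shell example that is not part of the original report. It assumes the ipa CLI is on the PATH with an admin Kerberos ticket, that the global password policy's "Max failures" value is the lockout threshold, and that the ipa user-status text it parses is a constructed sample shaped like that command's output (the hostnames ipa1/ipa2.example.test are placeholders).

```shell
#!/bin/sh
# Added example: decide whether a FreeIPA account is locked out and, if so,
# clear the lock with `ipa user-unlock` instead of resetting the password.
# Assumes the `ipa` CLI on PATH and a valid admin ticket for the live path.

# Constructed sample of `ipa user-status` output for two replicas.
SAMPLE_STATUS='-----------------------
Account disabled: False
-----------------------
  Server: ipa1.example.test
  Failed logins: 6
  Last successful authentication: 20231026101500Z
  Last failed authentication: 20231026120000Z
  Time now: 2023-10-26T12:05:00Z
  Server: ipa2.example.test
  Failed logins: 1
  Last successful authentication: 20231026101500Z
  Last failed authentication: 20231026120100Z
  Time now: 2023-10-26T12:05:00Z
----------------------------
Number of entries returned 2
----------------------------'

# Highest per-replica "Failed logins" counter in a user-status report.
# Failure counters are kept per server, so the maximum decides lockout.
max_failed_logins() {
  printf '%s\n' "$1" | awk '/Failed logins:/ { n = $3 + 0; if (n > max) max = n } END { print max + 0 }'
}

# True when the report says the account is administratively disabled.
is_disabled() {
  printf '%s\n' "$1" | grep -q '^Account disabled: True$'
}

# Prints "unlock" if failures reached the threshold, "disabled" if the account
# is disabled (user-unlock does not help there; user-enable does), else "ok".
decide_action() {
  status="$1"
  threshold="$2"
  if is_disabled "$status"; then
    echo disabled
  elif [ "$(max_failed_logins "$status")" -ge "$threshold" ]; then
    echo unlock
  else
    echo ok
  fi
}

# Live path: query the server and unlock only when the counters justify it.
unlock_if_needed() {
  user="$1"
  command -v ipa >/dev/null 2>&1 || { echo "ipa CLI not found; skipping live check" >&2; return 2; }
  status="$(ipa user-status "$user")" || return 1
  # "Max failures" of the global password policy is the lockout threshold.
  threshold="$(ipa pwpolicy-show | awk -F': ' '/Max failures:/ { print $2 }')"
  case "$(decide_action "$status" "${threshold:-6}")" in
    unlock)   ipa user-unlock "$user" ;;
    disabled) echo "$user is disabled, not locked; use ipa user-enable" >&2; return 1 ;;
    ok)       echo "$user is not locked out" ;;
  esac
}
```

Run as `unlock_if_needed sarah` from an admin session. The unlock path leaves the password and its expiry untouched, which is the property Sarah is after; the separate "disabled" branch matters because a disabled account looks locked from the user's side but ipa user-unlock only clears failed-login state.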

Click the Unlock button or action provided in the user management menu.