It looks like no one has commented in a while. To start the conversation again, justask a new question.
User profile for user: curtx
curtx Auteur
User level:Level 1 4 punt
If File Vault 2 is enabled, Mac files must be encrypted on the SSD drive. But can an administrator still access these files without logging in as a user?
Posted on January 26, 2023 at 10:54 am
Question marked as Best answer
User profile for user: HWTech
HWTech
User level:Level 9 55,664 points
Posted on January 26, 2023 4:50 PM
An admin user has access to all other macOS user accounts, although I don't know if newer versions of macOS have restricted this, but I don't think so. Here are two examples:
- You can look into the other macOS user account and see locked folders. If you drag and drop a locked folder into your own home folder, its permissions will automatically change so you can access it like any other item in your home folder.
- When you use a third-party app such as Carbon Copy Cloner, CCC will ask you for your administrator password so that CCC can access files anywhere on the drive, including other user accounts.
Filevault2 has no influence on this, as the entire volume is encrypted for all user accounts, and once unlocked, any user can log in and use the Mac. Filevault is only intended to protect data at rest, such as when the laptop is turned off, so that if the laptop is lost or stolen, someone cannot easily access data on the encrypted device.
If you're concerned about other user accounts on this Mac gaining access to the files from your primary macOS administrator account, make sure you only create a "standard" user account for the other users that won't have access to anything outside of their own home user folder.
See in context
Similar questions
- File Safe File Safe apparently did not work properly when using the WD external hard drive while moving data from Catalina to Big Sur from an older Mac to a new Mac. It took me a while to realize that I had unknowingly enabled File Vault and now I don't remember the password. While using this Mac, Apple's warnings about continued use were very clear. At my age, I had a feeling this would be my last Mac I bought in 2020. I was worried, but thought it would be fine. That's not the case, and it's likely that I lost admin access a while ago. I'm wondering if others have had similar experiences with newer Intel MacBook Pros and how they were handled, or if I'm just in an impossible situation by not acting sooner. Thanks for any tips. 2883
- I don't want my File Vault protected files to be accessible with the login password. Is this possible? I have to take my Macbook Pro in for repairs, i.e. they have to replace the screen. When I had it evaluated (by an Apple certified dealer), the technician told me to give him the login password when I got back and leave the computer with him. Now: I don't want them to have access to my files and was thinking about file vault encryption. My research shows that anyone who has the login password can also unlock the encrypted file vault files. But that's exactly what I don't want them to be able to do. Is there a way to access the encrypted files only with a different password, instead of being able to do so with the login password? Since there's no point in enabling the file vault if they can then access it with the login password, it looks like I'm going to give it to them. Thank you for helping me with this and clarifying my options. 1854
- Password Protect a Folder I want to migrate my iMac to a Mac Mini and I want to password protect the folder where I keep my passwords. Or is it best to drag the folder from the iMac to a flash drive before migrating? Thanks Allan 4173
4 answers
Loading page content
Page content loaded
Question marked as Best answer
User profile for user: HWTech
HWTech
User level:Level 9 55,664 points
January 26, 2023 4:50 PM In reply to curtx
An admin user has access to all other macOS user accounts, although I don't know if newer versions of macOS have restricted this, but I don't think so. Here are two examples:
- You can look into the other macOS user account and see locked folders. If you drag and drop a locked folder into your own home folder, its permissions will automatically change so you can access it like any other item in your home folder.
- When you use a third-party app such as Carbon Copy Cloner, CCC will ask you for your administrator password so that CCC can access files anywhere on the drive, including other user accounts.
Filevault2 has no influence on this, as the entire volume is encrypted for all user accounts, and once unlocked, any user can log in and use the Mac. Filevault is only intended to protect data at rest, such as when the laptop is turned off, so that if the laptop is lost or stolen, someone cannot easily access data on the encrypted device.
If you're concerned about other user accounts on this Mac gaining access to the files from your primary macOS administrator account, make sure you only create a "standard" user account for the other users that won't have access to anything outside of their own home user folder.
Clutch
User profile for user: leroydouglas
leroydouglas
Community+ 2024 User level:Level 10 183,696 points
January 26, 2023 at 11:12 am in reply to curtx
curtx wrote:
If File Vault 2 is enabled, Mac files must be encrypted on the SSD drive. But can an administrator still access these files without logging in as a user?
If you have configured/enable file sharing between accounts...
Set up file sharing on Mac - Apple Support
Clutch
User profile for user: Grant Bennet-Alder
Grant Bennet-Alder
User level:Level 10 127,141 points
January 26, 2023 5:15 PM In reply to HWTech
if you found a Mac with an encrypted drive on the street and read the files, they would be junk.
Once you log in such that the encryption password is provided, the files remain encrypted on the disk, but when the authorized version of MacOS reads these files, they are immediately decrypted for use and encrypted when written back to the disk.
Encrypted drive does NOT change the way user accounts work. By default, an administrator user can read almost everything and write most things, with some system files as special cases.
"regular" users can read and write their own files, but NOT other users' files.
--------
An old rule of thumb from the system administrator: "Give permissions only to individual users who are capable of fixing any mess."
Clutch
User profile for user: curtx
curtx Auteur
User level:Level 1 4 punt
Can a Mac administrator see another user's file with File Vault 2 enabled?
