Headless Mac mini: Share Screen + FileVault

At the office we have a Mac mini that will be used to run a Teamcity agent. It is a requirement from our security department that we enable FileVault on this machine.

I will also need to manage remotely (via Screen Sharing) this Mac mini from my laptop. I don't want to have to plug in a monitor + mouse + keyboard to manage the build agent.

On this Mac mini, we have 2 accounts: 1 admin account, and 1 teamcity account (standard user). Since the plist file that will run the agent is located in /Users/teamcity/Library/LaunchAgents, I currently need to log in (via the login screen) as teamcity for the agent to start.

My problem is that after I restart the Mac mini, I can't "Share Screen" with the Mac mini.

The only solution around this that I found is to manually log in (from the login screen) to the teamcity account. Of course, I don't want to have to plug in a keyboard + monitor to start the agent.

My question is: how can I remotely "Share Screen" to a FileVault-enabled Mac, if the target user (teamcity) is not logged in?


Solution 1:

Other answers here are correct - it is not possible to remotely access a freshly-booted Mac with FileVault enabled without physical access (FileVault operates 1 layer closer to actual software than a 'traditional' BIOS or firmware password).

It is, however, possible to remotely reboot a Mac and force it to allow remote access even with FileVault enabled, provided you issue the correct command:

sudo fdesetup authrestart

Apple calls this 'Authenticated Restart'; official semi-documentation is available here, and a more in-depth view from C|Net gives a high-level description of its workings.

Note that if a Mac is not restarted with this command (a regular restart, powerloss, or otherwise), physical access will be needed to access the Mac. The command also (obviously) requires admin privileges to run.
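A small wrapper around the authenticated-restart step, added here as an example and not code from the answer above. It assumes macOS with `fdesetup` (the `status`, `supportsauthrestart` and `authrestart` subcommands) and a sudo-capable admin session reached over SSH; it refuses to reboot when a plain restart would leave the headless Mac stuck at the pre-boot unlock screen.

```shell
#!/bin/sh
# Added example (not from the original answer): only reboot a headless FileVault
# Mac when the unlock key will be cached for the next boot, so Screen Sharing
# comes back without a keyboard and monitor. Assumes macOS `fdesetup`.

# filevault_state OUTPUT: map the text of `fdesetup status` to on/off/unknown.
filevault_state() {
  case "$1" in
    *"FileVault is On."*)  echo on ;;
    *"FileVault is Off."*) echo off ;;
    *)                     echo unknown ;;
  esac
}

# restart_plan FV_STATE SUPPORTS: choose the reboot command that is safe here.
#   authrestart -> key cached for one boot, remote access returns after reboot
#   reboot      -> FileVault off, a plain reboot is enough
#   abort       -> plain reboot would require physical access to unlock
restart_plan() {
  fv="$1"; supports="$2"
  if [ "$fv" = off ]; then
    echo reboot
  elif [ "$fv" = on ] && [ "$supports" = true ]; then
    echo authrestart
  else
    echo abort
  fi
}

main() {
  fv=$(filevault_state "$(fdesetup status 2>/dev/null)")
  supports=$(fdesetup supportsauthrestart 2>/dev/null)   # prints true or false
  case "$(restart_plan "$fv" "$supports")" in
    authrestart)
      echo "FileVault on and authrestart supported: rebooting with cached key" >&2
      sudo fdesetup authrestart ;;   # prompts for an unlock-enabled user's password
    reboot)
      sudo shutdown -r now ;;
    abort)
      echo "Refusing: plain reboot needs a physical unlock (fv=$fv supports=$supports)" >&2
      exit 1 ;;
  esac
}

# Only act when invoked with --run, so the functions can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sh authrestart.sh --run` from the SSH session; the `supportsauthrestart` check matters because older Macs report false and would otherwise stop at the unlock screen.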

Solution 2:

You will need to attach actual hardware to log in on a Mac with FileVault encryption enabled. You cannot set the machine to automatically log in (see Apple Support).

The machine requires that you enter the password very early in the boot process, I believe before it mounts the hard drive, so you can not use Remote Desktop or Screen Sharing to login.

Solution 3:

It is possible, but not with OS X alone.
I had the same issue. I wanted remote access (or, actually, I only had remote access), but I also wanted the security of an encrypted disk.

So long as you don't ever need to use Mac OS locally, there is a relatively easy solution which I used:
1. Wipe out OS X and install VMWare ESXi Server.
2. Install OS X inside of that.

Now you can log into the virtual "physical" console from the VMWare web interface and enter the boot password there. After that, you can use the VMWare console, or you can use the normal Apple VNC tool, etc.

Using ESXi actually gives a lot of advantages if you only have remote access (like the ability to restart the machine easily without worrying if it will reconnect or not, the ability to make snapshots, etc.) - but it also means that the local console will be limited to a very simple terminal, so basically useless to do anything other than find the virtual machine's IP address or do maintenance work.

Solution 4:

Building on the other answers... Here's an option that could work: You could boot from an external or second drive that does not have FileVault enabled but contains an OS with screen sharing enabled. Then from there, boot to your FileVault enabled drive.