FileVault 2's Undying Guest User bug - the El Capitan edition.

Today’s post-El Capitan update bug is a ghostly Guest User account that appears only on restarting a El Capitan Mac with FileVault 2 enabled and Guest User disabled in System Preferences:Users and Find My Mac enabled. The configuration for this pre-decryption login is running out of the UEFI EFI system partition. The one thing this Guest User can do is run Safari; the primary partition remains encrypted. There are no Parental Control options (that’s a problem).

I’ve read claims that this a feature. Some misguided Apple engineer thought it would be a good idea — a kind of Honey Pot that would tempt a thief to go online and thus trigger Find My Mac.[1] It becomes a problem with kids who have issues with internet abuse; they get an open browser.

My own suspicion is that this is a partly-implemented undocumented “feature” that is buggy because it was never tested. Maybe it was partly pulled from the release. Not only does it appear unpredictably it has other associated problems. If you enable the Guest account in System Preferences there’s sometimes an option to  enable Parental Controls and sometimes not. Even when there is an option to enable Parental Controls it doesn’t actually work. I’m also unable to get a true Guest account to work — even when I don’t see the “safari only” warning in system preferences the Guest Account never decrypts the primary partition.

There may be more than one bug involved — perhaps something related to failure of new computer / upgrade to notify EFI infrastructure of a preference change. I suspect it’s the worst kind of bug — an undocumented feature that was partly pulled from a release and lurks in code.

It’s not new to El Capitan, it’s been happening intermittently since Lion. It may be more frequent in El Capitan.  I updated two FileVault 2 machines from Yosemite to El Capitan and only one has the ghost account. 

I reviewed 3 options on apple.stackexchange.com [2] dating as far back as Lion with updates for 10.11.

• lion - Guest login got enabled even though FileVault 2 is enabled and Guest login is disabled - Ask Different (First asked with Lion)
• OS X - How to disable the Guest account on OS X El Capitan - Ask Different (El Capitan version)
• lion - Guest login got enabled even though FileVault 2 is enabled and Guest login is disabled - Ask Different

The fix that worked for me was edited as recently as 6/2016. Basically you turn off Guest Account and Find My Mac in System Preferences. Then you disable System Integrity Protection so you can “touch” a System EFI resource, that forces and EFI update, then reenable SIP. When I did that System Preferences had Guest Account enabled again, even though it wasn’t showing up. I disabled Guest Account and enabled Find My Mac and the ghost seems to have been exorcised.

 

I think reinstalling El Capitan from Combo Update would have worked too — it also forces an EFI refresh [3]. I wonder if one could even have used the reinstall operating system feature in the Recovery mode.

 

- fn -

[1] This has been seen as far back as Lion and there’s a good description in this Yosemite article in FileVault 2.

Ten Things You Might Not Know About FileVault 2 | Der Flounder - Dec 2014 ( - Yosemite)

One unusual feature of FileVault 2 is that sometimes a Guest User icon will appear at the pre-boot login screen.

Figure_4-Guest_account_appearing_at_the_FileVault_2_pre-boot_login_screen

When you log in as that guest user, you don’t get access to your hard drive. The only thing you get access to is Safari and a network connection. Quitting out of Safari will return you to the FileVault 2 pre-boot login screen.

Figure_5-Guest_account_restarting_to_Safari-only_mode

Figure_6-Guest_accounts_Safari-only_access

To my knowledge, Apple has never commented specifically about this guest user but it appears the guest user is an anti-theft measure. The guest user’s appearance at the pre-boot login screen is a feature tied to signing into iCloud and enabling the Find My Mac option.

Figure_7-Enabling_the_Find_My_Mac_option_in_System_Preferences_iCloud_preference_pane

One consequence of logging into the guest user is that, as soon as the Mac gets a network connection, it will immediately connect back to Apple and report its location information.

Figure_8-Computers_location_displayed_on_iClouds_Find_My_iPhone_website

If you don’t sign in with iCloud and then enable Find My Mac from that machine, the Guest User icon will not appear on the FileVault pre-boot login screen. That said, mobile device management solutions that track a machine’s location may also trigger the Guest User icon to appear.

[2] Apple has killed Apple Discussions with their latest update.

[3] Despite waiting a long time to do my El Capitan upgrade I ran into an unexpected behavior with an updated installer that wasn’t actually updated. So my main machine went to 10.11.2. I wonder if I’d actually gone to 10.11.5 if this problem would have shown up. It seems to be related to a bug with EFI partition updates.