Title: Known issue with macOS LAPS and FileVault recovery key access on user-based supervised devices enrolled via ABM and Intune?
Body:
We have macOS devices enrolled as user-based supervised in combination with Apple Business Manager (ABM) and Intune. These devices have a primary user with a Secure Token, but no admin rights. We want to enforce FileVault disk encryption, which requires local admin rights for initial setup. To handle this, we recently deployed LAPS accounts that are used to activate FileVault, with the recovery key escrowed to Intune and the user's Company Portal.
However, we discovered a security gap: the user can access the recovery key at any time through the Company Portal, boot the Mac into recovery mode, and use the recovery key to reset the LAPS account password. This effectively bypasses the LAPS process and grants the user local admin access through the LAPS account.
One alternative could be to not export the recovery key to the Company Portal, but currently it is all or nothing; there's no option to manage Intune and user Company Portal separately. A good improvement would be to have separate controls for these escrow locations.
We have tested this behavior under macOS Sequoia 15.6.1 and we will test under macOS Tahoe 26 soon. If the situation changes in the newer version, we will update this post accordingly.
Is this issue already known in the community? How is it expected to be addressed in the future to prevent this security loophole?