Security question about Palo Alto Network's Global Protect

[theorist9]

My University uses Palo Alto Network's Global Protect to verify the encryption status of my Mac—it won't let me access the VPN unless it passes its encryption check. So far so good, since all that's required is that I establish full disk encryption with FileVault, which I do anyways.

However, for certain reasons, I would really like to run a dual-boot machine. Yet I found that when I configure my Mac for dual boot (different versions of macOS on different containers), and fully encrypt both partitions, my Mac will fail the encryption test.

I contacted Howard Oakley, a well-known Mac security expert, about this. He said that if you can verify both installations are encrypted (which I did), and it still fails GlobalProtect’s encryption check, then GlobalProtect isn’t doing the check correctly:

“There’s an easy way to check whether PaloAlto Networks are getting this right. To check whether FileVault is turned on, use the fdesetup status command in Terminal when booted in that macOS. I suspect that it will return that both systems have FileVault enabled, in which case you know that, however PaloAlto Networks are trying to test for encryption, they’re doing it wrong.”

My IT dept. is aware of this issue. Indeed, it seems to apply to both Macs and PC's. However, they insist that, if it fails Global Protect's encryption check, it's not properly encrypted (and thus refuse to contact Palo Alto about this).

But surely Oakley is right and my IT dept. is wrong, since it makes no sense that encrypted data on MacOS would become readable simply as a result of creating a 2nd encrypted partition. After all, that would represent a remarkable security hole in MacOS that would make the front page of every tech site until it was patched. Thus it's simply not plausible that such a hole could exist.

Am I missing anything here?

 

[jbailey]

I used to use a Palo Alto VPN in a virtual machine environment. But it was a long time ago and they might try to detect that now. But you might give it a shot.

 

[theorist9]

I used to use a Palo Alto VPN in a virtual machine environment. But it was a long time ago and they might try to detect that now. But you might give it a shot.

Are you saying to create a VM on one of the OS installations, and access my VPN through the VM, which might limit Global Protect's encryption check to the VM itself? A clever idea, but it sounds like it would overcomplicate things for me.

 

[rdrr]

Saw this on Reddit about dual booting and Filevault. The link with the macOS layout was interesting.

This subreddit is intended for system administrators managing Macs at businesses and schools. Nonetheless, I’ll bite.

macOS Big Sur and later uses a System volume and a paired/linked Data volume for each instance of macOS installed. The System volume is cryptographically sealed and signed by Apple, making it a Signed System Volume (SSV). Each copy of macOS boots from an immutable snapshot of its SSV and checks the top level seal during startup. If the seal doesn’t match what it expects, the Mac boots to macOS Recovery instead and asks you to reinstall macOS. If your Mac starts up as normal, it’s already asserted that the seal is correct, and it will continue checking everything it reads from the SSV as macOS runs to make sure it’s what it expects.

Why is this relevant? In macOS Mojave and earlier, macOS and your data resided in the same volume, and thus enabling FileVault encrypted everything. macOS Catalina used a separate system volume, but it didn’t have SSV protection, so it was also encrypted when FileVault got enabled.

macOS Big Sur and later are different. Because they use the SSV, macOS doesn’t encrypt the system volume, because it doesn’t need to. macOS itself isn’t confidential, and the system will instantly know if it’s been tampered with. The paired/linked Data volume, on the other hand, will still be encrypted by FileVault.

In your case, this means that because the System volume of the other macOS installation isn’t encrypted, the running macOS will mount it at startup. This is ok; just confirm whether the Users folder on that volume is empty. If it is, FileVault is working as expected. Normally one or more user home folders should appear there, but those reside on the Data volume, and if they don’t appear, that implies the Data volume is locked and inaccessible without the right password. If one or more home folders DO appear in the Users folder for that volume though, there’s a problem.

More on firmlinks: https://eclecticlight.co/2021/01/13/big-sur-boot-volume-layout/

EDIT: Regarding Wi-Fi, that info gets saved to NVRAM, and both OSes can read that.

 

[theorist9]

"In your case, this means that because the System volume of the other macOS installation isn’t encrypted, the running macOS will mount it at startup. This is ok; just confirm whether the Users folder on that volume is empty."

The reddit post seems to be saying there should be a Users folder on the SSV, and that should be empty. My SSV (Monterey) doesn't have a Users folder at all (at least at the top level):

 

[mr_roboto]

The reddit post seems to be saying there should be a Users folder on the SSV, and that should be empty. My SSV (Monterey) doesn't have a Users folder at all (at least at the top level):

You're looking in the wrong place. The SSV is mounted at /, not /System. Both /System and /Users are folders that should (AFAIK) exist on the SSV.

You can't do the same test the Reddit poster is talking about while still booted into the SSV/Data volume combo you want to examine. You need to set up dual boot on your Mac, boot the second OS, and mount the original operating system's SSV to see whether it has any user data files on it (it won't).

Alternatively, you can use the command line to see that in principle all your data should only exist on the data volume:

% diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk0
   1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1
   2:                 Apple_APFS Container disk3         994.7 GB   disk0s2
   3:        Apple_APFS_Recovery Container disk2         5.4 GB     disk0s3

/dev/disk3 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +994.7 GB   disk3
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            11.2 GB    disk3s1
   2:              APFS Snapshot com.apple.os.update-... 11.2 GB    disk3s1s1
   3:                APFS Volume Preboot                 6.8 GB     disk3s2
   4:                APFS Volume Recovery                1.0 GB     disk3s3
   5:                APFS Volume Macintosh HD - Data     584.1 GB   disk3s5
   6:                APFS Volume VM                      20.5 KB    disk3s6

% mount
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk3s6 on /System/Volumes/VM (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk3s2 on /System/Volumes/Preboot (apfs, local, journaled, nobrowse)
/dev/disk3s4 on /System/Volumes/Update (apfs, local, journaled, nobrowse)
/dev/disk1s2 on /System/Volumes/xarts (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk1s1 on /System/Volumes/iSCPreboot (apfs, local, journaled, nobrowse)
/dev/disk1s3 on /System/Volumes/Hardware (apfs, local, journaled, nobrowse)
/dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect, root data)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
/dev/disk3s3 on /Volumes/Recovery (apfs, local, journaled, nobrowse)

disk3s1s1 is my computer's current SSV snapshot. Note that the mount options show it's mounted on /, sealed and read-only. That makes it impossible for any data to be written to the booted SSV.

disk3s5 is my data volume, mounted R/W at /System/Volumes/Data. Through the magic of firmlinks, /System/Volumes/Data/Users is overlaid onto /Users. Howard Oakley has some posts up on eclecticlight.co detailing more about the folder hierarchy of the SSV and Data volume, and how firmlinks stitch them together.