john_strinlai 2 hours ago

> if by "great" you really mean "fine".

no, i mean great. managing a fleet of 100+ laptops with bitlocker is a breeze. it's so seamless that the users don't even realize it's enabled (i.e. no UX issues, at all). on the other hand, i am not managing 100+ laptops that use veracrypt. sounds absolutely awful. i've never managed an apple fleet, so i can't speak to that, and will take your word on it. for personal use, i do not recommend bitlocker (or windows, really), but for already-windows enterprises? absolutely
dijit an hour ago

Flicking a button to turn something on is not what I'm talking about; that's normally the easy part of any setup, and I judge people harshly who only take that aspect of something into consideration when discussing systems. Brittle is what happens when you haven't logged on to the machine in 60 days, trust with AD is broken, TPM has a glitch and wipes the in-device key and forces you into recovery... or god forbid you service the laptop and now you have to enter recovery mode. Then you're in a nightmare; trying to give someone a super long passphrase over the phone is a not-too-uncommon occurrence. That's assuming you have a good policy for storing the recovery keys. Too loose and they're handed out to everyone, sort of defeating the purpose; too strict and you need the IT department (or specific members), and it's still predicated on the notion that you have a policy for it... Given that admins are a dying breed... I don't think this is workable. If you compare with FileVault on macOS, which tracks the credentials of the logged-in user, there's no "issue" if the device loses trust because ultimately you always use the real unlock key, not something cached in a "secure storage".
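The failure mode described above (TPM fault or lost AD trust dropping the machine into recovery with no escrowed key) is the one a fleet audit should catch before it bites. The following PowerShell is an added example for this thread, not code from any commenter or from Microsoft: it lists each volume's BitLocker state and whether a recovery password protector exists at all, then escrows every recovery password to AD DS or Entra ID. It assumes the built-in BitLocker and TrustedPlatformModule cmdlets (Windows 10/11), an elevated session, a domain- or Entra-joined device, and, for the AD DS path, a schema and policy that permit storing BitLocker recovery information. The function and parameter names are this example's own.

```powershell
# Added example: audit BitLocker protectors on a managed Windows endpoint and
# escrow recovery passwords so a TPM glitch does not become unrecoverable data.
# Assumes Windows 10/11 BitLocker module, elevation, and a joined device.

function Get-BitLockerAudit {
    # TPM readiness is machine-wide; query it once and tolerate hosts without one.
    $tpmReady = $false
    try { $tpmReady = [bool](Get-Tpm).TpmReady } catch { $tpmReady = $false }

    # One record per volume: state, protector types, and the key question for
    # the recovery scenario above: is there a recovery password to escrow?
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            ProtectionStatus    = $vol.ProtectionStatus
            VolumeStatus        = $vol.VolumeStatus
            ProtectorTypes      = ($types -join ',')
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            TpmReady            = $tpmReady
        }
    }
}

function Invoke-BitLockerRecoveryEscrow {
    # Adds a recovery password where none exists, then backs every recovery
    # password up to the chosen directory. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 'AD'  -> Backup-BitLockerKeyProtector (AD DS)
        # 'AAD' -> BackupToAAD-BitLockerKeyProtector (Entra ID)
        [ValidateSet('AD', 'AAD')]
        [string]$EscrowTarget = 'AD'
    )

    $protected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
    foreach ($vol in $protected) {
        $mp = $vol.MountPoint
        $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($rp.Count -eq 0) {
            # TPM-only volume: a wiped or glitched TPM leaves no way in.
            if ($PSCmdlet.ShouldProcess($mp, 'Add RecoveryPassword protector')) {
                Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
                $rp = @((Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
            }
        }

        foreach ($p in $rp) {
            $what = "Escrow recovery password $($p.KeyProtectorId) to $EscrowTarget"
            if ($PSCmdlet.ShouldProcess($mp, $what)) {
                switch ($EscrowTarget) {
                    'AD'  { Backup-BitLockerKeyProtector      -MountPoint $mp -KeyProtectorId $p.KeyProtectorId }
                    'AAD' { BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId }
                }
            }
        }
    }
}

# Usage (elevated): review the audit first, then dry-run the escrow with -WhatIf
# before letting it change protectors on a fleet.
Get-BitLockerAudit | Format-Table -AutoSize
Invoke-BitLockerRecoveryEscrow -EscrowTarget AD -WhatIf
```

The audit output is what to push into the fleet's reporting: any OS volume with ProtectionStatus On but HasRecoveryPassword False is exactly the laptop that will end up on a phone call reading out a 48-digit key after a TPM fault, and the escrow step is the part that keeps "who holds the recovery keys" a directory ACL question rather than a spreadsheet.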
akerl_ 2 hours ago

Managing an Apple fleet is similarly fine, and that includes using any of the MDM tooling that also does key escrow on enterprise FileVault devices.