Way to dual-boot MacOS without violating encryption requirements for GlobalProtect?

byte99 — Sat, 16 Mar 2024 04:30:06 GMT

I'm using a 27" i9 iMac running MacOS Monterey 12.7.3 with GlobalProtect VPN 5.2.12–26.

In order to connect with my organization's VPN, GlobalProtect requires my drive be fully encrypted. Normally that's not an issue, as my default is to do so, with FileVault.

However, a few months ago I was considering upgrading to Sonoma, and wanted to first test it on separate Container (MacOS's version of a partition) before upgrading my working system from Monterey. Even after ensuring that the Sonoma Container was fully encrypted (or, more precisely, that all relevant Volumes on the Sonoma container were encrypted), I got a message saying I couldn't connect to the VPN because of "Unencrypted Drive(s)". [See screenshot at bottom.] [Note: This is not the actual screenshot from when that happened; I didn't take one, and didn't want to re-install Sonoma just so I could get a screenshot. So I instead generated the error message by connecting an unencrypted external drive.]

I asked my IT dept. why I was getting this message, even though all my Containers are encrypted. They couldn't give me a rigorous technical answer, but said it's known behavior that dual-boot Macs (and possibly dual-boot computers generally—I forget) fail Global Protect's encryption check. I asked them why, and they said they weren't sure, but opined that, when you install a 2nd OS, this creates a Volume or Container that is of a qualitatively different nature than what's present with a single OS (maybe the system needs it to manage multiple OS's?), and that this added Volume/Container is (a) invisible to the user; (b) is not encrypted; and (c) cannot be encrypted.

This seems very strange, since Apple is very good about security and, as far as Apple is concered, my computer is fully encrypted when all Containers/Volumes are encrypted, even with a dual-boot system. So why is GlobalProtect saying it's not?

I don't know what's going on, but here are some possibilities:
(a) My computer is not fully encrypted when it's dual-boot, even if I've encrypted all Containers/Volumes, in which case there's a huge hole in Apple's security; or:

(b) My computer is fully encrypted (meaning there are no security vulnerabilties due to to inadequate encryption), in which case GlobalProtect is making a huge error in saying there are security issues with my encryption schema that necessitate blocking my access; or:
(c) There's nothing wrong with either MacOS or GlobalProtect; the issue is that whoever set up GlobalProtect in my organziation did not configure it properly; or
(d) There's nothing wrong with either MacOS or GlobalProtect; it's some other 3rd party security application that is making the incorrect determination about my computer's encryption status, and GlobalProtect is simply acting on that info.

Thus can someone please tell me what's actually going on, and whether there is a workaround for this that would enable me to dual-boot my Mac and still access my work's VPN?

topic Way to dual-boot MacOS without violating encryption requirements for GlobalProtect? in GlobalProtect Discussions

Way to dual-boot MacOS without violating encryption requirements for GlobalProtect?