25 July 2011

What you need to know about Undercover on Lion

Apple released Lion 5 days ago and many of our users have already upgraded their Macs or are planning to do so soon. In this post, we would like to address some common questions and misconceptions about Undercover on Lion.

Reinstalling on Lion
We recommend that all our users download Undercover 4.5 and run the installer, even if Undercover has been installed previously. This ensures you are running the very latest version. Reinstalling Undercover on a Mac will not use additional license seats if you have a household or site license.


FileVault 2
With OS X Lion comes FileVault 2, an update of Apple's data encryption program. With FileVault 2 enabled, a Mac cannot boot unless an admin password is entered. Therefore, third-party apps such as Undercover (and Undercover copycats) cannot run. In OS X Lion, you must choose between using FileVault 2 and having the chance to recover your Mac using Undercover. We are sorry to have to write this, but this is how Apple designed FileVault 2. If you want to continue using Undercover and data encryption is important to you, there are many other file encryption apps available.


Location menu item
In Lion, a new location menu is present in the upper right corner of the menubar (the arrow icon). This menu lists all apps that have accessed your location in the last 24 hours. Since Undercover uses location, it will show up there as well (under the uclocator name). If you think this menu gives a potential thief too much information, you can easily remove the menu item: drag the com.apple.locationmenu.plist file in /System/Library/LaunchAgents/ out of the LaunchAgents folder. You can always bring the menu item back by moving the plist file back to its folder.


Firmware password
Setting a firmware password will prevent thieves from formatting your startup disk, as the password is needed to boot from a disk other than your default startup disk. That's why we recommend setting a firmware password when using Undercover. You can access the firmware password utility in Lion by booting from the recovery partition.


Update: added information about the firmware utility on the Lion recovery partition. Thanks to everyone who pointed this out.

Update 2: corrected information on FileVault 2

29 comments:

Anonymous said...

Just wish to add that the firmware password utility is still present in OS X Lion through the recovery partition.
Boot in Lion recovery by holding Command+R at boot up. Then go to the menu bar and choose the Firmware password utility in the utilities menu.

Pl-Svn said...

... actually, on this new MBA that came with Lion factory installed, the location services icon just flashes very briefly and is not an issue as it was the sticky icon on my older MBA upgraded to Lion :-)

Percy said...

What file encryption apps do you recommend?

Peter Schols said...

@Percy: we don't use file encryption apps ourselves here, but Espionage is getting great reviews: http://www.macupdate.com/app/mac/29384/espionage

WJ said...

In System Preferences - Security & Privacy you can turn off uclocator without admin password. What to do?

little said...

Just wanted to check you are aware of this?
Since updating to 10.7.2, I'm getting a lot of these messages:
“uclocator” would like to use your current location.
Even though in system prefs it is set to allow.

Peter Schols said...

@Little: could you please contact support at orbicule? We will help you out asap.

Peter Schols
Orbicule

Anonymous said...

Could you follow up with what WJ said on 19 September, 2011? This does seem to be a security issue, no?

Anonymous said...

When trying to drag the com.apple.locationmenu.plist out of the LaunchAgents folder it only seems to allow for a copy rather than an actual move. Meaning the original .plist always stays there. I'm guessing this means the uclocator alert will still show up.

Peter Schols said...

@WJ: with Undercover 4.7 installed, turning off uclocator in the System Preferences will have no effect: Undercover will keep tracking location.

Only when location tracking is turned off completely will Undercover stop working. However, an admin password is needed to change this setting.

Peter Schols said...

@Anonymous (Oct 22nd): if you install Undercover 4.7, you'll no longer see the Core Location permission dialog.

Anonymous said...

Thanks Peter. I did just notice this. Only the arrow now.

Peter Schols said...

@Anonymous (Oct 26th): you should be able to first copy the plist and then delete the original. That should do the trick.

Jonathan said...

I see the statement that Undercover won't work with FileVault 2 under Lion, but I also see that this predates the re-introduction of the guest account in Lion 10.7.2. Will Undercover now work if the illicit user is using that guest account, which is confined to Safari?

Peter Schols said...

@Jonathan: If FileVault 2 is enabled, the guest account is loaded from the Lion recovery partition. Since this partition is read-only, Undercover - or any other third party software - cannot be installed on it. We are looking into this right now.

Anonymous said...

Hi,

I'm trying to decide what to do about the dummy/guest account with 10.7.2.

Should I remove the 'guest account' and add a dummy account as before? What do you suggest?

(An email response is appreciated: j(at)jvimages.com)

Peter Schols said...

If you don't have FileVault 2 enabled, creating a dummy account is the best thing to do.

Peter
Orbicule

Bobby Box said...

How do you create a dummy account?
OSX insists upon a password.
Thanks.

Robin.

Peter Schols said...

@Bobby Box: you will receive a warning, but it's still possible to create a dummy account without a password.

Iggy said...

Does the Undercover software for either the MacBook Pro or iPad (3rd Gen) have a keylogger feature that can be enabled?

Peter Schols said...

@Iggy: Undercover 4.x does not support key logging. Please keep an eye out for the upcoming Undercover 5.

Peter Schols
Orbicule

Anonymous said...

I created a dummy Standard account. Just called it MacBook and set the password to air.

In the password hint box I typed in: Password is air

So if someone does want to use my Mac after stealing it, hopefully they'll log into this at least once so I can get the location and snapshot.

Peter Schols said...

@Anonymous: sounds good. It would be even better to remove the password altogether. It's easier for the thieves to log in (most are really not that intelligent ;))

Mike said...

@Anonymous & @Peter:

Unfortunately, having a dummy account circumvents the encryption, as it's FULL Hard Disk encryption.

Each account that you authorize to login and decrypt the hard drive (including a dummy account) is then providing access to the entire drive to someone who has stolen your machine.

If you are going to leave a dummy guest account, you may as well disable FileVault 2!

Peter Schols said...

@Mike: that's true.

Anonymous said...

What happens if they format the computer?????

Peter Schols said...

You can prevent this by setting the firmware password, see above for more info about the firmware password.

Anonymous said...

Hi, someone said that if you activate the 'Find My Mac' on iCloud that you will get a guest account without password, and in this way you can use Undercover with FileVault 2. Or is this not true?

Peter Schols said...

That's incorrect, unfortunately. Undercover will not run on the unprotected guest account partition, as Apple does not allow this.