Question

10.13/10.4 SecureToken Active Directory Fun

  • March 12, 2019
  • 4 replies


Greetings,

Occasionally we run into an instance where a FileVault enabled AD user using a mobile account changes their password somewhere other than System Preferences.

FileVault expectedly falls out of sync, and we have a variety of workarounds, especially if the OLD password is working.

But many times it is not, and currently I have a system that will not generate a secure token for any user on the system. We've decrypted, updated to 10.14, and tried getting a new SecureToken by blasting the .AppleSetupDone file and creating a new account, but nothing gives in this instance, which is strange because, while it's a last resort, removing the AppleSetup file has worked in the past.

Any tips are appreciated (besides stop using AD binding lol)

4 replies

  • Author
  • Contributor
  • March 12, 2019

Just saw/trying this out

https://derflounder.wordpress.com/2019/02/10/re-syncing-local-account-passwords-and-secure-token-on-filevault-encrypted-macs-running-macos-mojave/


  • Valued Contributor
  • March 12, 2019

  • Author
  • Contributor
  • March 12, 2019

Nope. No users on the system have a secure token atm.
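The claim above ("no users on the system have a secure token") is something you can verify before reaching for the decrypt-and-re-encrypt route. The script below is an added example, not code from this thread or from Apple: it audits which FileVault-enabled accounts actually hold a SecureToken, so the out-of-sync mobile account is identified by name. The real data on a Mac comes from `fdesetup list` and `sysadminctl -secureTokenStatus`; the output formats for both are assumptions about those tools, and the sample inputs are constructed so the parsing logic runs anywhere.

```shell
#!/bin/bash
# Added example, not code from the thread: audit which FileVault-enabled
# accounts actually hold a SecureToken. On a Mac the inputs come from
#   fdesetup list                       -> one "user,UUID" line per FV user
#   sysadminctl -secureTokenStatus NAME -> "... Secure token is ENABLED for user NAME"
# Both output formats are assumed from the 10.13+ tools; the sample data
# further down is constructed so the logic runs on any POSIX system.

# Reduce one `sysadminctl -secureTokenStatus` output line to ENABLED/DISABLED.
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED for user "*)  echo ENABLED ;;
    *"Secure token is DISABLED for user "*) echo DISABLED ;;
    *)                                       echo UNKNOWN ;;
  esac
}

# Print the account names from `fdesetup list` output (user,UUID per line).
fv_enabled_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# Arguments: fdesetup output, then a "user STATE" report (one line per user).
# Prints every FileVault-enabled user whose SecureToken is not ENABLED: the
# out-of-sync state the thread describes, where the disk may still unlock for
# the user but no token exists to re-sync the password against.
find_token_gaps() {
  local fv_list="$1" report="$2" user state
  fv_enabled_users "$fv_list" | while IFS= read -r user; do
    state=$(printf '%s\n' "$report" | awk -v u="$user" '$1 == u { print $2; exit }')
    [ -n "$state" ] || state=UNKNOWN
    [ "$state" = ENABLED ] || printf '%s %s\n' "$user" "$state"
  done
}

# Build the "user STATE" report on a real Mac (needs an admin shell).
build_report_macos() {
  local user
  fdesetup list | awk -F, '{ print $1 }' | while IFS= read -r user; do
    printf '%s %s\n' "$user" \
      "$(secure_token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")"
  done
}

# Constructed sample: one local admin with a token, one AD mobile account without.
SAMPLE_FV_LIST='localadmin,11111111-2222-3333-4444-555555555555
jdoe,66666666-7777-8888-9999-000000000000'
SAMPLE_REPORT='localadmin ENABLED
jdoe DISABLED'

# Demo: on macOS replace SAMPLE_REPORT with "$(build_report_macos)".
echo "FileVault users lacking a SecureToken:"
find_token_gaps "$SAMPLE_FV_LIST" "$SAMPLE_REPORT"   # prints: jdoe DISABLED
```

On a Mac, run `find_token_gaps "$(fdesetup list)" "$(build_report_macos)"` from an admin shell. A user reported as UNKNOWN is one `fdesetup` lists but `sysadminctl` gave no readable answer for, which is worth checking by hand; if every FileVault user comes back DISABLED, as in this thread, there is no token holder left to grant one, and recovery goes through the escrowed key.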


bradtchapman
  • Valued Contributor
  • March 13, 2019

Yeah you’re pretty much screwed. Use the escrowed FV2 token to unlock the disk, decrypt, and reëncrypt.

You can keep binding to AD if you need to deploy wireless certificates to the computer. But for love of all that is holy: stop using network mobile accounts. Convert them to local and install NoMAD, Enterprise Connect, or Jamf Connect.