
Hi all, 

 

We have quite a weird recurring issue with 3 Mac devices. FileVault is set to enable via a configuration profile from UIE//ADE, and this has been working well since we introduced Jamf. We are, however, having issues where the Secure Tokens assigned to these users are being removed. I was wondering if this is something that anyone else has seen?

 

The accounts are mobile accounts from AD. All of the mobile accounts on the devices are struggling. The workaround currently is to sign in with the local account that was created for support (which has a Secure Token) and then log out. Short of disabling FileVault for these devices, is there anything else anyone can think of?

 

Thanks in advance!

FileVault for mobile accounts is somewhat sketchy. Have you considered using the macOS built-in Kerberos SSO tool to keep a local account for the user synchronized to their AD account password?


I must admit this is a question that has never been raised. I know that, moving forward, we are looking to implement Jamf Connect; however, there are some teething issues with it, i.e. it prompts for the Entra ID username and password, and then prompts for the local device password afterwards. I'm unsure whether this is the intended behaviour, as this is something that was touched by Professional Services during the initial setup but not developed further… Sadly, I don't currently have the time to throw at trying to get this set up, as I'm relatively new to Jamf myself. I can make an attempt to look into the Kerberos SSO tool in the meantime, though. Thanks for the response! 🙂


@chris.bates If you’re using Entra ID as your IdP, and your Mac environment is all macOS Sequoia, you should take a look at Platform SSO instead of Kerberos SSO.


Hi @chris.bates,

 

I am also facing the same issue, where the Secure Token is getting removed automatically.

 

I am also using mobile AD accounts, and it seems that when the AD password has been changed but the login password is still the old one (due to some issue), then we run into this problem.

We had to run the FileVault and Sync script and re-add the user in FileVault. Now, when we run this script, the user loses the Secure Token but the login password gets updated, so we have to enable the Secure Token for the user again, as it shows as disabled in Terminal.

Moving away from mobile AD accounts to standard accounts may resolve this issue.

 

Thanks.
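The two checks the thread keeps coming back to are "which FileVault users have lost their Secure Token" (the reply above) and "re-grant the token from the local support account that still holds one" (the original post's workaround). The script below is an added example written for this thread; it is not code from the thread, from Jamf or from Apple. It relies only on `fdesetup list` and `sysadminctl -secureTokenStatus` / `-secureTokenOn`, which exist on macOS; the file name, the `--audit`/`--grant`/`--demo` flags, the exit-status convention and the idea of feeding it to a Jamf extension attribute are assumptions of the example, and the sample `fdesetup`/`sysadminctl` output embedded in it is constructed so the parsing can be exercised without a Mac.

```sh
#!/bin/sh
# Added example, not code from the thread or from Jamf/Apple: audit which
# FileVault-enabled users are missing a Secure Token, and re-grant one from
# an admin account that still holds a token (the local support account the
# original poster uses as a workaround). Run as root on the Mac; the parsing
# helpers are plain text processing, so they also run without macOS.

# Constructed sample output (not captured from a real machine), used only
# for the offline demo.
SAMPLE_FV_LIST='alice,5A1F6C3E-0000-4000-8000-000000000001
support,5A1F6C3E-0000-4000-8000-000000000002'
SAMPLE_STATUS_ON='2024-05-01 09:12:33.101 sysadminctl[812:9001] Secure token is ENABLED for user support'
SAMPLE_STATUS_OFF='2024-05-01 09:12:34.220 sysadminctl[813:9004] Secure token is DISABLED for user alice'

# `fdesetup list` prints one "username,UUID" line per FileVault user;
# keep only the username and drop blank lines.
parse_fv_list() {
  sed -e '/^[[:space:]]*$/d' -e 's/,.*$//'
}

# Classify the message `sysadminctl -secureTokenStatus <user>` writes to
# stderr ("Secure token is ENABLED for user x" or "... DISABLED ...").
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Live query for one account (2>&1 because the message goes to stderr).
secure_token_status() {
  token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Print "user STATE" for every FileVault user; return 1 if any user lacks
# a token, so the script can drive a Jamf extension attribute or smart
# group (that use is an assumption of this example, not from the thread).
audit_tokens() {
  rc=0
  for user in $(fdesetup list | parse_fv_list); do
    state=$(secure_token_status "$user")
    printf '%s %s\n' "$user" "$state"
    [ "$state" = ENABLED ] || rc=1
  done
  return $rc
}

# Re-grant a token to $1 using admin $2. "-" makes sysadminctl prompt for
# each password, so nothing lands in shell history or Jamf policy logs.
# The password for $1 is the account's current *local* login password,
# which after a missed AD sync may differ from the AD password; $2 must
# already hold a Secure Token.
grant_token() {
  sysadminctl -secureTokenOn "$1" -password - \
              -adminUser "$2" -adminPassword -
  secure_token_status "$1"
}

# Offline demo on the constructed samples: prints the FileVault usernames
# followed by the parsed state of each sample message.
offline_demo() {
  printf '%s\n' "$SAMPLE_FV_LIST" | parse_fv_list
  token_state "$SAMPLE_STATUS_ON"
  token_state "$SAMPLE_STATUS_OFF"
}

# Usage: sudo sh secure_token_audit.sh --audit
#        sudo sh secure_token_audit.sh --grant alice support
#        sh secure_token_audit.sh --demo        (no macOS needed)
case "${1:-}" in
  --audit) audit_tokens ;;
  --grant) grant_token "$2" "$3" ;;
  --demo)  offline_demo ;;
esac
```

Running `--audit` right after the FileVault sync script described above shows immediately which mobile account came out of it without a token; `--grant` then restores it without ever typing a password on the command line. The check worth keeping in mind is the one in `grant_token`: the user password `sysadminctl` wants is the local login password, so on a mobile account whose local password never caught up with AD, the AD password will be rejected even though it is the "current" one from the user's point of view.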

 

 



This appears to be the answer; just set this up for a test group of devices. Easy enough to set up and it just… works… It’s great. Thank you!