Skip to main content
Solved

Filevault removing securetoken from users

  • July 10, 2025
  • 5 replies
  • 142 views
chris.bates
Forum|alt.badge.img+1

Hi all, 

 

We have quite a weird recurring issue with 3 mac devices. FileVault is set to enable via a configuration profile from UIE//ADE and this has been working good since we introduced Jamf. We are however having issues where the secure tokens assigned to these users are being removed? I was wondering if this is something that anyone else has seen?

 

The accounts a mobile accounts from AD. All of the mobile accounts on the devices are struggling. The workaround currently is to sign in with the local account that was created for support (has securetoken key) and then log out. Falling short of disabling FileVault for these devices, is there anything else any one can think of?

 

Thanks in advance!

Best answer by sdagley

@chris.bates If you’re using Entra ID as your IdP, and your Mac environment is all macOS Sequoia, you should take a look at Platform SSO instead of Kerberos SSO.

5 replies

sdagley
Forum|alt.badge.img+25
  • sdagley
  • Jamf Heroes
  • July 10, 2025

FileVault for mobile accounts is somewhat sketchy. Have you considered using the macOS built-in Kerberos SSO tool to keep a local account for the user synchronized to their AD account password?

chris.bates
Forum|alt.badge.img+1
  • chris.bates
  • Author
  • New Contributor
  • July 10, 2025

FileVault for mobile accounts is somewhat sketchy. Have you considered using the macOS built-in Kerberos SSO tool to keep a local account for the user synchronized to their AD account password?

 

I must admit this is a question that has never been raised. I know moving forward, we are looking to implement Jamf Connect; however, there are some teething issues with it, i.e. prompting for Entra ID username and password, and then prompting for local device password after. Unsure whether this is the intended behaviour, as this is something that was touched by Professional Services during initial setup, but not developed upon… Sadly, I don’t currently have the time to throw to try and get this set up, as relatively new to Jamf myself.  I can make an attempt to look into the Kerberos SSO tool, though, in the meantime. Thanks for the response! 🙂

sdagley
Forum|alt.badge.img+25
  • sdagley
  • Jamf Heroes
  • Answer
  • July 10, 2025

@chris.bates If you’re using Entra ID as your IdP, and your Mac environment is all macOS Sequoia, you should take a look at Platform SSO instead of Kerberos SSO.

mvu
chris.bates
sudhanshu521
Forum|alt.badge.img+1
  • sudhanshu521
  • Jamf Heroes
  • July 10, 2025

Hi ​@chris.bates ,

 

I am also facing the same issue where Secure Token is getting removed automatically. 

 

I am also using the Mobile AD account and it seems when AD password is changed but login password is still the old one due to some issue, then we are facing this issue.

We had to run FileVault and Sync script and re-add the user in FV. Now, when we run this script, user looses the secure token but login password gets updated. So we have to again enable the secure token for user as it shows Disable in terminal.

Moving away from Mobile AD accounts to Standards account maybe resolve this issue.

 

Thanks.

 

 

chris.bates
Forum|alt.badge.img+1
  • chris.bates
  • Author
  • New Contributor
  • July 10, 2025

@chris.bates If you’re using Entra ID as your IdP, and your Mac environment is all macOS Sequoia, you should take a look at Platform SSO instead of Kerberos SSO.

 

This appears to be the answer; just set this up for a test group of devices. Easy enough to set up and it just… works… It’s great. Thank you!

Terms & ConditionsCookie settingsAccessibility statement