
Hi everyone. Been testing High Sierra imaging (not DEP thin deployment), full imaging using the latest 17A405 installer, deploying the same applications as per our 10.12 imaging. Imaging, converting to APFS, encryption and AD bind work fine to the point I can log in with my AD account.
Problem is, once the Mac has been encrypted (takes a day to complete on a 2015 MacBook Air with 256GB SSD) and you enable the main admin account and other accounts, a mix of AD and local accounts, the encrypted users do NOT show in the FileVault login screen.
As suggested in other discussions, I have tried unbinding the Mac from AD and rebinding it, logging back into the accounts and then restarting. Still doesn't work.
Have removed the existing user (deleting accounts via System Preferences - Users & Groups) and then recreated the local accounts, logged in and encrypted them; same for AD accounts.
They still don't show in the FileVault login window.

we are running JAMF 9.101.0-t1504998263
macOS High Sierra 17A405

@jacomaree It does work quickly and effectively, however, this is obviously something broken on Apple's part. If you have support, I suggest getting a ticket open for them to "gauge the impact" for engineering purposes.


@easyedc I worked with Apple for nearly 6 weeks on this when High Sierra was released by supplying loads of logs and trying various config changes and this is still broken in 10.13.3...
It will seem that Apple don’t regard this as a priority, otherwise it would have been fixed in 10.13.1...


@easyedc wrote:

Just throwing my 2¢ into this. Seeing this for the first time as we do our initial 10.13 rollouts, and running
sudo diskutil apfs updatePreboot /
seemed to fix the issue for us. I was able to do this remotely through an SSH connection, did not have to be a) local b) using local account.



@jacomaree I need to add a signature to my profile to always add a line “please open a ticket with Apple...” Around here if something happens and the support team in question doesn’t have a ticket then it’s like it didn’t happen and they don’t care. I’m learning to take my own advice when it comes to Apple.


It will seem that Apple don’t regard this as a priority

...and hence my ticket comment to the group.


I reported this issue back in the betas prior to public release, finally after 10.3.2 we were able to come up with the workaround. Seems like 10.13.4 beta 3 addresses this, still need to test more.


Seems fusion drives aren't supported by APFS and cause the same issue without any of the fixes working. Has anyone seen this before I log an Apple ticket?


Does anyone have a DEP workflow working yet with APFS and FileVault? Everything works fine for us with HFS+. But with APFS we don't get the secure tokens being added to user accounts consistently. Is it just totally broken?

Our workflow would be something like this:
  1. Turn on machine - boots to Setup Assistant. Machine talks to DEP. First user logs in and creates local account and password.
  2. Configuration Profiles get pushed down to machine.
  3. PreStage also creates an admin account.
  4. FileVault gets turned on. Both of those accounts need FileVault secure tokens, but sometimes one account gets it and not the other.

Works perfectly with an HFS+ workflow but not with APFS. We just received a lot of laptops that are all in APFS format. It seems really sad to have to burn them down and reformat to HFS+ to make it all work correctly.


Still no joy on this - fresh install of 10.13 on a system, updated it to 10.13.4 and then enrolled in JAMF. Once encryption completed (via JAMF policy), the policy to add a FV2-enabled support account fired off. The account is created on the system but is not FV2-enabled.


OSX 10.13.4 will resolve this issue. Workaround with OSX 10.13.3 and below > Change user's default profile picture to one of the included images and reboot (don't know why this works)


I've been testing in 10.13.4 and the issue does not appear to be resolved. Still unable to make our admin account FV accessible without the messy process of adding the account and then running the above commands. Would love to get a nice GUI way of achieving this without having to run these commands from terminal. Anyone else found a better process?


thanks @easyedc this fixed it for me!
Going into the playbook and pinned in slack!


Make sure after FileVault is enabled you follow these instructions

  1. Login as admin local account
  2. Open System Preferences
  3. Open Security & Privacy
  4. Select FileVault - there should be a button at the bottom of the window that says "Allow Users". Any accounts added after FileVault was enabled need to be allowed here or they won't show up at the login screen.
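A quick way to check the state the thread describes (accounts that exist but are not FileVault-enabled), before reaching for the `diskutil apfs updatePreboot /` workaround or the "Allow Users" steps above. This is an added example, not code from the thread or from Jamf; it assumes `fdesetup list` prints one `username,GeneratedUID` line per FileVault-enabled user and that `sysadminctl -secureTokenStatus <user>` is available (10.13 and later). The sample `fdesetup` output and the expected-account list are constructed so the comparison can be exercised off-box; the live check only runs where `fdesetup` exists.

```bash
#!/bin/sh
# Added example (not from the thread): compare the accounts that should be
# able to unlock the disk against `fdesetup list`, and report the gaps.

# Constructed sample of `fdesetup list` output ("user,GeneratedUID" per line):
# only localadmin and jdoe have been enabled for FileVault.
SAMPLE_FDE_LIST='localadmin,A1B2C3D4-0000-0000-0000-000000000001
jdoe,A1B2C3D4-0000-0000-0000-000000000002'

# Accounts the imaging/DEP workflow expects to be FileVault-enabled (constructed).
EXPECTED_USERS='localadmin jdoe support adbind'

# missing_fv_users FDESETUP_OUTPUT "user1 user2 ..."
# Prints, space-separated, the expected users absent from the fdesetup output.
missing_fv_users() {
    _list="$1"
    _missing=""
    for _u in $2; do
        # Take the username before the comma and match it exactly (-x, fixed string -F).
        if ! printf '%s\n' "$_list" | cut -d, -f1 | grep -qxF -- "$_u"; then
            _missing="${_missing:+$_missing }$_u"
        fi
    done
    printf '%s' "$_missing"
}

# live_fv_check "user1 user2 ..."
# Runs only on macOS. Returns 0 when every expected account is FileVault-enabled,
# 1 when some are not (printing each one plus its secure-token status), 2 off-box.
live_fv_check() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found; this check only runs on macOS" >&2
        return 2
    fi
    _missing=$(missing_fv_users "$(fdesetup list)" "$1")
    if [ -z "$_missing" ]; then
        echo "all expected accounts are FileVault-enabled"
        return 0
    fi
    for _u in $_missing; do
        echo "NOT FileVault-enabled: $_u"
        # A user without a secure token cannot be enabled for FileVault on APFS.
        sysadminctl -secureTokenStatus "$_u" 2>&1
    done
    echo "Next steps from the thread: enable the accounts via Security & Privacy > FileVault"
    echo "(\"Allow Users\"), then run: sudo diskutil apfs updatePreboot /"
    return 1
}

# Offline demonstration on the constructed sample.
echo "missing from sample: $(missing_fv_users "$SAMPLE_FDE_LIST" "$EXPECTED_USERS")"
```

On a real machine, call `live_fv_check "localadmin jdoe support"` with your own account list; a non-zero exit is a convenient trigger for a Jamf policy or a Slack alert, since the login window itself gives no hint about which accounts were left out.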