I can also confirm it works in 10.13.5. Initially this didn't work, so I recreated the plist and added it back to the config profile, and now it works.
Thanks @mconners and @cubandave .
It sucks because I pointed out how stupid this was in the 10.13.4 beta to Apple Enterprise Support, and they told me that 10.13.5 fixed it, but 10.13.4 Final wasn't even released yet... pisses me off. I'm afraid we may not have any 'real' fix for 'SecureToken' and Mobile accounts until 10.14, which sucks since we have all hammered them on it since early 10.13.
I'm not sure what just happened. I was testing the config profile by @dpertschi but somehow I mis-scoped it, but before I realized that, I noticed that the newly DEP-provisioned machine with 10.13.5 didn't ask for the Secure Token. I tried to use multiple accounts, AD and local, and none of them showed the Secure Token thing. I double checked if the profile is installed, and it's not there, and just to be doubly sure, I wiped the machine, removed all scope on my config profile, reprovisioned it, and it still didn't ask for the Secure Token for any kind of user I logged in. Has anybody experienced this? Although it didn't ask for the Secure Token, all the users I logged in still have Secure Token disabled when I ran sysadminctl -secureTokenStatus username.
@Eigger one admin must have a secure token before that message comes up when creating AD mobile accounts. Run diskutil apfs listcryptousers /
What do you get?
@cubandave I get "No cryptographic users for disk1s1." Until now, I logged in other users and they all didn't show the SecureToken thing. Weird.
@Eigger
In that case you can enable SecureToken with the existing user, so long as they are admin:
sysadminctl -secureTokenOn <administrator user name> -password <administrator password> -adminUser <administrator user name> -adminPassword <administrator password>
You do not need to use the password in plain text; you can pass - instead, and sysadminctl will prompt for it.
More information is available with sysadminctl -help
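To turn the checks in this thread into something repeatable, here is an added shell script (not from any post above) that audits SecureToken state on a 10.13 Mac: it first asks whether the boot volume has any cryptographic users at all (the "No cryptographic users" case @Eigger hit means the SecureToken prompt will never appear for new accounts), then reports the per-user status from sysadminctl. The parsing helpers read command output from stdin so they can be exercised offline; the two sample outputs embedded below are constructed to match the formats quoted in the thread, and the `audit_secure_token` function is the only part that runs the real diskutil/sysadminctl/dscl commands.

```shell
#!/bin/sh
# Added example, not from the thread. Audits SecureToken holders on the APFS boot volume.
# Helpers take the tool's output on stdin so they can be tested without macOS.

# count_crypto_users: number of users listed by `diskutil apfs listCryptoUsers /`.
# Each user appears on a line starting with "+-- <UUID>"; the no-user case prints
# "No cryptographic users for diskXsY." and therefore counts as 0.
count_crypto_users() {
  grep -c '^+-- ' || true   # grep exits 1 on zero matches; still prints "0"
}

# has_crypto_users: exit 0 when at least one SecureToken holder exists.
has_crypto_users() {
  [ "$(count_crypto_users)" -gt 0 ]
}

# token_state: extract ENABLED/DISABLED from `sysadminctl -secureTokenStatus <user>`,
# which logs a line like "sysadminctl[PID:TID] Secure token is ENABLED for user Admin".
token_state() {
  sed -n 's/.*Secure token is \([A-Z]*\) for user .*/\1/p'
}

# Constructed sample outputs (not captured from a real machine) used for offline checks.
SAMPLE_NONE='No cryptographic users for disk1s1.'
SAMPLE_TWO='Cryptographic users for disk1s1 (2 found)
|
+-- 5B6D0D4B-0000-0000-0000-000000000001
|   Type: Local Open Directory User
|
+-- 5B6D0D4B-0000-0000-0000-000000000002
    Type: Local Open Directory User'
SAMPLE_STATUS='sysadminctl[310:4242] Secure token is ENABLED for user Admin'

# audit_secure_token: the real audit. Only meaningful on macOS 10.13+ with APFS.
audit_secure_token() {
  command -v diskutil >/dev/null 2>&1 || { echo "diskutil not found; not macOS" >&2; return 2; }
  if diskutil apfs listCryptoUsers / | has_crypto_users; then
    echo "Boot volume already has SecureToken holders; new admin/mobile accounts will be prompted."
  else
    echo "No SecureToken holders yet. Bootstrap one for an existing admin (passwords prompted, not on the command line):"
    echo "  sudo sysadminctl -secureTokenOn <admin> -password - -adminUser <admin> -adminPassword -"
  fi
  # Per-user status for every local account with a UID >= 500 (skips system accounts).
  for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    printf '%s: %s\n' "$u" "$(sysadminctl -secureTokenStatus "$u" 2>&1 | token_state)"
  done
}

# Offline self-check against the constructed samples; on a Mac, call audit_secure_token instead.
printf '%s\n' "$SAMPLE_NONE" | count_crypto_users   # 0
printf '%s\n' "$SAMPLE_TWO"  | count_crypto_users   # 2
printf '%s\n' "$SAMPLE_STATUS" | token_state        # ENABLED
```

Run `audit_secure_token` as root on the provisioned Mac; a count of 0 crypto users is the condition under which mobile-account creation silently skips the SecureToken dialog, and the printed sysadminctl line is the bootstrap step from @cubandave's reply with `-` in place of both passwords so nothing lands in shell history.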