We are working on getting FileVault enabled. I have the process working on several test Catalina devices. However, we have a single device that even though it prompts the user for their password to enable FileVault, it never actually enables. One thing I have noticed that is unique on this one device is that there are 3 partitions,
while all the others that do not have trouble have 2 partitions.
Could this be the issue? Or is there something else going on?
One thing I just realized... the other devices I have tested on so far came with Catalina pre-installed. The one device that is giving me trouble, had Mojave installed and was upgraded to Catalina prior to me trying to enable FileVault... I"m not sure if that makes a difference.
Does the user account being used to enable FileVault have a Secure Token?
diskutil apfs listcryptousers /
dscl . list /Users GeneratedUID
If not, you'll see the error you described (and I ran into previously).
@jtrant There is not a SecureToken assigned to the user. The only SecureToken is assigned to the "admin" user account. What do I need to do to fix this?
This means the 'admin' user is the only account that can grant Secure Tokens and/or enable FileVault. Logging in and back out as the 'admin' user should successfully begin FileVault encryption.
You should also enable the additional users in the FileVault tab under Security & Privacy (while logged in as admin) as this will grant them a Secure Token.
I finally got it working. Thanks for pointing me in the right direction. I had to log into the admin account and run the following command:
$sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenOn "$username" -password "$user_password"Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.