Skip to main content
Question

Unable to login after upgrading MacOS Ventura with FileVault enabled

  • February 13, 2023
  • 3 replies
  • 84 views
abbiksaha_18
Forum|alt.badge.img+2

Hello,

As a part of the security compliance, we have all our JAMF enrolled Mac devices enabled with FileVault encryption. However, it is noticed on MacOS Ventura that with FileVault encryption enabled we are unable to login with any secondary or mobile account.

The login is only working fine with the primary account login.

As a workaround we can disable FileVault encryption by adding the systems into the exclusion list, but that can be a threat to the devices. 

Can anyone please help with any suggestion on this? Does the FileVault encryption policy require any extra payloads pre/post-defined? 

Thanks in advance.

    3 replies

    T
    Forum|alt.badge.img+19
    • Tribruin
    • Honored Contributor
    • February 13, 2023

    How are the Secondary accounts being created? Accounts needed to be granted a secure token to be able to login in to a computer with FileVault. The first account to LOG IN TO THE COMPUTER is automatically granted a secure token. That is not always the first account created on the computer. (For example if you create and Administrator in a PreStage enrollment.). 

    If your computer is enrolled in Jamf, it will also have a Bootstrap token. Any user that logs in at an O/S login screen (not the Filevault screen) will be granted a secure token and the ability to unlock FileVault the next time the computer is reboot. But that is a chicken-egg scenerio as you need a user who can login to FileVault to unlock the drive, before you can grant another secure token. (There are other ways to grant a secure token, but it typically requires command line access.) 

    What is your use case for an account, other than the primary account having the ability to unlock FileVault. In most cases, the answer is usually "password resets". In that case, the better option is use the FileVault Personal Recovery Key (which you are hopefully escrowing in Jamf as part of your FileVault profile.) Boot to recovery and do a password reset on the user's account. 

    Having a "backdoor" admin account with a SecureToken is a security risk. If you are like most organizations, the password for this account is the same on all computers and is known to a number of people. If that account had the ability to boot to any computer, then, if that password was ever compromised, anyone could log in to any of your corporate computers.  Having to retrieve a PRK from Jamf is at least a hinderance. 

    abbiksaha_18
    Forum|alt.badge.img+2
    • abbiksaha_18
    • Author
    • New Contributor
    • February 16, 2023

    How are the Secondary accounts being created? Accounts needed to be granted a secure token to be able to login in to a computer with FileVault. The first account to LOG IN TO THE COMPUTER is automatically granted a secure token. That is not always the first account created on the computer. (For example if you create and Administrator in a PreStage enrollment.). 

    If your computer is enrolled in Jamf, it will also have a Bootstrap token. Any user that logs in at an O/S login screen (not the Filevault screen) will be granted a secure token and the ability to unlock FileVault the next time the computer is reboot. But that is a chicken-egg scenerio as you need a user who can login to FileVault to unlock the drive, before you can grant another secure token. (There are other ways to grant a secure token, but it typically requires command line access.) 

    What is your use case for an account, other than the primary account having the ability to unlock FileVault. In most cases, the answer is usually "password resets". In that case, the better option is use the FileVault Personal Recovery Key (which you are hopefully escrowing in Jamf as part of your FileVault profile.) Boot to recovery and do a password reset on the user's account. 

    Having a "backdoor" admin account with a SecureToken is a security risk. If you are like most organizations, the password for this account is the same on all computers and is known to a number of people. If that account had the ability to boot to any computer, then, if that password was ever compromised, anyone could log in to any of your corporate computers.  Having to retrieve a PRK from Jamf is at least a hinderance. 


    Hello Tribruin,

    Thanks for the reply.

    Our scenario is as below.

    Mac has local account created on initial setup FileVault is enabled so the local account already has access to FileVault account.

    We logout of the local account and then allow the user to login using domain credentials at which point we are prompted to enter the existing FileVault user account (local account). This allows the new user to get a secure token and is then able to login on the FileVault login screen.

    This process has been going wonderfully for us in MacOS Mojave till MacOS Monterey, but recently when we upgrade or clean wipe machine to MacOS Ventura and then follow through with the usual process and the user is able to login for the first, second time. But after a day or so when they try to login they get stuck on the login screen with the progress bar on 70% completion. The only resolution for me is to remove FileVault on the machine after which the user is able to login to the machine.

    We have also checked the following to confirm that the user has the secure token and comes back with "Secure token is ENABLED for user"

     

    sudo sysadminctl interactive -secureTokenStatus username

     

    R
    Forum|alt.badge.img+14
    • rnoureddine
    • Contributor
    • May 3, 2023

    We ran into the same issue and discovered that this issue mostly happens with users who have received a computer upgrade and had their accounts transferred thru migration assistant. 

    We have tried everything from disabling FileVault for that specific user and re-enabling it to a bunch of other stuff and the only thing that worked every single time was:

    • Login to local admin
    • Navigate to System Preferences > Users & Groups.
    • Select the user's account and click the minus sign [ - ] to remove.
      When prompted, select "Don't change the home folder" YOU MUST SELECT THIS OPTION!
    • Navigate to /Users and rename the old home folder
      For example, previous username was jdoe and new: the folder will appear as jdoe (Deleted), rename to Joe
    • Add new mobile user account
      sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
    • If working remotely cache the user's password in terminal or macOS won't let you login
      login username
    • Add new username to admin group via Terminal
      sudo dseditgroup -o edit -a USERNAME -t user admin
    • Log out of local admin.
    • Log in with mobile account (You might get prompted for local admin account to enable FileVault for the mobile account user.)

    Hope this helps

     

    Terms & ConditionsCookie settingsAccessibility statement