Question

Unable to start FileVault

  • June 20, 2024
  • 3 replies
  • 80 views


I have an asset that was auto-enrolled via Jamf Connect. However, the asset did not do the FileVault encryption even though the policy is there. I opened up a ticket with the to resolve the problem on the new devices. However, I still have a few devices lingering with FileVault not enabled.

I just tried to manually enable one of these assets and then cycle the key. However, it is not letting me.

When I tried with my account, it doesn't take my password or the admin password. If I do it under a user's account, it asks for the admin password and the same thing: it doesn't look like it takes.

This is on an M2 with Ventura (13.6.5).

I know this has to do with the Secure Token not being enabled for the account. Not sure how to fix this. Any help greatly appreciated.


3 replies

AJPinto
  • Legendary Contributor
  • June 20, 2024

Even though this is not likely related, your first step needs to be getting that device up to 14.5. Running N-1 and N-2 builds of macOS is never a good idea.


The only way to get a Secure Token is from an account that has a Secure Token. However, an admin logging in to macOS interactively should receive a Secure Token automatically. You can script the granting of a Secure Token if you know the username AND password of an account with a Secure Token. Though, scripting passwords is very insecure.


For enabling FileVault, don't have Jamf Connect do it. You need to be enabling FileVault with a Configuration Profile from Jamf Pro (or another MDM); this won't resolve any Secure Token issues, but it will make other things work better.


easyedc
  • Esteemed Contributor
  • June 24, 2024

Have you checked if you have a Bootstrap Token? If so, that would enable you to generate the Secure Token. Apple has some documentation here:

If not granted a secure token at time of creation, in macOS 11 or later, a local user logging in to a Mac computer is granted a secure token during login if a bootstrap token is available from the MDM solution. Use sysadminctl -h for additional usage instructions.

You can do a quick check on Bootstrap Token status, which will help you get a Secure Token, by running some commands.

sudo profiles status -type bootstraptoken
sudo profiles validate -type bootstraptoken
sudo profiles install -type bootstraptoken

And if all else fails, wipe and reload.

Jamf should have a line entry for your Mac if the Bootstrap Token is escrowed (Inventory Tab > Security). I also have an EA running to check which users have a Secure Token:

#!/bin/bash
# Secure Token Enabled Users.sh
#
# Created by Ed C on 7/13/21.
#
# Jamf Extension Attribute: lists every local (non-service) account that
# holds a Secure Token. Uses bash arrays and [[ ]], so the shebang is bash.

SecureTokenUsers=()

# dscl lists all local users; the grep drops the _service accounts.
AllUsers=$(dscl . list /Users | grep -v _)

for EachUser in $AllUsers; do
    # sysadminctl writes its status line to stderr, hence 2>&1.
    TokenValue=$(sysadminctl -secureTokenStatus "$EachUser" 2>&1)
    echo "Checking $EachUser"
    if [[ $TokenValue = *"ENABLED"* ]]; then
        SecureTokenUsers+=("$EachUser")
    fi
done

if [[ ${#SecureTokenUsers[@]} -eq 0 ]]; then
    echo "<result>No Users</result>"
else
    # One <result> tag with the users comma-separated, e.g. <result>edc,admin</result>
    echo "<result>$(IFS=,; echo "${SecureTokenUsers[*]}")</result>"
fi
exit 0
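As an added example (not code from the thread, from Jamf or from Apple), here is a readiness check that pulls the three things discussed in this reply together: whether a Bootstrap Token is escrowed (profiles status -type bootstraptoken), which local accounts hold a Secure Token (sysadminctl -secureTokenStatus), and the current FileVault state (fdesetup status). The sample command outputs embedded in it are constructed to match the shape of the real tools' output rather than captured from a machine, and the next_action recommendations are an assumption of mine drawn from the replies above (Bootstrap Token available means an interactive login by a local admin should grant a token; no token and no Bootstrap Token means re-escrow or wipe and re-enroll). The parsing is split into functions so it can be exercised on any system; the live audit at the end only runs where the macOS tools exist and should be run with sudo.

```shell
#!/bin/sh
# fv_readiness.sh (added example, not from the thread)
# Audits the three conditions that decide whether FileVault can be turned on:
#   1. Bootstrap Token escrowed to the MDM   (profiles status -type bootstraptoken)
#   2. local accounts holding a Secure Token (sysadminctl -secureTokenStatus)
#   3. current FileVault state               (fdesetup status)
# Parsing lives in small functions that work on any system; the live audit at
# the bottom runs only where the macOS tools exist. Run with sudo on a Mac.

# --- constructed sample outputs (shaped like the real tools, not captured) ---
SAMPLE_PROFILES_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_PROFILES_MISSING='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_TOKEN_ENABLED='2024-06-20 09:14:02.118 sysadminctl[812:9912] Secure token is ENABLED for user edc'
SAMPLE_TOKEN_DISABLED='2024-06-20 09:14:02.201 sysadminctl[813:9915] Secure token is DISABLED for user helpdesk'
SAMPLE_FDE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'edc'."

# Prints yes/no: did `profiles status -type bootstraptoken` report escrow?
bootstrap_escrowed() {
    if printf '%s\n' "$1" | grep -q 'escrowed to server: YES'; then
        echo yes
    else
        echo no
    fi
}

# Prints ENABLED, DISABLED or UNKNOWN for one sysadminctl -secureTokenStatus
# output (sysadminctl writes it to stderr, hence the 2>&1 in the live section).
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Prints On, Off, Deferred or Unknown from `fdesetup status` output.
# Deferred is matched first because fdesetup also prints "FileVault is Off."
# while a deferred enablement is pending.
filevault_state() {
    case "$1" in
        *"Deferred enablement"*) echo Deferred ;;
        *"FileVault is On"*)     echo On ;;
        *"FileVault is Off"*)    echo Off ;;
        *)                       echo Unknown ;;
    esac
}

# Turns the three parsed states into the next step for the technician.
# $1 bootstrap escrowed (yes/no)  $2 comma list of Secure Token holders  $3 FileVault state
# The mapping is this example's assumption, based on the advice in the thread.
next_action() {
    if [ "$3" = On ]; then
        echo "FileVault already on; nothing to do"
    elif [ -n "$2" ]; then
        echo "Secure Token holder(s) $2 present: enable FileVault with an MDM configuration profile"
    elif [ "$1" = yes ]; then
        echo "No Secure Token holder, but Bootstrap Token is escrowed: an interactive login by a local admin should grant one"
    else
        echo "No Secure Token holder and no Bootstrap Token: re-escrow (sudo profiles install -type bootstraptoken) or wipe and re-enroll"
    fi
}

# Live helper: comma-separated list of non-service local users holding a Secure Token.
list_secure_token_users() {
    holders=""
    for u in $(dscl . list /Users | grep -v '^_'); do
        if [ "$(secure_token_state "$(sysadminctl -secureTokenStatus "$u" 2>&1)")" = ENABLED ]; then
            holders="${holders:+$holders,}$u"
        fi
    done
    echo "$holders"
}

# Live audit: only where the macOS tools exist (silently skipped elsewhere).
if command -v sysadminctl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    bt=$(bootstrap_escrowed "$(profiles status -type bootstraptoken 2>&1)")
    holders=$(list_secure_token_users)
    fv=$(filevault_state "$(fdesetup status 2>&1)")
    echo "Bootstrap Token escrowed: $bt"
    echo "Secure Token holders:     ${holders:-none}"
    echo "FileVault:                $fv"
    echo "Next action: $(next_action "$bt" "$holders" "$fv")"
fi
```

On a Mac, `sudo sh fv_readiness.sh` prints the three states and the suggested next step; elsewhere only the functions are defined, which is what makes the parsing testable against the constructed samples. The sysadminctl timestamp prefix and the exact wording of the fdesetup lines are the parts most likely to drift between macOS versions, so the matchers deliberately key on short fixed substrings rather than whole lines.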