Users added to File Vault but don't show up to unlock it.

  • November 14, 2017
  • 15 replies
  • 69 views

AD Users.

So I have seen this issue on a few of my machines, where the user is authorized to unlock the machine from FileVault but on restart only the local admin is showing up.

Turning FileVault off and back on for the user I want to be able to get in does work. But that's like a day-long process.

Anyone else have any thoughts?

Best answer by jalcorn (the reply marked Answer below).

15 replies

  • New Contributor
  • November 15, 2017

We had the same issue on a machine that was upgraded to High Sierra. I know this sounds odd, but we discovered that changing the user's account icon then rebooting did the trick.


  • Contributor
  • November 15, 2017

Saw this on macadmins.slack.com yesterday:

sudo diskutil apfs updatePreboot /

Resolved the issue for someone there.


  • Author
  • Valued Contributor
  • Answer
  • November 15, 2017

OK, figured it out by looking at a lot of other forums, mostly this one below:

https://www.jamf.com/jamf-nation/discussions/25692/high-sierra-10-13-encrypted-users-not-showing-at-filevault-login-screen

I needed to do the following to make it work with an AD account.

  • First I ran sudo sysadminctl -secureTokenStatus [username] to make sure it was coming back as disabled.

Then I ran
sudo rm /var/db/.AppleSetupDone

Restart the computer. This gave me an admin with a secure token. With that I ran

sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenOn "$username" -password "$user_password"

In this context, $username (and their password $user_password) is the user you want to provide a secure token to. The $GUIAdmin is an administrator that was created either via a DEP workflow or through the GUI. As has been explained to me, in order to provide a secure token to a user, the account you’re doing this from needs to have a secure token as well.

Thanks to babodee for the above

After that I restarted the Mac and it didn't see the AD user, even though the user now had the token and was no longer showing up as someone who couldn't unlock FileVault.

Then, with what @koalatee gave me, I ran

sudo diskutil apfs updatePreboot /

and we were up and running.
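The sequence in this answer (check the token, grant it from a token-holding admin, then refresh the Preboot volume and confirm the user is FileVault-enabled), written up as an added example script; it is not the thread's or anyone's posted script, and the function and variable names are assumptions. It expects to be run as root on macOS; only the output parser runs anywhere else.

```bash
#!/bin/bash
# Added example (not from the thread): verify/grant a Secure Token, then refresh
# the APFS Preboot volume so the user appears on the FileVault unlock screen.
set -u

# sysadminctl -secureTokenStatus writes a line like
# "sysadminctl[...] Secure token is ENABLED for user jdoe." (to stderr).
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

secure_token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Grants <user> a token using <admin>, which must already hold one (the thread's
# "the account you're doing this from needs a secure token" rule). Returns 0 on success.
ensure_secure_token() {
  local user="$1" user_pw="$2" admin="$3" admin_pw="$4"
  if [ "$(secure_token_status "$admin")" != enabled ]; then
    echo "admin $admin has no Secure Token; cannot grant one" >&2
    return 1
  fi
  if [ "$(secure_token_status "$user")" = enabled ]; then
    return 0   # nothing to do
  fi
  # Note: passwords passed as arguments are visible in the process list while this runs.
  sysadminctl -adminUser "$admin" -adminPassword "$admin_pw" \
              -secureTokenOn "$user" -password "$user_pw"
  [ "$(secure_token_status "$user")" = enabled ]
}

# Rewrite the Preboot volume so the unlock screen lists every FileVault-enabled
# user, then confirm <user> is in fdesetup's "name,UUID" list.
refresh_preboot_and_verify() {
  local user="$1"
  diskutil apfs updatePreboot / >/dev/null || return 1
  fdesetup list | cut -d, -f1 | grep -qx "$user"
}

# Usage (as root): ./fv_token.sh <user> <user_pw> <admin> <admin_pw>
# ensure_secure_token "$1" "$2" "$3" "$4" && refresh_preboot_and_verify "$1"
```

If refresh_preboot_and_verify fails after a successful grant, the user has a token but is not yet a FileVault user; fdesetup add is the separate step that enables them.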



Issue still resides in OS 10.13.2. Confirmed that changing the user image and restarting corrected the issue for us.


  • Contributor
  • March 23, 2018

@stelteritadmin I tried many of the above steps to fix this issue on 10.13.3; your suggestion worked perfectly. I had the AD users select an image for their account... done!


  • Contributor
  • March 23, 2018

BTW, I finagled/updated @mario's script and you can run it straight from Self Service. You input the existing secure token username/password and the logged-in user's password, and then it enables the secure token, runs updatePreboot, and adds the user to FileVault.

High Sierra User Setup


  • New Contributor
  • March 26, 2018

Confirming that selecting an account image works. Now the question is, can I enforce a default profile pic for all new users? I've never thought to look into it, but this crazy solution has me thinking.



I just tested the account image and that fixes it. Anyone know of a way to push out a default profile picture? I can only find out how to do it when setting up a new admin account.



Is it only one of the default account images? On 10.13.4 and have a user that already has a custom icon, but we are in the same boat.


  • New Contributor
  • August 23, 2018

@jalcorn worked like a charm! Thank you for figuring this out!!


donmontalvo
  • Hall of Fame
  • November 1, 2018

We have a ticket with Apple, where if the first account created on the computer has a Secure Token and you hide the account, it breaks Secure Token. Unhiding the account fixes the problem. Apple is checking whether hiding a Secure Token enabled account is supposed to break Secure Token for that user.


  • New Contributor
  • November 1, 2018

@donmontalvo How were you hiding it?

I noticed the same by changing the UserShell to /usr/bin/false, though I hadn't tried unhiding it to see if its status was restored.

I'm still at a loss for an automated workflow to enable one standard account for FileVault use only on 10.14. The best we could do so far was turn on GUI account creation, force a reboot at login with a startup script, then log into the standard account that JAMF created and run the Self Service policy that prompts the user for the passwords so that the GUI admin account can grant a token and enable FileVault. Then restart again and run another policy that removes the SecureTokenGrantingAccount from FileVault and then changes the shells to false for both that account and the FileVaultUnlock account.

We need an automated way for the JSS service account to be granted a token while still keeping its password random and unknown to all users and techs.


  • New Contributor
  • December 2, 2019

Thanks @koalatee, updating the Preboot worked great. Do you think there is any harm in doing this site-wide via shell on all my FileVault computers? I have a localadmin account that does not show up on most vaulted computers despite my UserPolicy change that should have made that happen.


  • Contributor
  • December 2, 2019

Nope, no harm. It just verifies that the users who can unlock FileVault are showing up properly on the FV auth screen.


donmontalvo
  • Hall of Fame
  • December 2, 2019

@KrisMallory sorry, totally missed your post. We are using Apple's newest method:

https://support.apple.com/en-us/HT203998

But we are only doing it once an approved user is FileVault 2 enabled.

The Apple ticket was to sort out if the disable when hiding part is intentional or an issue.

HTH,
Don