08-28-2023 11:30 PM - edited 08-28-2023 11:34 PM
Hi
We have a customer with managed Apple MacBook Pro 16" (M2 Pro, 32GB, 512GB).
As a backup solution they use the Synology Active Backup for Business solution with the Mac agent.
I face problems with the creation of the hidden user, which is needed for backup tasks, etc.
URL: https://kb.synology.com/en-me/DSM/tutorial/Backup_failed_because_of_hidden_user_issues
The creation of this hidden user fails when the password of a FileVault-enabled user is needed.
Steps I tried already are:
- Changing the user password to a simple one (No special characters only letters and numbers)
- Used administrator account with FileVault transferred token.
- Tried the root account with FileVault transferred token.
I didn't disable FileVault, as this would be my last option.
Did somebody face this problem or a similar one? Does someone have a suggestion?
Thank you
Kind regards
Daniel
Posted on 10-03-2023 02:27 AM
Hi
I was finally able to solve the issue.
The Agent from Synology runs a script. That script creates a hidden user with a hidden password. That hidden password didn't meet the complexity requirement from the Jamf Now policy. Once I edited the policy to not include symbols, everything worked as expected.
Kind regards
Daniel
Posted on 08-29-2023 05:14 AM
You probably need to reach out to the vendor for advice and guidance. This sounds like a quirk or issue with their application, not with macOS or JAMF. They are probably needing to get past disk encryption, which is a lot easier said than done.
FileVault uses tokens, and there are only a couple of ways to get a FileVault Token.
I am guessing the issues you are seeing involving FileVault involve the application needing a FileVault/Secure Token. The only way to grant a FileVault/Secure Token is if you know the username and password of an Account that already has a FileVault/Secure Token.
Posted on 08-29-2023 05:27 AM
Hello AJ
The logged-in user has a secure token. The application tells me to enter the credentials of a FileVault-enabled user.
On a machine without enabled remote management it works fine. Only with Jamf managed devices it doesn't work.
Synology said it's an issue with Jamf. You tell me it's an issue with Synology.
I will disable FileVault and test it again. If the creation of the user still fails, I know it's an issue with Synology. If it works, I know it's an issue with FileVault or Jamf.
Kind regards
Daniel