10.11.6 AD Password Change Issues

andrew_nicholas
Valued Contributor

I've noticed an issue with 10.11.6 machines that have AD mobile accounts and FV2 enablement where the FV2 password doesn't sync with a system driven PW change until a fresh log in is performed. This happened next to never before 10.11.6, but since that update I seem to have had a number of users report not being able to login to their machines unless they use their previous password, and then there is a lag until they log in from a clean login screen and perform the keychain password update. Has anyone seen anything similar? My testing of 10.12.1 does not appear to demonstrate this issue.


AVmcclint
Honored Contributor

Come to think of it, I have seen a greater lag with syncing the FV password since going to 10.11.6. Before 10.11.6, as long as users properly changed their password via System Preferences > Users & Groups, then waited 30 seconds or so, then restarted the computer, it would accept their new password at the FV login. Since 10.11.6, I've had a couple of users go DAYS before the passwords sync up, no matter how long they wait or how many times they restart their computers. It took 2 full weeks to sync for one user! So far I'm just living with it, since there's no way to force it to sync other than using fdesetup to remove a user from FV and then re-add them with their new password.

mlavine
Contributor

I can assure you that this is a longstanding issue with FileVault, at least the first part of your post. What you are describing is perfectly normal. Whenever a user resets their password I always instruct them to log out, then back in, then restart, so I can be sure that the change took.

I might know what is causing the other part of your problem, the part about some password never syncing.

I found that if the key for "DestroyFVKeyOnStandby" is enabled then there are some issues syncing the passwords.

Open System Information on one of the afflicted Macs and look at what MCX keys are being applied and check if that key is enabled.

Here is some more info on the bug:
http://www.openradar.me/16410396

andrew_nicholas
Valued Contributor

I agree, the problem's definitely well known, but it just seems so much more prevalent in 10.11.6. The account password and FV password do sync if they perform a login while on a wired connection from the main login screen, but it's pretty problematic for remote users and those who only want to use wireless. Thanks for that bug report!

andrew_nicholas
Valued Contributor

So I just realized fdesetup has a sync flag to synchronize FV2 user info. Not sure if this will help but I'll create a script and enable in SS as a test for users who may experience the issue. If it works well I may just add it into the regular inventory update.
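Added example (not code from this thread or from Jamf): a small POSIX shell audit helper covering the two checks raised above, whether the DestroyFVKeyOnStandby power setting is in effect on the Mac (the key mlavine suggests looking for) and whether a given account actually appears in the FileVault-enabled user list, which is the thing worth verifying before and after trying `fdesetup sync`. The parsers take command output as a string, so the script runs offline on constructed sample output on any system and only calls `pmset -g` and `fdesetup list` when it is actually running on macOS. The sample output and the user name `jdoe` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits two things the thread
# discusses: the DestroyFVKeyOnStandby setting and FileVault user enablement.

# Parse `pmset -g` output (passed as $1). Prints the DestroyFVKeyOnStandby
# value, or 0 when the key is absent (pmset omits it when it is not set).
destroy_fv_key_enabled() {
    printf '%s\n' "$1" | awk '
        $1 == "DestroyFVKeyOnStandby" { found = 1; print $2 }
        END { if (!found) print 0 }'
}

# Parse `fdesetup list` output (passed as $1, one "user,UUID" per line).
# Succeeds (exit 0) when the account named in $2 is FileVault-enabled.
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { ok = 1 } END { exit !ok }'
}

# Constructed sample output, shaped like the real commands' output, so the
# script (and its checks) can run on a machine without pmset/fdesetup.
SAMPLE_PMSET='System-wide power settings:
Currently in use:
 standby               1
 DestroyFVKeyOnStandby 1
 hibernatemode         3'
SAMPLE_FV_LIST='admin,ABCD1234-0000-0000-0000-000000000001
jdoe,ABCD1234-0000-0000-0000-000000000002'

# Prints a short report for one account, using live output on macOS and the
# constructed samples elsewhere. Returns 0 if the user is FV-enabled, 1 if not.
audit_fv_user() {
    user="$1"
    if [ "$(uname)" = "Darwin" ] && command -v fdesetup >/dev/null 2>&1; then
        pmset_out=$(pmset -g)
        fv_list=$(fdesetup list 2>/dev/null)
    else
        pmset_out=$SAMPLE_PMSET
        fv_list=$SAMPLE_FV_LIST
    fi

    if [ "$(destroy_fv_key_enabled "$pmset_out")" = "1" ]; then
        echo "DestroyFVKeyOnStandby is enabled: the FV key is dropped on standby (the thread associates this with sync problems)"
    else
        echo "DestroyFVKeyOnStandby is not enabled"
    fi

    if fv_user_enabled "$fv_list" "$user"; then
        echo "$user is in the FileVault user list"
        return 0
    fi
    echo "$user is NOT in the FileVault user list; the account cannot unlock the disk"
    return 1
}

audit_fv_user jdoe
```

Run it as a normal user to read the report; `fdesetup list` itself needs root on a real Mac, so a deployed version would run from a management policy. Treating the parsers as pure functions of command output is what makes the checks repeatable and testable, which is exactly what the thread says the sync behaviour is not.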

AVmcclint
Honored Contributor

@andrew.nicholas I've been told repeatedly that the fdesetup sync does NOT do what you'd think it does. I've had minor success in running that command but nothing that I can say was repeatable and reliable in these situations. For all I know, any successes were purely coincidental.

bentoms
Release Candidate Programs Tester

andrew_nicholas
Valued Contributor

As expected, the sync command did not offer a solution, but in testing I've come to see that the AD password change and FV2 login screen sync issue does actually appear to be present in 10.12.1 as well.

Another thing I noticed is that this problem may also affect local accounts. I've been testing the use of local accounts and the pwpolicy command and .plist to enforce similar requirements to those of our AD, and the sync issue appears with these accounts as well when using 10.11.6, however not with 10.12.1. I've filed a bug report just in case, but I'm curious if anyone else might have experienced something similar with local accounts.