Help

10.13/10.4 SecureToken Active Directory Fun

rcurran
Contributor

Posted on ‎03-12-2019 10:40 AM

Greetings,

Occasionally we run into an instance where a FileVault enabled AD user using a mobile account changes their password somewhere other than System Preferences.

FileVault expectedly falls out of sync, and we have a variety of workarounds, especially if the OLD password is working.

But many times it is not, and currently I have a system that will not generate a secure token for any user on the system. We've decrypted, updated to 10.14, and tried getting a new SecureToken by blasting the .AppleSetupDone file and creating a new account but nothing gives in this instance, which is strange because while its a last resort, removing the AppleSetup file has worked in the past.

Any tips are appreciated (besides stop using AD binding lol)

4 REPLIES 4

rcurran
Contributor

Posted on ‎03-12-2019 10:55 AM

Just saw/trying this out

https://derflounder.wordpress.com/2019/02/10/re-syncing-local-account-passwords-and-secure-token-on-filevault-encrypted-macs-running-macos-mojave/

0 Kudos

sshort
Valued Contributor

Posted on ‎03-12-2019 11:04 AM

Do you have a local user with secureToken? https://github.com/ducksrfr/mac_admin/blob/master/scripts/Mojave_FileVault_Sync.sh

0 Kudos

rcurran
Contributor

Posted on ‎03-12-2019 11:06 AM

Nope. No users on the system have a secure token atm.

0 Kudos

bradtchapman
Valued Contributor II

Posted on ‎03-13-2019 02:12 PM

Yeah you’re pretty much screwed. Use the escrowed FV2 token to unlock the disk, decrypt, and reëncrypt.

You can keep binding to AD if you need to deploy wireless certificates to the computer. But for love of all that is holy: stop using network mobile accounts. Convert them to local and install NoMAD, Enterprise Connect, or Jamf Connect.

0 Kudos