10.13/10.4 SecureToken Active Directory Fun

rcurran
Contributor

Greetings,

Occasionally we run into an instance where a FileVault enabled AD user using a mobile account changes their password somewhere other than System Preferences.

FileVault expectedly falls out of sync, and we have a variety of workarounds, especially if the OLD password is working.

But many times it is not, and currently I have a system that will not generate a secure token for any user on the system. We've decrypted, updated to 10.14, and tried getting a new SecureToken by blasting the .AppleSetupDone file and creating a new account, but nothing gives in this instance, which is strange because, while it's a last resort, removing the AppleSetup file has worked in the past.

Any tips are appreciated (besides stop using AD binding lol)


rcurran
Contributor

Just saw/trying this out

https://derflounder.wordpress.com/2019/02/10/re-syncing-local-account-passwords-and-secure-token-on-filevault-encrypted-macs-running-macos-mojave/

sshort
Valued Contributor

rcurran
Contributor

Nope. No users on the system have a secure token atm.
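An added example, not written by any poster in this thread: a small audit script that answers the question raised here ("does anyone on this Mac still hold a SecureToken?") in one pass, so you can confirm the situation before decrypting. It parses the status line printed by `sysadminctl -secureTokenStatus`, walks every local account with a UID of 500 or above, and finishes with `fdesetup list` so you can compare token holders against FileVault-enabled users. It assumes macOS 10.13 or later with `sysadminctl`, `dscl` and `fdesetup` available; the user names in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit SecureToken holders on a Mac.
# Assumes macOS 10.13+ with sysadminctl, dscl and fdesetup on the PATH.

# Classify one line of `sysadminctl -secureTokenStatus <user>` output.
# sysadminctl writes "Secure token is ENABLED for user <name>" (or DISABLED)
# to stderr, so callers capture it with 2>&1.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;   # e.g. unknown user
    esac
}

# Count ENABLED entries in a list of states (one per line on stdin).
# grep -c exits 1 when nothing matches but still prints 0, so keep going.
count_enabled() {
    grep -c '^ENABLED$' || true
}

# Walk every local account with UID >= 500 and report its SecureToken state,
# then list FileVault-enabled users. Returns success only if at least one
# account holds a token (the case this thread is missing).
audit_secure_tokens() {
    enabled=0
    # `dscl . -list /Users UniqueID` prints "<name> <uid>" per line.
    for user in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
        state=$(secure_token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
        printf '%-20s %s\n' "$user" "$state"
        [ "$state" = ENABLED ] && enabled=$((enabled + 1))
    done
    echo "SecureToken holders: $enabled"
    echo "FileVault-enabled users (fdesetup list):"
    fdesetup list
    [ "$enabled" -gt 0 ]
}

# Only run the live audit where the macOS tools exist (e.g. constructed user
# "rcurran" would show as ENABLED or DISABLED on a real machine).
if command -v sysadminctl >/dev/null 2>&1; then
    audit_secure_tokens
fi
```

Run it with `sudo sh audit.sh`; if it reports `SecureToken holders: 0` while `fdesetup list` is empty, there is no token-holding account left to grant tokens with, which is the state described above and the reason the escrowed recovery key becomes the only way forward.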

bradtchapman
Valued Contributor II

Yeah you’re pretty much screwed. Use the escrowed FV2 token to unlock the disk, decrypt, and reëncrypt.

You can keep binding to AD if you need to deploy wireless certificates to the computer. But for love of all that is holy: stop using network mobile accounts. Convert them to local and install NoMAD, Enterprise Connect, or Jamf Connect.