10.13.2 - Add management account to FV broken

dcgagne
Contributor

In a not entirely unexpected event, the Jamf policy to add the management account to FileVault no longer works on APFS volumes. Executing the policy shows the following in the terminal with verbose output:

Error: Added users failed error. Error adding user to FileVault: Added users failed error.

It's odd this ever worked on APFS in the first place. The management account would previously be added and show on the preboot screen, but when you checked the token status with "sysadminctl -secureTokenStatus $jamfmanagement" it would show as not authorized.

Looks like the loophole has been closed.


dgreening
Valued Contributor II

I am pretty astounded that not a whole lot of High Sierra specific functionality to address changes made by Apple has made its way into Jamf... You can however use sysadminctl to grant the management user a secureToken, and by doing that, enable them for FileVault.

Taylor_Armstron
Valued Contributor

@dgreening ... can you elaborate on how to use sysadminctl to add the mgmt account to FV? Looking at doing that, and we're still on 10.12 FWIW, so no issue with this update breaking it at the moment.

dcgagne
Contributor

That would certainly do it. In our environment we would only enable the management account on demand to manipulate FileVault without user intervention. But thanks to secure token that is effectively a dead procedure for APFS volumes.

@Taylor.Armstrong

The account can be added from another account that already has a secure token assigned. I have a thread here that covers the process through a scripted event that prompts for credentials. Unfortunately this can't be automated unless you have a known account with a known password consistent across your environment.

dgreening
Valued Contributor II

That would be something like this:

#!/bin/sh
# Grant a secure token to the management user (manuser) using the credentials of an
# account that already holds one (techuser); replace all four values with your own.
# Passwords passed as arguments are visible in the process list while the command runs.
sysadminctl -adminUser techuser -adminPassword techpassword -secureTokenOn manuser -password manuserpassword

You have to use the credentials of a user which already has a secureToken (this is going to be the 501 user on new High Sierra installs) to grant additional users secureTokens. After you grant additional users secureTokens, those additional users should be able in turn to grant secure tokens to other users.
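An added example (not from this thread or from Jamf) that wraps the same sysadminctl call with a status check before and after the grant, so the token is only granted when the management user lacks one and the result is verified. It assumes the "Secure token is ENABLED/DISABLED for user" wording that sysadminctl -secureTokenStatus prints on 10.13, and uses placeholder account names and environment variable names of my own choosing.

```shell
#!/bin/sh
# Added example, not the thread's script. Check a user's secure token state,
# grant a token only when missing, and verify the grant afterwards.

# Classify the text printed by `sysadminctl -secureTokenStatus <user>`.
# sysadminctl writes a line such as "Secure token is ENABLED for user x"
# to stderr. Prints ENABLED, DISABLED or UNKNOWN.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Live query of one user's token state (macOS only, run as root).
query_token() {
    token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# grant_token <tokenholder> <tokenholder_pw> <target> <target_pw>
# Uses an account that already holds a secure token to grant one to the
# target, then re-checks the state. Returns 0 only if the target ends up
# ENABLED. The passwords are visible in `ps` while sysadminctl runs, which is
# one reason the thread notes this is hard to automate safely.
grant_token() {
    admin="$1"; admin_pw="$2"; target="$3"; target_pw="$4"
    if [ "$(query_token "$target")" = ENABLED ]; then
        echo "$target already has a secure token"
        return 0
    fi
    sysadminctl -adminUser "$admin" -adminPassword "$admin_pw" \
        -secureTokenOn "$target" -password "$target_pw" 2>&1
    [ "$(query_token "$target")" = ENABLED ]
}

# Top level: only on macOS and only when the caller set the (placeholder)
# variables TECH_USER, TECH_PW, MGMT_USER and MGMT_PW.
if [ "$(uname)" = Darwin ] && [ -n "$TECH_USER" ]; then
    grant_token "$TECH_USER" "$TECH_PW" "$MGMT_USER" "$MGMT_PW"
fi
```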

Taylor_Armstron
Valued Contributor

Appreciate it. Think we can make it work for our needs with a little bit of intervention for some remote sites.