10.14.4 Update - Active Directory Password/Filevault Syncing Fixes & Improvements

Contributor III

Hey Guys,

I wanted to share some of my testing results around password fixes in the Mojave 10.14.4 Update.

The Mojave 10.14.4 update was pretty big because it finally fixed some serious Active Directory password syncing problems in 10.14.0. The problems were serious enough that companies started to move away from Active Directory Mobile Accounts to Local Accounts. The problems actually started in 10.13.0 High Sierra but were made even worse once 10.14 was released.

10.14.0-10.14.3 Issues.

1 - If you changed your AD password outside the Mac the following would happen.

A. Your FileVault password would never sync. You would have to boot up the system with your old password.
B. Your Offline Cached Password would never sync. When away from the Directory only your old password would let you log in. Once you logged in with your old password your keychain would be out of sync.

2 - If you forgot your AD password

A. The system could never sync your password again. You would be forced to boot the system with the Recovery Key.
B. If that user was the only SecureToken user on the system you didn't have any options to fix the problem.
C. If you had a SecureToken Admin on the system you were forced to do the following: remove and re-add the user's SecureToken, or use fdesetup to turn off then back on FV2 enablement for that account.

As you can see this is a complete mess. No wonder everyone is moving away from Mobile Accounts.
The good news is all of the above items are now fixed in macOS Mojave 10.14.4!!!
In the same update a funny thing happened, password resets for Local Accounts booting from the Recovery Key to the login window broke! Local Accounts are not as invincible after all! ;)

If you would like to dive deeper into these fixes and how they work I put together an article for each situation.

1 - If you changed your AD Password outside of the Mac, it will now sync properly to the local offline cache and FileVault.

2 - If you forgot your AD password, macOS can now sync your new AD password down to FileVault! This is a brand new feature!

3 - 10.14.4 breaks Local Account Password resets at the login window booting from the Recovery Key.
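To make the 2C situation above easier to spot before a user is locked out, here is a small audit script I'm adding as an example (it is not from the original post and not an Apple or Jamf tool). It classifies one account by the two things that matter for FileVault syncing, whether the user is in the FileVault user list and whether the account holds a SecureToken, and prints, without running them, the two remediation routes described above. `fdesetup list`, `fdesetup remove`/`add`, `sysadminctl -secureTokenStatus`, `-secureTokenOff` and `-secureTokenOn` are real macOS commands; the SAMPLE_* strings are constructed stand-ins for their output so the parsing can be exercised off a Mac.

```shell
#!/bin/sh
# Added audit helper (example code, not from the original post).
# Reports whether an account is FileVault-enabled and holds a SecureToken,
# and prints (does not run) the remediation routes described in the post.
# The SAMPLE_* values below are constructed, not captured from a real Mac.

SAMPLE_FDESETUP_LIST='admin,11111111-2222-3333-4444-555555555555
jdoe,66666666-7777-8888-9999-000000000000'
SAMPLE_TOKEN_STATUS='Secure token is DISABLED for user jdoe'

# is_fv_enabled USER LIST_OUTPUT: succeed if USER appears in `fdesetup list`
# output, which is one "username,UUID" line per FileVault-enabled account.
is_fv_enabled() {
    printf '%s\n' "$2" | grep -q "^$1,"
}

# securetoken_state STATUS_OUTPUT: normalise `sysadminctl -secureTokenStatus`
# output to ENABLED, DISABLED or UNKNOWN.
securetoken_state() {
    case "$1" in
        *ENABLED*)  echo ENABLED ;;
        *DISABLED*) echo DISABLED ;;
        *)          echo UNKNOWN ;;
    esac
}

# account_status USER LIST_OUTPUT STATUS_OUTPUT: classify the account.
#   OK           FileVault-enabled and holds a SecureToken
#   NO_TOKEN     FileVault-enabled but no SecureToken (FV password will not sync)
#   NOT_FV_USER  not in the FileVault user list at all
#   UNKNOWN      token status could not be parsed
account_status() {
    if ! is_fv_enabled "$1" "$2"; then
        echo NOT_FV_USER
        return 0
    fi
    case "$(securetoken_state "$3")" in
        ENABLED)  echo OK ;;
        DISABLED) echo NO_TOKEN ;;
        *)        echo UNKNOWN ;;
    esac
}

# remediation_plan USER ADMIN: print, but do not run, the two routes from the
# post. Both require an existing SecureToken admin (ADMIN) on the machine.
remediation_plan() {
    cat <<EOF
# Route 1: remove and re-add the user's SecureToken
sysadminctl -secureTokenOff $1 -password - -adminUser $2 -adminPassword -
sysadminctl -secureTokenOn  $1 -password - -adminUser $2 -adminPassword -
# Route 2: turn FileVault enablement off and back on for the account
fdesetup remove -user $1
fdesetup add -usertoadd $1
EOF
}

# audit_user USER: live query on a Mac (needs root for fdesetup list),
# constructed samples everywhere else.
audit_user() {
    user="$1"
    if command -v fdesetup >/dev/null 2>&1; then
        list="$(fdesetup list)"
        token="$(sysadminctl -secureTokenStatus "$user" 2>&1)"
    else
        list="$SAMPLE_FDESETUP_LIST"
        token="$SAMPLE_TOKEN_STATUS"
    fi
    account_status "$user" "$list" "$token"
}
```

Run it as root on the Mac with `audit_user jdoe`; a `NO_TOKEN` result is the 2C case, and `remediation_plan jdoe admin` shows the commands to review before you touch the account.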


New Contributor III

This is great news!
Hope the fix survives the next updates...

Contributor III

Yes, this is why testing in Beta releases is so important. Things can break between releases as we found with the local account password function breaking.

I think the biggest test will come in 10.15. Will all of the mechanisms still work? This is exactly what happened from 10.12 to 10.13: everything that had to do with Active Directory straight up did not work properly. Things were not really fixed until 10.13.4.

I just hope these fixes stand until the end of Mojave's release!

The only way to know for sure is to dig in and do some serious testing when 10.15 beta 1 hits.