!!!A Reliable FIX!!! for FileVault 2 Password Sync Issue.....

kishoth_p
New Contributor III

Hi All,

This worked for me...Hence I am sharing this to all the admins out there who is looking for a permanent solution of never ending AD Password Sync Issue with FileVault..
First let's spit the scenarios..
Scenario 1 (Mac User who is aware of his/her old AD password) FV2 Enabled
Scenario 2(Mac User who is not aware of his/her old AD password) FV2 Enabled

Scenario 1:-
(Mac User who is aware of his/her old AD password) FV2 enabled

Step 1 - Check the Securetoken status of the AD Mobile Account sysadminctl -secureTokenStatus username_goes_here
If it's disabled follow this article to enable the secure token https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/
By any chance if you receive any Operation not permitted error while enabling securetoken. Simply go to system preferences>Security & privacy > Unlock using admin credentials > Select Filevault > You will notice the following Alert "Some users are not able to unlock the disk |Enable Users|" Click Enable Users. It will pass the securetoken to ADmob account successfully.

Step 2 - Once the Securetoken is enabled for AD Mobile Account, execute the below commands
sudo fdesetup list | grep $USER #where $user is the name of the user out of sync
It will return

USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
then copy the long UUID and enter:

diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return Passphrase successful.

If you receive any further errors, please post here I will look into it and help you further.

Step 3 - Perform a restart and check whether the new password is updated and you are able to login.

Step 4 - If the above 3 steps didn't fix the issue. Please inform the user to drive back to office > connect the mac to enterprise (LAN) network by which it will communicate to the AD Domain Controllers & servers. This step is very important

Step 5 - Launch Self Service & run the AD UnBind Policy to remove the mac from the AD domain FYR....(The script is one liner "/usr/sbin/dsconfigad -remove -username "NotReal" -password "NotReal" -force")

Step 6 - Scope the AD Bind policy and run it from self service. Note:- Add the following command "sleep15 && sudo pkill loginwindow" under Files & Processes. The policy will first bind the mac to AD and immediately logs out.
Please leave the macbook connected to LAN port at login screen for 15-30 min depending on your DC geolocation and mac location. The password sync will try to re-attempt and it should get updated at the backend.

Step 7 - Then check out for any lockouts of the user AD account and try logging in with the new password.. It should definitely go through and the system will prompt for 2 options Create New Keychain or Update Keychain Password... Please select "Create New Keychain" your login will succeed.

Step 8 - Once you have logged in, please lock the mac and try unlocking using the new password. By which you will have the confirmation that password sync is updated on keychain level.

Step 9 - Perform a restart and verify the same. Now the FileVault 2 will be aware of your new password and it should go through without any issues.

By following the above steps I was able to resolve one of the user FV2 password sync issue which was pending for close to 6-7 months...I wish it will work for you as well..Let me know your attempt status..

Scenario 2(Mac User who is not aware of his/her old AD password) FV2 Enabled

I have copied the same step from Step 4 to 9... Please follow the same and let me know if you face any issues..

Step 1 - Please inform the user to drive back to office > connect the mac to enterprise (LAN) network by which it will communicate to the AD Domain Controllers & servers.

Step 2 - Launch Self Service & run the AD UnBind Policy to remove the mac from the AD domain FYR....(The script is one liner "/usr/sbin/dsconfigad -remove -username "NotReal" -password "NotReal" -force")

Step 3 - Scope the AD Bind policy and run it from self service. Note:- Add the following command "sleep15 && sudo pkill loginwindow" under Files & Processes. The policy will first bind the mac to AD and immediately logs out.
Please leave the macbook connected to LAN port at login screen for 15-30 min depending on your DC geolocation and the mac location the password sync will try to re-attempt and it should get updated at the backend.

Step 4 - Check out for any lockouts of the user AD account and try logging in with the new password.. It should definitely go through and the system will prompt for 2 options Create New Keychain or Update Keychain Password... Please select "Create New Keychain" your login will succeed.

Step 5 - Once you have logged in, please lock the mac and try unlocking using the new password. By which you will have the confirmation the password sync is updated.

Step 6 - Perform a restart and verify the same. Now the FileVault 2 will be aware of your new password and it should go through without any issues.

Regards, Kishoth P

23 REPLIES 23

obi-k
Valued Contributor III

This helped us. Thank you so much.

**Step 2 - Once the Securetoken is enabled for AD Mobile Account, execute the below commands
sudo fdesetup list | grep $USER #where $user is the name of the user out of sync
It will return

USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
then copy the long UUID and enter:

diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return Passphrase successful.**

Matt_Ellis
Contributor II

Honestly, unless you have a very very good reason to bind macs to AD don't. If you are using Azure AD look at JAMF Connect it will solve all these problems as well.

Jamftechelp
New Contributor II

Thank you so much ! Its worked for me as well.
Now i created self service policy for whom FileVault password is out of Sync.

#/bin/bash
#Get the current user details 

currentUser=$(who | awk '/console/{print $1}')

#Get the user UUID number 

userNameUUID=$(dscl . -read /Users/$currentUser/ GeneratedUID | awk '{print $2}')

#Get the user's Old password  

oldPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your Old login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

#Get the user's New password  

newPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your New login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

diskutil apfs changePassphrase disk1s1 -user $userNameUUID -oldPassphrase $oldPass -newPassphrase $newPass

sudo jamf recon

easyedc
Valued Contributor II

+1 for not binding and relying on a tool like Apple's Enterprise Connect if you're on local AD or Jamf Connect if you're Azure AD. Binding is a big bag of hurt and Apple has recommended not using it for at least as far back as 5 years. Go to your infosec and make them really justify why. Remember, these aren't windows boxes.

dgreening
Valued Contributor II

@easyedc "Remember, these aren't windows boxes." As if that ever resonated at orgs that are Windows heavy... "Why can't Macs just work like Windows machines??"

Scelza
New Contributor

@Jamftechelp This helped immensely! The only changes I made to it are adding quotes around the password variables because if a user has a space in one of their passwords, it will be interpreted as another piece of the diskutil command and error out.

-oldPassphrase "$oldPass" -newPassphrase "$newPass"

 

roach
New Contributor III

@Jamftechelp Have you run this on M1 silicon yet? I am getting an error message:

Changing passphrase for cryptographic user 0000000-00000-000 on APFS Volume disk1s1
Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593)

 FileVault is encrypted. Would it be referring to one of the partitions not being encrypted?Screen Shot 2022-03-30 at 1.06.02 PM.png

stevewood
Honored Contributor II
Honored Contributor II

@roach 

The script has a hardcoded value for the disk identifier. You would want to verify that is the proper identifier for an M1. On my two M1 devices 'disk1s1' is not present, and instead the APFS container that holds "Macintosh HD" and "Data" is 'disk3'. So 'disk3s1' might work for my machines, but I would not hard code that value. You should find a way to programmatically determine which APFS container (and volumes) are encrypted.

Ideally you would begin unbinding your devices from AD and deploy Jamf Connect or NoMAD, especially given the upcoming Microsoft patch in July that will break binding.

roach
New Contributor III

@stevewood 

I double checked the disk identifier for "Macintosh HD - Data" on the last 2 MacBook Pros (Intel) I ran a similar script (see below) on, and they were both 'disk1s1'. My own MacBook Pro (Intel) is 'disk1s6'.

I came up with this: 

 

 

#Get the Disk identifier
diskName=$(diskutil list | awk '/Macintosh HD - Data/{print $NF}')


diskutil apfs changePassphrase $diskName -user $userNameUUID -oldPassphrase $oldPass -newPassphrase $newPass

 

 

I ran it without errors but it didn't work. Not to make this convoluted, but I prefer a similar script from:https://community.jamf.com/t5/jamf-pro/filevault-not-syncing-ad-password/m-p/121380/highlight/true#M... which is the one I ran on the Intels. It double checks your new password, and it gives you a confirmation if the password sync is successful. I did post on that thread, but no one responded.
I plugged in my get disk identifier with this script, but I get this error:

 

 

Could not find disk for -user
HELPER=0Exit Code: Password could not be changed. Is the old password correct?

 

 




 

stevewood
Honored Contributor II
Honored Contributor II

@roach 

Well, you did half the leg work, actually more than half. Try this for finding the identifier:

diskName=$(diskutil list | grep 'Macintosh HD' | awk {'print $NF'})

The method you had did not provide any output when I ran it on my M1 device. 

easyedc
Valued Contributor II

So in the past you had to pay for tools like Enterprise Connect or Jamf Connect.  Now that Apple's basically taken Enterprise Connect and baked it into the OS with Kerberos SSO, that's a simple win.  It can handle password synchronization for you with ease. Follow the instructions doc that Apple has and throw that into your JSS.  Works pretty well. We haven't moved to full Azure AD so paying for Jamf Connect isn't necessary for us yet.  

pc
New Contributor

This worked for me. Plus ensure that the localadminname has securetoken access.

sysadminctl -secureTokenOff username -password - -adminUser localadminname -adminPassword -
sysadminctl -secureTokenOn username -password - -adminUser localadminname -adminPassword -
reboot

With these commands, you will be prompted for the username password and the localadminname password to complete the task.
 

sharif_khan
Contributor II

Hi @kishoth_p 

I am getting following error when I ran @Jamftechelp's script. I also tried with the command: 

diskutil apfs changePassphrase disk1s1 -user "UUID" -oldPassphrase "old Password" -newPassphrase "newPass" from terminal got same error: Changing passphrase for cryptographic user "UUID which get from step 2 command" on APFS Volume disk1s1 Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593). I also ran Step 1 command and confirmed that Secure token is ENABLED for user who I am trying to change password. BTW for your information I implemented NoMad and NoMad Login and our machines are not bind.

 

So PLease suggest on this how we can workable to synch local Password & Filevault password with AD after change passowrd. Please help me.

I have seen the same thing on newer Apple Silicon hardware where they use an APFS container instead of just the simple partition formats.  It seems that might only work on older formatting types.  

Others seem to use fdesetup to remove and then re-add the user and they said that will resync but I haven't tested this yet.

sudo fdesetup remove -user SHORTNAME

sudo fdesetup add -usertoadd SHORTNAME

 

rstasel
Valued Contributor

omg, I think this just solved an issue we'd been having without bind even in the mix... 

sharif_khan
Contributor II

I fix this issue in our environment.

johntgeck
Contributor

Super helpful! We just rolled FV2 out in our district and I've seen a couple one-off issues with AD binding / password syncing with Enterprise Connect. These instructions fixed the issue for me. Thanks!

Edu
New Contributor

But the solution indicated here is the definitive solution and when the password is changed again, the problem does not occur again?
or every time the password is changed the problem occurs again and you have to do what is indicated here again.

amendoza1011
New Contributor

I keep getting another option and I'm not sure what to do

The default interactive shell is now zsh.

To update your account to use zsh, please run `chsh -s /bin/zsh`.

For more details, please visit https://support.apple.com/kb/HT208050.

Computer Name:~ username$ diskutil apfs changePassphrase disk1s1 -user,83F498FD-8F34-4C0B-812B-6CC05FEC180F

Usage:  diskutil apfs changePassphrase|changeCryptoUserPassphrase|passwd

        <apfsVolumeDisk> -user disk|<cryptoUserUUID>

        [-oldPassphrase <passphrase> | -oldStdinpassphrase]

        [-newPassphrase <passphrase> | -newStdinpassphrase]

        where <apfsVolumeDisk> = APFS Volume DiskIdentifier

              <cryptoUserUUID> = user whose passphrase to change

              <oldPassphrase> = existing password (else interactive prompt)

              <newPassphrase> = new password (else interactive prompt)

Change the passphrase of an existing cryptographic user; you can specify

"disk" for the "Disk" user.

Ownership of the affected disks is required.

Example:  diskutil apfs changePassphrase disk5s1 -user <UUID>

stevewood
Honored Contributor II
Honored Contributor II

You appear to have a comma between -user and the user ID. Try removing that comma. 

diskutil apfs changePassphrase disk1s1 -user 83F498FD-8F34-4C0B-812B-6CC05FEC180F

I got the same response after I removed the comma. I'm unsure if something changed with Ventura because I'm on an M2 Mac.

Last login: Wed Aug  9 07:28:35 on ttys000

computer name ~ % diskutil apfs changePassphrase disk1s1 -user 83F498FD-8F34-4C0B-812B-6CC05FEC180F

Usage:  diskutil apfs changePassphrase|changeCryptoUserPassphrase|passwd

        <apfsVolumeDisk> -user disk|<cryptoUserUUID>

        [-oldPassphrase <passphrase> | -oldStdinpassphrase]

        [-newPassphrase <passphrase> | -newStdinpassphrase]

        where <apfsVolumeDisk> = APFS Volume DiskIdentifier

              <cryptoUserUUID> = user whose passphrase to change

              <oldPassphrase> = existing password (else interactive prompt)

              <newPassphrase> = new password (else interactive prompt)

Change the passphrase of an existing cryptographic user; you can specify

"disk" for the "Disk" user.

Ownership of the affected disks is required.

Example:  diskutil apfs changePassphrase disk5s1 -user <UUID>

computer name ~ %

stevewood
Honored Contributor II
Honored Contributor II

I would verify you have the right UUID for a cryptographic user and volume ownership. The following DataJAR articles talks about how:

https://support.datajar.co.uk/hc/en-us/articles/4409474136465-Verifying-cryptographic-users-and-volu...

 

mdepaauw
New Contributor

We use this script like this and this is how it works Universal (Intel and ARM) in our environment 

#/bin/bash
#Get the current user details

currentUser=$(who | awk '/console/{print $1}')

#Get the user UUID number

userNameUUID=$(dscl . -read /Users/$currentUser/ GeneratedUID | awk '{print $2}')

#Get DiskInfo

diskNumber=$(diskutil apfs list| grep "APFS Container Reference:" |awk '{print$4}')

#Get the user's Old password

oldPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your Old login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

#Get the user's New password

newPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your New login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

diskutil apfs changePassphrase $diskNumber"s1" -user $userNameUUID -oldPassphrase $oldPass -newPassphrase $newPass

jamf recon