Skip to main content
Question

!!!A Reliable FIX!!! for FileVault 2 Password Sync Issue.....

  • April 9, 2021
  • 24 replies
  • 623 views
K
Forum|alt.badge.img+3

Hi All,

This worked for me...Hence I am sharing this to all the admins out there who is looking for a permanent solution of never ending AD Password Sync Issue with FileVault..
First let's spit the scenarios..
Scenario 1 (Mac User who is aware of his/her old AD password) FV2 Enabled
Scenario 2(Mac User who is not aware of his/her old AD password) FV2 Enabled

Scenario 1:-
(Mac User who is aware of his/her old AD password) FV2 enabled

Step 1 - Check the Securetoken status of the AD Mobile Account sysadminctl -secureTokenStatus username_goes_here
If it's disabled follow this article to enable the secure token https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/
By any chance if you receive any Operation not permitted error while enabling securetoken. Simply go to system preferences>Security & privacy > Unlock using admin credentials > Select Filevault > You will notice the following Alert "Some users are not able to unlock the disk |Enable Users|" Click Enable Users. It will pass the securetoken to ADmob account successfully.

Step 2 - Once the Securetoken is enabled for AD Mobile Account, execute the below commands
sudo fdesetup list | grep $USER #where $user is the name of the user out of sync
It will return

USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
then copy the long UUID and enter:

diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return Passphrase successful.

If you receive any further errors, please post here I will look into it and help you further.

Step 3 - Perform a restart and check whether the new password is updated and you are able to login.

Step 4 - If the above 3 steps didn't fix the issue. Please inform the user to drive back to office > connect the mac to enterprise (LAN) network by which it will communicate to the AD Domain Controllers & servers. This step is very important

Step 5 - Launch Self Service & run the AD UnBind Policy to remove the mac from the AD domain FYR....(The script is one liner "/usr/sbin/dsconfigad -remove -username "NotReal" -password "NotReal" -force")

Step 6 - Scope the AD Bind policy and run it from self service. Note:- Add the following command "sleep15 && sudo pkill loginwindow" under Files & Processes. The policy will first bind the mac to AD and immediately logs out.
Please leave the macbook connected to LAN port at login screen for 15-30 min depending on your DC geolocation and mac location. The password sync will try to re-attempt and it should get updated at the backend.

Step 7 - Then check out for any lockouts of the user AD account and try logging in with the new password.. It should definitely go through and the system will prompt for 2 options Create New Keychain or Update Keychain Password... Please select "Create New Keychain" your login will succeed.

Step 8 - Once you have logged in, please lock the mac and try unlocking using the new password. By which you will have the confirmation that password sync is updated on keychain level.

Step 9 - Perform a restart and verify the same. Now the FileVault 2 will be aware of your new password and it should go through without any issues.

By following the above steps I was able to resolve one of the user FV2 password sync issue which was pending for close to 6-7 months...I wish it will work for you as well..Let me know your attempt status..

Scenario 2(Mac User who is not aware of his/her old AD password) FV2 Enabled

I have copied the same step from Step 4 to 9... Please follow the same and let me know if you face any issues..

Step 1 - Please inform the user to drive back to office > connect the mac to enterprise (LAN) network by which it will communicate to the AD Domain Controllers & servers.

Step 2 - Launch Self Service & run the AD UnBind Policy to remove the mac from the AD domain FYR....(The script is one liner "/usr/sbin/dsconfigad -remove -username "NotReal" -password "NotReal" -force")

Step 3 - Scope the AD Bind policy and run it from self service. Note:- Add the following command "sleep15 && sudo pkill loginwindow" under Files & Processes. The policy will first bind the mac to AD and immediately logs out.
Please leave the macbook connected to LAN port at login screen for 15-30 min depending on your DC geolocation and the mac location the password sync will try to re-attempt and it should get updated at the backend.

Step 4 - Check out for any lockouts of the user AD account and try logging in with the new password.. It should definitely go through and the system will prompt for 2 options Create New Keychain or Update Keychain Password... Please select "Create New Keychain" your login will succeed.

Step 5 - Once you have logged in, please lock the mac and try unlocking using the new password. By which you will have the confirmation the password sync is updated.

Step 6 - Perform a restart and verify the same. Now the FileVault 2 will be aware of your new password and it should go through without any issues.

Regards, Kishoth P

24 replies

mvu
Forum|alt.badge.img+20
  • mvu
  • Jamf Heroes
  • 963 replies
  • May 13, 2021

This helped us. Thank you so much.

**Step 2 - Once the Securetoken is enabled for AD Mobile Account, execute the below commands
sudo fdesetup list | grep $USER #where $user is the name of the user out of sync
It will return

USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
then copy the long UUID and enter:

diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return Passphrase successful.**

M
Forum|alt.badge.img+9
  • Matt_Ellis
  • Valued Contributor
  • 94 replies
  • May 13, 2021

Honestly, unless you have a very very good reason to bind macs to AD don't. If you are using Azure AD look at JAMF Connect it will solve all these problems as well.

J
Forum|alt.badge.img+1
  • Jamftechelp
  • New Contributor
  • 7 replies
  • June 3, 2021

Thank you so much ! Its worked for me as well.
Now i created self service policy for whom FileVault password is out of Sync.

#/bin/bash
#Get the current user details 

currentUser=$(who | awk '/console/{print $1}')

#Get the user UUID number 

userNameUUID=$(dscl . -read /Users/$currentUser/ GeneratedUID | awk '{print $2}')

#Get the user's Old password  

oldPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your Old login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

#Get the user's New password  

newPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your New login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

diskutil apfs changePassphrase disk1s1 -user $userNameUUID -oldPassphrase $oldPass -newPassphrase $newPass

sudo jamf recon
easyedc
Forum|alt.badge.img+16
  • easyedc
  • Esteemed Contributor
  • 631 replies
  • June 3, 2021

+1 for not binding and relying on a tool like Apple's Enterprise Connect if you're on local AD or Jamf Connect if you're Azure AD. Binding is a big bag of hurt and Apple has recommended not using it for at least as far back as 5 years. Go to your infosec and make them really justify why. Remember, these aren't windows boxes.

D
Forum|alt.badge.img+18
  • dgreening
  • Honored Contributor
  • 645 replies
  • June 3, 2021

@easyedc "Remember, these aren't windows boxes." As if that ever resonated at orgs that are Windows heavy... "Why can't Macs just work like Windows machines??"

S
Forum|alt.badge.img
  • Scelza
  • New Contributor
  • 1 reply
  • October 7, 2021

@Jamftechelp This helped immensely! The only changes I made to it are adding quotes around the password variables because if a user has a space in one of their passwords, it will be interpreted as another piece of the diskutil command and error out.

-oldPassphrase "$oldPass" -newPassphrase "$newPass"

 

cucaracha
Forum|alt.badge.img+5
  • cucaracha
  • Contributor
  • 30 replies
  • March 30, 2022

@Jamftechelp This helped immensely! The only changes I made to it are adding quotes around the password variables because if a user has a space in one of their passwords, it will be interpreted as another piece of the diskutil command and error out.

-oldPassphrase "$oldPass" -newPassphrase "$newPass"

 


@Jamftechelp Have you run this on M1 silicon yet? I am getting an error message:

Changing passphrase for cryptographic user 0000000-00000-000 on APFS Volume disk1s1 Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593)

 FileVault is encrypted. Would it be referring to one of the partitions not being encrypted?

stevewood
Forum|alt.badge.img+35
  • stevewood
  • Hall of Fame
  • 1799 replies
  • March 31, 2022

@Jamftechelp Have you run this on M1 silicon yet? I am getting an error message:

Changing passphrase for cryptographic user 0000000-00000-000 on APFS Volume disk1s1 Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593)

 FileVault is encrypted. Would it be referring to one of the partitions not being encrypted?


@cucaracha 

The script has a hardcoded value for the disk identifier. You would want to verify that is the proper identifier for an M1. On my two M1 devices 'disk1s1' is not present, and instead the APFS container that holds "Macintosh HD" and "Data" is 'disk3'. So 'disk3s1' might work for my machines, but I would not hard code that value. You should find a way to programmatically determine which APFS container (and volumes) are encrypted.

Ideally you would begin unbinding your devices from AD and deploy Jamf Connect or NoMAD, especially given the upcoming Microsoft patch in July that will break binding.

easyedc
Forum|alt.badge.img+16
  • easyedc
  • Esteemed Contributor
  • 631 replies
  • March 31, 2022

@Jamftechelp Have you run this on M1 silicon yet? I am getting an error message:

Changing passphrase for cryptographic user 0000000-00000-000 on APFS Volume disk1s1 Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593)

 FileVault is encrypted. Would it be referring to one of the partitions not being encrypted?


So in the past you had to pay for tools like Enterprise Connect or Jamf Connect.  Now that Apple's basically taken Enterprise Connect and baked it into the OS with Kerberos SSO, that's a simple win.  It can handle password synchronization for you with ease. Follow the instructions doc that Apple has and throw that into your JSS.  Works pretty well. We haven't moved to full Azure AD so paying for Jamf Connect isn't necessary for us yet.  

cucaracha
Forum|alt.badge.img+5
  • cucaracha
  • Contributor
  • 30 replies
  • March 31, 2022

@cucaracha 

The script has a hardcoded value for the disk identifier. You would want to verify that is the proper identifier for an M1. On my two M1 devices 'disk1s1' is not present, and instead the APFS container that holds "Macintosh HD" and "Data" is 'disk3'. So 'disk3s1' might work for my machines, but I would not hard code that value. You should find a way to programmatically determine which APFS container (and volumes) are encrypted.

Ideally you would begin unbinding your devices from AD and deploy Jamf Connect or NoMAD, especially given the upcoming Microsoft patch in July that will break binding.


@stevewood 

I double checked the disk identifier for "Macintosh HD - Data" on the last 2 MacBook Pros (Intel) I ran a similar script (see below) on, and they were both 'disk1s1'. My own MacBook Pro (Intel) is 'disk1s6'.

I came up with this: 

 

 

#Get the Disk identifier diskName=$(diskutil list | awk '/Macintosh HD - Data/{print $NF}') diskutil apfs changePassphrase $diskName -user $userNameUUID -oldPassphrase $oldPass -newPassphrase $newPass

 

 

I ran it without errors but it didn't work. Not to make this convoluted, but I prefer a similar script from:https://community.jamf.com/t5/jamf-pro/filevault-not-syncing-ad-password/m-p/121380/highlight/true#M110497 which is the one I ran on the Intels. It double checks your new password, and it gives you a confirmation if the password sync is successful. I did post on that thread, but no one responded.
I plugged in my get disk identifier with this script, but I get this error:

 

 

Could not find disk for -user HELPER=0Exit Code: Password could not be changed. Is the old password correct?

 

 




 

stevewood
Forum|alt.badge.img+35
  • stevewood
  • Hall of Fame
  • 1799 replies
  • April 1, 2022

@stevewood 

I double checked the disk identifier for "Macintosh HD - Data" on the last 2 MacBook Pros (Intel) I ran a similar script (see below) on, and they were both 'disk1s1'. My own MacBook Pro (Intel) is 'disk1s6'.

I came up with this: 

 

 

#Get the Disk identifier diskName=$(diskutil list | awk '/Macintosh HD - Data/{print $NF}') diskutil apfs changePassphrase $diskName -user $userNameUUID -oldPassphrase $oldPass -newPassphrase $newPass

 

 

I ran it without errors but it didn't work. Not to make this convoluted, but I prefer a similar script from:https://community.jamf.com/t5/jamf-pro/filevault-not-syncing-ad-password/m-p/121380/highlight/true#M110497 which is the one I ran on the Intels. It double checks your new password, and it gives you a confirmation if the password sync is successful. I did post on that thread, but no one responded.
I plugged in my get disk identifier with this script, but I get this error:

 

 

Could not find disk for -user HELPER=0Exit Code: Password could not be changed. Is the old password correct?

 

 




 


@cucaracha 

Well, you did half the leg work, actually more than half. Try this for finding the identifier:

diskName=$(diskutil list | grep 'Macintosh HD' | awk {'print $NF'})

The method you had did not provide any output when I ran it on my M1 device. 

P
Forum|alt.badge.img
  • pc61_2
  • New Contributor
  • 1 reply
  • December 19, 2022

This worked for me. Plus ensure that the localadminname has securetoken access.

sysadminctl -secureTokenOff username -password - -adminUser localadminname -adminPassword -
sysadminctl -secureTokenOn username -password - -adminUser localadminname -adminPassword -
reboot

With these commands, you will be prompted for the username password and the localadminname password to complete the task.
 

S
Forum|alt.badge.img+8
  • sharif_khan
  • Valued Contributor
  • 90 replies
  • December 23, 2022

Hi @kishoth_p 

I am getting following error when I ran @Jamftechelp's script. I also tried with the command: 

diskutil apfs changePassphrase disk1s1 -user "UUID" -oldPassphrase "old Password" -newPassphrase "newPass" from terminal got same error: Changing passphrase for cryptographic user "UUID which get from step 2 command" on APFS Volume disk1s1 Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593). I also ran Step 1 command and confirmed that Secure token is ENABLED for user who I am trying to change password. BTW for your information I implemented NoMad and NoMad Login and our machines are not bind.

 

So PLease suggest on this how we can workable to synch local Password & Filevault password with AD after change passowrd. Please help me.

bmcdade
Forum|alt.badge.img+5
  • bmcdade
  • Contributor
  • 40 replies
  • January 11, 2023

Hi @kishoth_p 

I am getting following error when I ran @Jamftechelp's script. I also tried with the command: 

diskutil apfs changePassphrase disk1s1 -user "UUID" -oldPassphrase "old Password" -newPassphrase "newPass" from terminal got same error: Changing passphrase for cryptographic user "UUID which get from step 2 command" on APFS Volume disk1s1 Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593). I also ran Step 1 command and confirmed that Secure token is ENABLED for user who I am trying to change password. BTW for your information I implemented NoMad and NoMad Login and our machines are not bind.

 

So PLease suggest on this how we can workable to synch local Password & Filevault password with AD after change passowrd. Please help me.


I have seen the same thing on newer Apple Silicon hardware where they use an APFS container instead of just the simple partition formats.  It seems that might only work on older formatting types.  

Others seem to use fdesetup to remove and then re-add the user and they said that will resync but I haven't tested this yet.

sudo fdesetup remove -user SHORTNAME

sudo fdesetup add -usertoadd SHORTNAME

 

rstasel
Forum|alt.badge.img+13
  • rstasel
  • Valued Contributor
  • 338 replies
  • July 11, 2023

omg, I think this just solved an issue we'd been having without bind even in the mix... 

S
Forum|alt.badge.img+8
  • sharif_khan
  • Valued Contributor
  • 90 replies
  • July 11, 2023

I fix this issue in our environment.

johntgeck
Forum|alt.badge.img+7
  • johntgeck
  • Contributor
  • 44 replies
  • July 19, 2023

Super helpful! We just rolled FV2 out in our district and I've seen a couple one-off issues with AD binding / password syncing with Enterprise Connect. These instructions fixed the issue for me. Thanks!

A
Forum|alt.badge.img+1
  • amendoza1011
  • New Contributor
  • 2 replies
  • August 9, 2023

I keep getting another option and I'm not sure what to do

The default interactive shell is now zsh.

To update your account to use zsh, please run `chsh -s /bin/zsh`.

For more details, please visit https://support.apple.com/kb/HT208050.

Computer Name:~ username$ diskutil apfs changePassphrase disk1s1 -user,83F498FD-8F34-4C0B-812B-6CC05FEC180F

Usage:  diskutil apfs changePassphrase|changeCryptoUserPassphrase|passwd

        <apfsVolumeDisk> -user disk|<cryptoUserUUID>

        [-oldPassphrase <passphrase> | -oldStdinpassphrase]

        [-newPassphrase <passphrase> | -newStdinpassphrase]

        where <apfsVolumeDisk> = APFS Volume DiskIdentifier

              <cryptoUserUUID> = user whose passphrase to change

              <oldPassphrase> = existing password (else interactive prompt)

              <newPassphrase> = new password (else interactive prompt)

Change the passphrase of an existing cryptographic user; you can specify

"disk" for the "Disk" user.

Ownership of the affected disks is required.

Example:  diskutil apfs changePassphrase disk5s1 -user <UUID>

stevewood
Forum|alt.badge.img+35
  • stevewood
  • Hall of Fame
  • 1799 replies
  • August 9, 2023

I keep getting another option and I'm not sure what to do

The default interactive shell is now zsh.

To update your account to use zsh, please run `chsh -s /bin/zsh`.

For more details, please visit https://support.apple.com/kb/HT208050.

Computer Name:~ username$ diskutil apfs changePassphrase disk1s1 -user,83F498FD-8F34-4C0B-812B-6CC05FEC180F

Usage:  diskutil apfs changePassphrase|changeCryptoUserPassphrase|passwd

        <apfsVolumeDisk> -user disk|<cryptoUserUUID>

        [-oldPassphrase <passphrase> | -oldStdinpassphrase]

        [-newPassphrase <passphrase> | -newStdinpassphrase]

        where <apfsVolumeDisk> = APFS Volume DiskIdentifier

              <cryptoUserUUID> = user whose passphrase to change

              <oldPassphrase> = existing password (else interactive prompt)

              <newPassphrase> = new password (else interactive prompt)

Change the passphrase of an existing cryptographic user; you can specify

"disk" for the "Disk" user.

Ownership of the affected disks is required.

Example:  diskutil apfs changePassphrase disk5s1 -user <UUID>


You appear to have a comma between -user and the user ID. Try removing that comma. 

diskutil apfs changePassphrase disk1s1 -user 83F498FD-8F34-4C0B-812B-6CC05FEC180F

A
Forum|alt.badge.img+1
  • amendoza1011
  • New Contributor
  • 2 replies
  • August 9, 2023

You appear to have a comma between -user and the user ID. Try removing that comma. 

diskutil apfs changePassphrase disk1s1 -user 83F498FD-8F34-4C0B-812B-6CC05FEC180F


I got the same response after I removed the comma. I'm unsure if something changed with Ventura because I'm on an M2 Mac.

Last login: Wed Aug  9 07:28:35 on ttys000

computer name ~ % diskutil apfs changePassphrase disk1s1 -user 83F498FD-8F34-4C0B-812B-6CC05FEC180F

Usage:  diskutil apfs changePassphrase|changeCryptoUserPassphrase|passwd

        <apfsVolumeDisk> -user disk|<cryptoUserUUID>

        [-oldPassphrase <passphrase> | -oldStdinpassphrase]

        [-newPassphrase <passphrase> | -newStdinpassphrase]

        where <apfsVolumeDisk> = APFS Volume DiskIdentifier

              <cryptoUserUUID> = user whose passphrase to change

              <oldPassphrase> = existing password (else interactive prompt)

              <newPassphrase> = new password (else interactive prompt)

Change the passphrase of an existing cryptographic user; you can specify

"disk" for the "Disk" user.

Ownership of the affected disks is required.

Example:  diskutil apfs changePassphrase disk5s1 -user <UUID>

computer name ~ %

stevewood
Forum|alt.badge.img+35
  • stevewood
  • Hall of Fame
  • 1799 replies
  • August 10, 2023

I got the same response after I removed the comma. I'm unsure if something changed with Ventura because I'm on an M2 Mac.

Last login: Wed Aug  9 07:28:35 on ttys000

computer name ~ % diskutil apfs changePassphrase disk1s1 -user 83F498FD-8F34-4C0B-812B-6CC05FEC180F

Usage:  diskutil apfs changePassphrase|changeCryptoUserPassphrase|passwd

        <apfsVolumeDisk> -user disk|<cryptoUserUUID>

        [-oldPassphrase <passphrase> | -oldStdinpassphrase]

        [-newPassphrase <passphrase> | -newStdinpassphrase]

        where <apfsVolumeDisk> = APFS Volume DiskIdentifier

              <cryptoUserUUID> = user whose passphrase to change

              <oldPassphrase> = existing password (else interactive prompt)

              <newPassphrase> = new password (else interactive prompt)

Change the passphrase of an existing cryptographic user; you can specify

"disk" for the "Disk" user.

Ownership of the affected disks is required.

Example:  diskutil apfs changePassphrase disk5s1 -user <UUID>

computer name ~ %


I would verify you have the right UUID for a cryptographic user and volume ownership. The following DataJAR articles talks about how:

https://support.datajar.co.uk/hc/en-us/articles/4409474136465-Verifying-cryptographic-users-and-volume-ownership-on-macOS-11-and-higher

 

mdepaauw
Forum|alt.badge.img
  • mdepaauw
  • New Contributor
  • 1 reply
  • December 7, 2023

We use this script like this and this is how it works Universal (Intel and ARM) in our environment 

#/bin/bash
#Get the current user details

currentUser=$(who | awk '/console/{print $1}')

#Get the user UUID number

userNameUUID=$(dscl . -read /Users/$currentUser/ GeneratedUID | awk '{print $2}')

#Get DiskInfo

diskNumber=$(diskutil apfs list| grep "APFS Container Reference:" |awk '{print$4}')

#Get the user's Old password

oldPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your Old login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

#Get the user's New password

newPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your New login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

diskutil apfs changePassphrase $diskNumber"s1" -user $userNameUUID -oldPassphrase $oldPass -newPassphrase $newPass

jamf recon

 

E
Forum|alt.badge.img
  • Edu
  • New Contributor
  • 1 reply
  • May 16, 2024

Super helpful! We just rolled FV2 out in our district and I've seen a couple one-off issues with AD binding / password syncing with Enterprise Connect. These instructions fixed the issue for me. Thanks!


But the solution indicated here is the definitive solution and when the password is changed again, the problem does not occur again?
or every time the password is changed the problem occurs again and you have to do what is indicated here again.

U
Forum|alt.badge.img+1
  • Ukamal
  • New Contributor
  • 2 replies
  • December 18, 2024

Hi Kishoth, sorry I am new to Jamf and I am stuck in this Account lockout situation, I got this error after step 2: 

Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593)

Now, could you please tell me how to open Self Service & run the AD UnBind Policy?

I was typing all the scripts in Terminal but not sure how to use Self Serivice?


Terms & ConditionsCookie settingsAccessibility statement