!!!A Reliable FIX!!! for FileVault 2 Password Sync Issue.....

kishoth_p
New Contributor II

Hi All,

This worked for me... Hence I am sharing this with all the admins out there who are looking for a permanent solution to the never-ending AD password sync issue with FileVault..
First let's split the scenarios..
Scenario 1 (Mac user who is aware of his/her old AD password) FV2 enabled
Scenario 2 (Mac user who is not aware of his/her old AD password) FV2 enabled

Scenario 1:-
(Mac User who is aware of his/her old AD password) FV2 enabled

Step 1 - Check the secure token status of the AD mobile account:
sysadminctl -secureTokenStatus username_goes_here
If it's disabled, follow this article to enable the secure token: https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/
If by any chance you receive an "Operation not permitted" error while enabling the secure token, simply go to System Preferences > Security & Privacy > unlock using admin credentials > select FileVault > you will notice the following alert: "Some users are not able to unlock the disk |Enable Users|". Click Enable Users. It will pass the secure token to the AD mobile account successfully.

Step 2 - Once the secure token is enabled for the AD mobile account, execute the below commands:
sudo fdesetup list | grep $USER   # where $USER is the name of the user out of sync
It will return

USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
then copy the long UUID and enter:

diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return Passphrase successful.

If you receive any further errors, please post here I will look into it and help you further.

Step 3 - Perform a restart and check whether the new password is updated and you are able to login.

Step 4 - If the above 3 steps didn't fix the issue, please inform the user to drive back to the office and connect the Mac to the enterprise (LAN) network, by which it will communicate with the AD domain controllers & servers. This step is very important.

Step 5 - Launch Self Service & run the AD Unbind policy to remove the Mac from the AD domain, FYR.... (The script is a one-liner: "/usr/sbin/dsconfigad -remove -username "NotReal" -password "NotReal" -force")

Step 6 - Scope the AD Bind policy and run it from Self Service. Note:- Add the following command "sleep 15 && sudo pkill loginwindow" under Files & Processes. The policy will first bind the Mac to AD and immediately log out.
Please leave the MacBook connected to the LAN port at the login screen for 15-30 min depending on your DC geolocation and Mac location. The password sync will re-attempt and it should get updated at the backend.

Step 7 - Then check for any lockouts of the user's AD account and try logging in with the new password.. It should definitely go through and the system will prompt with 2 options: Create New Keychain or Update Keychain Password... Please select "Create New Keychain"; your login will succeed.

Step 8 - Once you have logged in, please lock the Mac and try unlocking using the new password. By this you will have the confirmation that the password sync is updated at the keychain level.

Step 9 - Perform a restart and verify the same. Now FileVault 2 will be aware of your new password and it should go through without any issues.

By following the above steps I was able to resolve one user's FV2 password sync issue which had been pending for close to 6-7 months... I hope it works for you as well.. Let me know your attempt status..

Scenario 2 (Mac user who is not aware of his/her old AD password) FV2 enabled

I have copied the same steps from Step 4 to 9... Please follow the same and let me know if you face any issues..

Step 1 - Please inform the user to drive back to the office and connect the Mac to the enterprise (LAN) network, by which it will communicate with the AD domain controllers & servers.

Step 2 - Launch Self Service & run the AD Unbind policy to remove the Mac from the AD domain, FYR.... (The script is a one-liner: "/usr/sbin/dsconfigad -remove -username "NotReal" -password "NotReal" -force")

Step 3 - Scope the AD Bind policy and run it from Self Service. Note:- Add the following command "sleep 15 && sudo pkill loginwindow" under Files & Processes. The policy will first bind the Mac to AD and immediately log out.
Please leave the MacBook connected to the LAN port at the login screen for 15-30 min depending on your DC geolocation and the Mac location; the password sync will re-attempt and it should get updated at the backend.

Step 4 - Check for any lockouts of the user's AD account and try logging in with the new password.. It should definitely go through and the system will prompt with 2 options: Create New Keychain or Update Keychain Password... Please select "Create New Keychain"; your login will succeed.

Step 5 - Once you have logged in, please lock the Mac and try unlocking using the new password. By this you will have the confirmation that the password sync is updated.

Step 6 - Perform a restart and verify the same. Now FileVault 2 will be aware of your new password and it should go through without any issues.

Regards, Kishoth P


mvu
Valued Contributor

This helped us. Thank you so much.

**Step 2 - Once the secure token is enabled for the AD mobile account, execute the below commands:
sudo fdesetup list | grep $USER   # where $USER is the name of the user out of sync
It will return

USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
then copy the long UUID and enter:

diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return Passphrase successful.**

Matt_Ellis
Contributor II

Honestly, unless you have a very very good reason to bind macs to AD don't. If you are using Azure AD look at JAMF Connect it will solve all these problems as well.

Jamftechelp
New Contributor II

Thank you so much! It worked for me as well.
Now I created a Self Service policy for those whose FileVault password is out of sync.

#!/bin/bash
# Get the user currently logged in at the console

currentUser=$(who | awk '/console/{print $1}')

# Get the user's GeneratedUID (the cryptographic user ID FileVault knows the account by)

userNameUUID=$(dscl . -read "/Users/$currentUser" GeneratedUID | awk '{print $2}')

# Prompt the user for the old password (hidden input)

oldPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your Old login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

# Prompt the user for the new password (hidden input)

newPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your New login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

# Change the user's FileVault passphrase on the APFS volume (disk1s1 is hardcoded here)

diskutil apfs changePassphrase disk1s1 -user "$userNameUUID" -oldPassphrase $oldPass -newPassphrase $newPass

# Refresh the inventory record in Jamf Pro

sudo jamf recon

easyedc
Valued Contributor II

+1 for not binding and relying on a tool like Apple's Enterprise Connect if you're on local AD or Jamf Connect if you're Azure AD. Binding is a big bag of hurt and Apple has recommended not using it for at least as far back as 5 years. Go to your infosec and make them really justify why. Remember, these aren't windows boxes.

dgreening
Valued Contributor II

@easyedc "Remember, these aren't windows boxes." As if that ever resonated at orgs that are Windows heavy... "Why can't Macs just work like Windows machines??"

Scelza
New Contributor

@Jamftechelp This helped immensely! The only changes I made to it are adding quotes around the password variables because if a user has a space in one of their passwords, it will be interpreted as another piece of the diskutil command and error out.

-oldPassphrase "$oldPass" -newPassphrase "$newPass"


roach
New Contributor III

@Jamftechelp Have you run this on M1 silicon yet? I am getting an error message:

Changing passphrase for cryptographic user 0000000-00000-000 on APFS Volume disk1s1
Error changing passphrase for cryptographic user on APFS Volume: The given APFS Volume is not encrypted (-69593)

FileVault is encrypted. Would it be referring to one of the partitions not being encrypted?

stevewood
Honored Contributor II

@roach 

The script has a hardcoded value for the disk identifier. You would want to verify that is the proper identifier for an M1. On my two M1 devices 'disk1s1' is not present, and instead the APFS container that holds "Macintosh HD" and "Data" is 'disk3'. So 'disk3s1' might work for my machines, but I would not hard code that value. You should find a way to programmatically determine which APFS container (and volumes) are encrypted.

Ideally you would begin unbinding your devices from AD and deploy Jamf Connect or NoMAD, especially given the upcoming Microsoft patch in July that will break binding.

roach
New Contributor III

@stevewood 

I double checked the disk identifier for "Macintosh HD - Data" on the last 2 MacBook Pros (Intel) I ran a similar script (see below) on, and they were both 'disk1s1'. My own MacBook Pro (Intel) is 'disk1s6'.

I came up with this: 

# Get the disk identifier of the Data volume by its volume name
diskName=$(diskutil list | awk '/Macintosh HD - Data/{print $NF}')

# Change the user's FileVault passphrase on that volume (variables quoted so spaces survive)
diskutil apfs changePassphrase "$diskName" -user "$userNameUUID" -oldPassphrase "$oldPass" -newPassphrase "$newPass"

I ran it without errors but it didn't work. Not to make this convoluted, but I prefer a similar script from: https://community.jamf.com/t5/jamf-pro/filevault-not-syncing-ad-password/m-p/121380/highlight/true#M... which is the one I ran on the Intels. It double checks your new password, and it gives you a confirmation if the password sync is successful. I did post on that thread, but no one responded.
I plugged in my get disk identifier with this script, but I get this error:

Could not find disk for -user
HELPER=0Exit Code: Password could not be changed. Is the old password correct?

stevewood
Honored Contributor II

@roach 

Well, you did half the leg work, actually more than half. Try this for finding the identifier:

diskName=$(diskutil list | grep 'Macintosh HD' | awk '{print $NF}')

The method you had did not provide any output when I ran it on my M1 device. 
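As an added example that is not code from anyone in this thread: the lookups below key on the APFS volume role and on the `fdesetup list` record, instead of a hardcoded disk1s1 or a volume name (which the thread shows varies between machines); the `diskutil`/`fdesetup` wiring in the closing comment assumes root on a real Mac and the sample outputs are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): pick the FileVault volume and the
# FileVault user programmatically; helpers parse command output from stdin.

# Print the device identifier of the APFS volume with role (Data) whose
# "FileVault:" line says Yes. Reads `diskutil apfs list` text from stdin.
find_fv_data_volume() {
    awk '
        /APFS Volume Disk \(Role\):/ { id = $(NF-1); role = $NF }
        /FileVault:/ && role == "(Data)" {
            sub(/.*FileVault: */, "")          # keep only the value
            if ($1 == "Yes") { print id; exit }
        }'
}

# Print the UUID FileVault associates with a user, from `fdesetup list`
# text (USER,UUID lines) on stdin; prints nothing if the user is not enabled.
fv_user_uuid() {
    awk -F, -v u="$1" '$1 == u { print $2; exit }'
}

# Constructed sample of `diskutil apfs list` output (abridged; here the
# Data volume is named "Data" rather than "Macintosh HD - Data").
sample_apfs_list() {
    cat <<'EOF'
    +-> Volume disk3s1 AAAAAAAA-0000-0000-0000-000000000001
    |   APFS Volume Disk (Role):   disk3s1 (System)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   FileVault:                 No
    +-> Volume disk3s5 AAAAAAAA-0000-0000-0000-000000000005
        APFS Volume Disk (Role):   disk3s5 (Data)
        Name:                      Data (Case-insensitive)
        Mount Point:               /System/Volumes/Data
        FileVault:                 Yes (Unlocked)
EOF
}

# Constructed sample of `fdesetup list` output (UUID value taken from the OP).
sample_fdesetup_list() {
    printf 'localadmin,11111111-2222-3333-4444-555555555555\njdoe,27E97FDA-252E-1D28-97E2-E11278DB2D21\n'
}

# On a real Mac (as root), wire the helpers to the live commands:
#   vol=$(diskutil apfs list | find_fv_data_volume)
#   uuid=$(fdesetup list | fv_user_uuid "$user")
#   [ -n "$vol" ] && [ -n "$uuid" ] && diskutil apfs changePassphrase "$vol" -user "$uuid"
# Omitting -oldPassphrase/-newPassphrase makes diskutil prompt for them, so
# the passphrases never show up in the process list.
```

If either lookup prints nothing, the user is not a FileVault-enabled user or no encrypted Data volume was found, and the changePassphrase call should not be attempted.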

easyedc
Valued Contributor II

So in the past you had to pay for tools like Enterprise Connect or Jamf Connect.  Now that Apple's basically taken Enterprise Connect and baked it into the OS with Kerberos SSO, that's a simple win.  It can handle password synchronization for you with ease. Follow the instructions doc that Apple has and throw that into your JSS.  Works pretty well. We haven't moved to full Azure AD so paying for Jamf Connect isn't necessary for us yet.