!!!A Reliable FIX!!! for FileVault 2 Password Sync Issue.....

kishoth_p
New Contributor II

Hi All,

This worked for me, hence I am sharing it with all the admins out there who are looking for a permanent solution to the never-ending AD password sync issue with FileVault.
First let's split the scenarios:
Scenario 1 (Mac user who is aware of his/her old AD password), FV2 enabled
Scenario 2 (Mac user who is not aware of his/her old AD password), FV2 enabled

Scenario 1:-
(Mac user who is aware of his/her old AD password), FV2 enabled

Step 1 - Check the SecureToken status of the AD mobile account: sysadminctl -secureTokenStatus username_goes_here
If it's disabled, follow this article to enable the secure token: https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/
If by any chance you receive an "Operation not permitted" error while enabling the secure token, simply go to System Preferences > Security & Privacy > unlock using admin credentials > select FileVault > you will notice the following alert: "Some users are not able to unlock the disk |Enable Users|". Click Enable Users. It will pass the secure token to the AD mobile account successfully.

Step 2 - Once the SecureToken is enabled for the AD mobile account, execute the below commands:
sudo fdesetup list | grep $USER #where $USER is the name of the user out of sync
It will return

USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
then copy the long UUID and enter:

diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return Passphrase successful.

If you receive any further errors, please post here and I will look into it and help you further.

Step 3 - Perform a restart and check whether the new password is updated and you are able to log in.

Step 4 - If the above 3 steps didn't fix the issue, please inform the user to drive back to the office and connect the Mac to the enterprise (LAN) network, through which it will communicate with the AD domain controllers and servers. This step is very important.

Step 5 - Launch Self Service and run the AD Unbind policy to remove the Mac from the AD domain. FYR, the script is a one-liner: /usr/sbin/dsconfigad -remove -username "NotReal" -password "NotReal" -force

Step 6 - Scope the AD Bind policy and run it from Self Service. Note:- Add the following command, "sleep 15 && sudo pkill loginwindow", under Files & Processes. The policy will first bind the Mac to AD and immediately log out.
Please leave the MacBook connected to the LAN port at the login screen for 15-30 min, depending on your DC geolocation and the Mac's location. The password sync will re-attempt and it should get updated at the backend.

Step 7 - Then check for any lockouts of the user's AD account and try logging in with the new password. It should definitely go through, and the system will prompt with 2 options, Create New Keychain or Update Keychain Password. Please select "Create New Keychain" and your login will succeed.

Step 8 - Once you have logged in, please lock the Mac and try unlocking it using the new password. This confirms that the password sync is updated at the keychain level.

Step 9 - Perform a restart and verify the same. Now FileVault 2 will be aware of your new password and it should go through without any issues.

By following the above steps I was able to resolve one user's FV2 password sync issue which had been pending for close to 6-7 months. I hope it will work for you as well. Let me know your attempt status.

Scenario 2 (Mac user who is not aware of his/her old AD password), FV2 enabled

I have copied the same steps from Step 4 to 9. Please follow the same and let me know if you face any issues.

Step 1 - Please inform the user to drive back to the office and connect the Mac to the enterprise (LAN) network, through which it will communicate with the AD domain controllers and servers.

Step 2 - Launch Self Service and run the AD Unbind policy to remove the Mac from the AD domain. FYR, the script is a one-liner: /usr/sbin/dsconfigad -remove -username "NotReal" -password "NotReal" -force

Step 3 - Scope the AD Bind policy and run it from Self Service. Note:- Add the following command, "sleep 15 && sudo pkill loginwindow", under Files & Processes. The policy will first bind the Mac to AD and immediately log out.
Please leave the MacBook connected to the LAN port at the login screen for 15-30 min, depending on your DC geolocation and the Mac's location. The password sync will re-attempt and it should get updated at the backend.

Step 4 - Check for any lockouts of the user's AD account and try logging in with the new password. It should definitely go through, and the system will prompt with 2 options, Create New Keychain or Update Keychain Password. Please select "Create New Keychain" and your login will succeed.

Step 5 - Once you have logged in, please lock the Mac and try unlocking it using the new password. This confirms that the password sync is updated.

Step 6 - Perform a restart and verify the same. Now FileVault 2 will be aware of your new password and it should go through without any issues.

Regards, Kishoth P
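The following script is an added example and is not part of Kishoth's post. It wraps Scenario 1, Step 2 in a form that can be run from a terminal or a policy: it checks the SecureToken status, resolves the user's FileVault UUID from `fdesetup list` with an exact username match (the post's `grep $USER` would also match "bobby" when looking for "bob"), validates that the UUID is well formed before it reaches `diskutil`, and then lets `diskutil apfs changePassphrase` prompt for the old and new passwords as the post describes, so neither password is passed on the command line. The parsing functions take command output as a parameter so they can be exercised with constructed sample strings; the assumptions are that `fdesetup list` prints `user,UUID` per line (as shown in the post), that `sysadminctl -secureTokenStatus` prints a line containing "Secure token is ENABLED" or "Secure token is DISABLED", that the script is run as root, and that the caller supplies the FileVault-encrypted APFS volume identifier (the post's `disk1s1` is the default; confirm yours with `diskutil apfs list`).

```shell
#!/bin/bash
# Added example, not from the original post. Helpers for Scenario 1, Step 2.

# Constructed sample command output, used only for the self-check.
SAMPLE_FDESETUP='admin,11111111-2222-3333-4444-555555555555
bob,27E97FDA-252E-1D28-97E2-E11278DB2D21
bobby,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'
SAMPLE_STATUS_ON='sysadminctl[4242:9001] Secure token is ENABLED for user bob'
SAMPLE_STATUS_OFF='sysadminctl[4242:9002] Secure token is DISABLED for user bob'

# Exact-match lookup of a user's FileVault UUID in `fdesetup list` output.
# awk's $1 == u avoids the substring matching of `grep $USER` ("bob" vs "bobby").
fv_uuid_for_user() {  # $1 = short name, $2 = output of `fdesetup list`
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { print $2; exit }'
}

# Accept only a well-formed 8-4-4-4-12 hex UUID before handing it to diskutil.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Returns 0 when sysadminctl reported the token ENABLED, 1 otherwise.
# Assumption: the message text matches "Secure token is ENABLED".
token_enabled() {  # $1 = combined stdout+stderr of `sysadminctl -secureTokenStatus`
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# macOS only (run as root): check the token, resolve and validate the UUID,
# then let diskutil prompt for the old and new passwords interactively so
# they never appear in `ps` output or shell history.
main() {
    user="$1"
    volume="${2:-disk1s1}"   # assumption: the FileVault-encrypted APFS volume; check `diskutil apfs list`
    status="$(sysadminctl -secureTokenStatus "$user" 2>&1)"
    if ! token_enabled "$status"; then
        echo "No SecureToken for $user; enable it first (Step 1)." >&2
        return 1
    fi
    uuid="$(fv_uuid_for_user "$user" "$(fdesetup list)")"
    if ! is_uuid "$uuid"; then
        echo "$user is not a FileVault-enabled user on this Mac." >&2
        return 1
    fi
    # Omitting -oldPassphrase/-newPassphrase makes diskutil prompt on the terminal.
    diskutil apfs changePassphrase "$volume" -user "$uuid"
}

# Only run the real commands on macOS and when a username was given,
# e.g. sudo ./fv_resync.sh bob disk1s1
if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then
    main "$@"
fi
```

If the user does not know the old password (Scenario 2), this script cannot help: `changePassphrase` needs the old passphrase, which is why the post falls back to the unbind/rebind sequence for that case.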


mvu
Valued Contributor

This helped us. Thank you so much.

**Step 2 - Once the Securetoken is enabled for AD Mobile Account, execute the below commands
sudo fdesetup list | grep $USER #where $user is the name of the user out of sync
It will return

USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
then copy the long UUID and enter:

diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return Passphrase successful.**

Matt_Ellis
Contributor II

Honestly, unless you have a very very good reason to bind macs to AD don't. If you are using Azure AD look at JAMF Connect it will solve all these problems as well.

Jamftechelp
New Contributor II

Thank you so much! It worked for me as well.
Now I created a Self Service policy for users whose FileVault password is out of sync.

#!/bin/bash
# Get the user currently logged in at the console

currentUser=$(who | awk '/console/{print $1}')

# Get the user's GeneratedUID, which is the UUID FileVault uses for this user
# (the same value fdesetup list shows next to the username)

userNameUUID=$(dscl . -read "/Users/$currentUser" GeneratedUID | awk '{print $2}')

# Get the user's old password

oldPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your Old login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

# Get the user's new password

newPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your New login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

# Stop if either dialog returned nothing, rather than calling diskutil with an empty passphrase

if [ -z "$userNameUUID" ] || [ -z "$oldPass" ] || [ -z "$newPass" ]; then
    echo "Missing user UUID or password; nothing changed." >&2
    exit 1
fi

# disk1s1 must be the FileVault-encrypted APFS volume shown by `diskutil apfs list`.
# Note: passwords passed as arguments are briefly visible to other local processes via ps.

diskutil apfs changePassphrase disk1s1 -user "$userNameUUID" -oldPassphrase "$oldPass" -newPassphrase "$newPass"

sudo jamf recon

easyedc
Valued Contributor II

+1 for not binding and relying on a tool like Apple's Enterprise Connect if you're on local AD or Jamf Connect if you're Azure AD. Binding is a big bag of hurt and Apple has recommended not using it for at least as far back as 5 years. Go to your infosec and make them really justify why. Remember, these aren't windows boxes.

dgreening
Valued Contributor II

@easyedc "Remember, these aren't windows boxes." As if that ever resonated at orgs that are Windows heavy... "Why can't Macs just work like Windows machines??"