Posted on 04-02-2018 09:21 AM
I've had 3 cases of mobile account users on High Sierra (10.13.3) changing their Active Directory password then finding the password doesn't get updated for FileVault. I've had no such trouble on Sierra. The updated password works in macOS once FileVault is unlocked by another user. The only workaround we've found is to remove the user from FileVault and add them back again.
Has anyone else seen this, know if it's fixed in 10.13.4, or have any other workarounds?
Posted on 02-01-2019 05:34 PM
Just curious if anyone has had success with @ncottle's script in Self Service. It works great when I run it from Terminal, but when I run it from Self Service, it just executes with no prompts.
curUser=$(/usr/bin/stat -f%Su /dev/console)
curUID=$(/usr/bin/id -u "$curUser")
# When this runs as root (e.g. from Self Service) a bare osascript has no GUI session to draw in, so run the dialogs as the console user
if [ "$(id -u)" -eq 0 ]; then runAsUser() { /bin/launchctl asuser "$curUID" /usr/bin/sudo -u "$curUser" "$@"; }; else runAsUser() { "$@"; }; fi
echo "Prompting ${curUser} for the desired user to fix password mismatch for FV2."
Newuser="$(runAsUser /usr/bin/osascript -e 'tell current application to display dialog "Please enter your username:" default answer "" with title "Filevault Password Sync" buttons {"OK"} default button 1' -e 'text returned of result')"
JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# Tell the user what comes next before showing the password prompt
RESULT=$("$JAMFHELPER" -windowType utility -title "Filevault Password Sync" -description "You will now be asked to input your current email password in the following box." -button1 "OK")
echo "Prompting ${curUser} for the password for desired user to fix password mismatch for FV2."
NewuserPass="$(runAsUser /usr/bin/osascript -e 'tell current application to display dialog "Please enter your current email password:" default answer "" with title "Filevault Password Sync" buttons {"OK"} default button 1 with hidden answer' -e 'text returned of result')"
sudo sysadminctl interactive -secureTokenOn "$Newuser" -password "$NewuserPass"
sudo diskutil apfs updatePreboot /
Posted on 02-01-2019 05:47 PM
@walts.9 The only way we deploy is through Self Service. I'll try and remember to take a look on Monday and see how I have it set up. @benk234 Have you tried removing some of the user input and populating the info via the script? Obviously not anything in clear text, but something along those lines. Been a little bit since I've messed with what I did. Recently switched to a new group so my brain is a little overloaded right now. Please feel free to message me. I'm happy to help in any way I can.
Posted on 02-02-2019 08:09 PM
Posted on 02-05-2019 11:16 AM
I'm now feeling very hopeful that macOS 10.14.4 will resolve this issue. 😉
Posted on 02-05-2019 12:07 PM
@true[robby] have you tested a 10.14.4 beta or has Apple support indicated it will be fixed with that release?
Posted on 02-06-2019 01:28 PM
Testing in 10.14.4 beta and it's looking good!
My findings show that after the 10.14.4 update, a subsequent password change via System Preferences while on domain will sync up all three passwords (local account, keychain and FileVault), and they stay synced while off domain. ✅✅✅
I'm even finding that if the user once again changes their password somewhere other than their machine (a web interface like OneLogin), the local password syncs and stays synced when off domain. ✅ Upon next reboot, if the user chooses to Update Keychain it will sync up keychain and FileVault. ✅✅
So we're back to behavior on earlier versions.
Posted on 02-07-2019 02:36 AM
@true[robby] thanks for posting.
What if the user has forgotten their previous password and enters a recovery key at FileVault and for keychain has to create a new one? Is the account password and FV password still out of sync on next reboot?
Posted on 02-08-2019 07:04 AM
What happened for me is not exactly the same as per OP.
I have just tested the latest Mojave Developer Beta update and confirmed this issue is fixed.
Passwords will now sync across as soon as the Mac gets connected to the domain network.
Posted on 03-13-2019 03:18 PM
@MatG After using the recovery key to unlock the volume we are presented with our normal logon screen. I think this behavior is different. Before, when using the recovery key the user is given a pop-up at the logon screen to change their password. But now, the volume can be unlocked but the user still needs to know the existing password to log in. So we don't get far enough to be able to answer your keychain question.
Posted on 03-18-2019 04:18 PM
Can I ask what version number of the Mojave Developer Beta update fixed the issue for you?
Posted on 03-19-2019 06:25 AM
I think it was beta 2 or 3. Can't remember. It's now beta 6 so I'd guess release next week.
Posted on 03-30-2019 07:18 PM
I just posted an article about the history of the 10.13 & 10.14 syncing issue. I included some fixes that you can use if you still have some accounts that are still out of sync.
Posted on 05-23-2019 02:57 PM
FWIW. I just had a troublesome 10.14.5 machine that wouldn't sync the FV password to the locally cached or domain password. Nuking the keychain fixed the issue.
I tried a battery of solutions until I finally thought of this so I hope it helps someone.
Posted on 11-25-2019 04:17 PM
Thank you @sshort
sudo sysadminctl -adminUser $adminUserHere -adminPassword $adminPasswordHere -resetPasswordFor $userToBeReset -newPassword $newPasswordHere
Using this from a command prompt fixed our issue of an AD user not being able to log in after the password was changed elsewhere. No FileVault in use.
Cheers!
Posted on 01-27-2020 05:35 AM
We are seeing this issue on random machines on different versions of Mojave. It's very frustrating. Can anyone confirm if this is still an issue in Catalina? We have it blocked for a bit for testing purposes. Or, does anyone have a non-interactive version of the above command that can be scheduled?
Posted on 02-07-2020 02:25 PM
@mgorton It is still an issue in Catalina. In fact, I came here looking for an explanation and a possible solution.
We are rolling out FileVault enabled laptops running 10.15.2 and have begun experiencing the same symptoms reported in this thread: the user changes their AD password, often through a web portal (sometimes over WiFi, sometimes over ethernet), and then they are unable to log in at the preboot screen. The old password is usually able to unlock the volume, but the new AD password otherwise works for authenticating against other AD bound services. It will also work at the system login screen if the user logs out.
I have been able to correct this, as others have, by using the recovery key. Once the recovery key is provided, the user is prompted for their network password and then the passwords are synched.
I haven't yet tried some of the other fixes recommended here, but will do so first chance I get. Thanks to all for sharing your experiences and expertise.
Posted on 02-10-2020 07:08 AM
@mheffernan If you change the password off the Mac through a web portal, all you are changing is the AD account password, therefore the FileVault password will not change. If you change the password on the Mac it will update your AD account password and the FileVault password.
However, if you do change the password through a web portal, then on boot, as you say, use the old password, then you probably get prompted again to log into your account, then a Keychain box; what is meant to happen then is that macOS syncs the account password down to FV, but in Catalina 10.15.1, 2 and now 3 this I believe is broken.
Posted on 02-12-2020 08:50 AM
Here is my Self Service script to resolve this FileVault issue if the user changes their password in a way other than System Prefs/NoMAD.
This does require you have a local admin account on the computer and that you pass the local admin user name and pass as variables $4 and $5.
I did not have great luck with the update preboot command that @ncottle used (though I haven't tried the script posted here) so I wrote a script doing the same thing with FDE setup awhile back.
#!/bin/bash
# Found commands at
# https://www.jamf.com/jamf-nation/discussions/26608/adding-user-to-filevault-using-fdesetup-and-recovery-key
adminName="$4"
adminPass="$5"
# Name of the user currently at the console (empty if nobody is logged in or the loginwindow is showing)
userName=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
# Refuse to run against the admin account, and check this before touching FileVault
if [[ "$userName" == "$adminName" ]] || [[ "$userName" == "HardCodedLocalAdminName" ]]; then
    echo "Admin user is logged in."
    dialog="Do Not run this tool when logged in as Admin! Exiting!"
    cmd="tell app \"System Events\" to display dialog \"$dialog\""
    /usr/bin/osascript -e "$cmd"
    exit 1
fi
# Remove the user so the add below re-enrols them with their current password
fdesetup remove -user "$userName"
dscacheutil -q user -a name "$userName"
sleep 1
echo "prompting user for Account Password"
userPass=$(/usr/bin/osascript <<END
tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Enter your Current Account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END
)
# Drive fdesetup's interactive prompts; the heredoc is unquoted so bash expands the names and passwords before expect sees them
/usr/bin/expect <<END
spawn fdesetup add -usertoadd "$userName"
expect "Enter the primary user name:"
send "$adminName\r"
expect "Enter the password for the user '$adminName':"
send "$adminPass\r"
expect "Enter the password for the added user '$userName':"
send "$userPass\r"
expect eof
END
fdeList=$(fdesetup list | grep "$userName")
if [[ "$fdeList" == *"$userName"* ]] ; then
    echo "$userName Filevault Password Updated successfully"
    dialog="$userName Filevault Password Updated successfully"
    cmd="tell app \"System Events\" to display dialog \"$dialog\""
    /usr/bin/osascript -e "$cmd"
    exit 0
else
    echo "Adding $userName to FV2 Failed"
    dialog="Adding $userName to FV2 Failed"
    cmd="tell app \"System Events\" to display dialog \"$dialog\""
    /usr/bin/osascript -e "$cmd"
    exit 1
fi
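Added example, not code from this thread, from Jamf or from Apple: the same remove-and-re-add step as the script above, but feeding both passwords to `fdesetup add -usertoadd <user> -inputplist` as a property list on stdin instead of driving the prompts with expect or putting them on a command line. That matters because arguments such as `sysadminctl ... -adminPassword <pass>` are visible to every local user in `ps` output while the command runs, whereas stdin is not, and it also removes the expect quoting problems. The function names (`xml_escape`, `build_fdesetup_plist`, `fv_user_listed`, `main`) and the `FV_USER_PASS` environment variable are this example's own; `$4`/`$5` follow the Jamf parameter convention the script above uses. It still needs the user's current password from somewhere (a Self Service dialog, for instance), so it is non-interactive for the admin side only.

```shell
#!/bin/bash
# Added example (not from the thread). Re-enrol a user in FileVault with
# `fdesetup add -usertoadd <user> -inputplist`, which reads the primary (secure-token
# holding) user and the user to add from a plist on stdin. Keys Username, Password and
# AdditionalUsers are the ones fdesetup documents for -inputplist.
#
# Assumed inputs (example's own convention): $4 = local admin name, $5 = its password,
# FV_USER_PASS = the console user's current account password, exported by the caller.

# Escape the five XML special characters so a password like 'p&ss<word' cannot break the plist.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the plist fdesetup expects.  Args: adminName adminPass userName userPass
build_fdesetup_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$(xml_escape "$1")</string>
    <key>Password</key><string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key><string>$(xml_escape "$3")</string>
            <key>Password</key><string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Exit 0 if userName is a whole login name in `fdesetup list` output ("name,UUID" per line);
# a plain grep would also match "jdoe2" when looking for "jdoe".  Args: userName listOutput
fv_user_listed() {
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Args: adminName adminPass userName; FV_USER_PASS must be in the environment.
main() {
    if [ -z "$FV_USER_PASS" ]; then
        echo "FV_USER_PASS is not set" >&2
        return 2
    fi
    # Remove then re-add, as the thread's scripts do, so FileVault stores the current password.
    /usr/bin/fdesetup remove -user "$3" || true
    build_fdesetup_plist "$1" "$2" "$3" "$FV_USER_PASS" \
        | /usr/bin/fdesetup add -usertoadd "$3" -inputplist
    # Rebuild the preboot volume so the credentials are usable at the FileVault login screen.
    /usr/sbin/diskutil apfs updatePreboot / >/dev/null
    if fv_user_listed "$3" "$(/usr/bin/fdesetup list)"; then
        echo "$3 re-added to FileVault"
    else
        echo "failed to add $3 to FileVault" >&2
        return 1
    fi
}

# Only call the macOS tools on a Mac when the Jamf-style parameters ($4, $5) were passed.
if [ "$(uname)" = "Darwin" ] && [ $# -ge 5 ]; then
    main "$4" "$5" "$(/usr/bin/stat -f%Su /dev/console)"
fi
```

The `fdesetup list` check at the end confirms the user is enrolled, not that the stored password is current; the only real confirmation is a reboot to the preboot screen. Passwords that contain `$`, `[` or backslashes are the case the XML escaping and stdin delivery handle; those same characters are what break the expect and quoted-argument variants.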
Posted on 02-12-2020 09:58 AM
I usually use diskutil apfs changepassphrase, though I haven't made a script of it yet. If it works it would alleviate the need to pass an admin password in clear text.