Posted on 01-02-2018 02:48 PM
We have laptops that are encrypted with personal recovery keys that are escrowed in the JSS. I've had several users recently get locked out of their computer because their account somehow got dropped from being filevault-enabled. To re-enable them I'm running this on their machine:
sudo fdesetup add -usertoadd SAD_USER
After hitting enter, this is what happens in terminal:
Enter the user name:ADMIN_USER
Enter the password for user 'ADMIN_USER':
Enter the password for the added user 'SAD_USER':
If the ADMIN_USER is filevault-enabled, and I have SAD_USER's password, then it works. But I don't want to know SAD_USER's password. I want to use the personal recovery key, which I have. Pasting in the recovery key instead of the password results in an authentication error. In addition to making this work with the recovery key, I'd also like to be able to do it in one line, or somehow automate it. What am I missing here?
Posted on 01-03-2018 04:37 AM
You can't add a user to Filevault without having their password. The recovery key can be used to unlock the disk and/or disable Filevault, but it's not tied to an individual user's credentials.
Posted on 01-04-2018 03:34 PM
Thanks @justin.smith ! Now that I'm reading it, it seems obvious.
Posted on 01-11-2019 12:26 PM
Next step, if you need to require a password change is:
sudo pwpolicy -a YOURADMINNAME -u ACCOUNT_NAME -setpolicy "newPasswordRequired=1"
Posted on 01-11-2019 02:14 PM
As others said you need the password. You can pass it in as a parameter.
The following will allow the fdesetup interactive prompt to ‘self populate’ itself;
# Shell variables userName, adminName, adminPass and userPass must be set before this runs.
# The inner quotes are escaped so they survive the outer double-quoted -c string, and each
# send ends in \r (the Return key) or fdesetup never sees the answer.
# Prompt wording varies by macOS version (the original post shows "Enter the user name:"),
# so adjust the expect strings to match the prompts on the target machine.
# Note: everything inside -c is visible in the expect process's arguments (ps) while it runs.
expect -c "
spawn fdesetup add -usertoadd $userName
expect \"Enter the primary user name:\"
send \"$adminName\r\"
expect \"Enter the password for the user '$adminName':\"
send \"$adminPass\r\"
expect \"Enter the password for the added user '$userName':\"
send \"$userPass\r\"
expect eof
"
Posted on 04-17-2019 06:34 AM
I want to add a user and I know his password. But instead of an existing user, I will use the institutional recovery key.
This is a cutout of the "fdesetup" man page: add -usertoadd added_username ... | -inputplist [-verbose] Adds additional FileVault users. A FileVault user password or recovery key must be used to authenticate.
What is the command for that?
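As an added example that is not part of any post in this thread: the expect script above answers the interactive prompts, but the man page excerpt quoted in the last post also mentions `-inputplist`, which lets `fdesetup add` read the existing user's credentials and the users to add from a property list on stdin. That avoids expect entirely and keeps the passwords out of the process argument list, where the `expect -c` approach exposes them to `ps`. The plist keys (`Username`, `Password`, `AdditionalUsers`) are the ones documented for `fdesetup`; the function names `build_add_plist`, `xml_escape` and `fv_add_user` are my own. It authenticates with the password of an already FileVault-enabled admin, as the answers in the thread require; it does not use a recovery key.

```shell
#!/bin/sh
# Added example (not the thread's own code): drive `fdesetup add` non-interactively
# with -inputplist. Assumes the admin account is already FileVault-enabled and that
# fv_add_user runs as root (sudo) on the affected Mac.

# Escape a value for use inside an XML <string> element, so an odd character in a
# password cannot break (or alter) the plist structure.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
    -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# build_add_plist ADMIN_USER ADMIN_PASS NEW_USER NEW_PASS
# Emits the property list `fdesetup add -inputplist` reads from stdin.
build_add_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$1")</string>
  <key>Password</key><string>$(xml_escape "$2")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>$(xml_escape "$3")</string>
      <key>Password</key><string>$(xml_escape "$4")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Read a password from the terminal without echoing it, so it never appears on a
# command line or in shell history.
read_secret() {
  printf '%s' "$1" >&2
  stty -echo; read -r _val; stty echo; printf '\n' >&2
  printf '%s' "$_val"
}

# fv_add_user ADMIN_USER NEW_USER
# Prompts for both passwords, pipes the plist to fdesetup, then confirms the new
# user is now listed as FileVault-enabled (`fdesetup list` prints "user,UUID" lines).
fv_add_user() {
  admin="$1"; newuser="$2"
  adminpass=$(read_secret "Password for $admin: ")
  newpass=$(read_secret "Password for $newuser: ")
  build_add_plist "$admin" "$adminpass" "$newuser" "$newpass" | fdesetup add -inputplist || return 1
  fdesetup list | grep -q "^${newuser}," || return 1
  echo "$newuser is now FileVault-enabled"
}
```

Usage on the affected machine: `sudo sh -c '. ./fv_add.sh; fv_add_user ADMIN_USER SAD_USER'`. The final `fdesetup list` check is worth keeping in any automation, since `fdesetup add` can report success for a user whose account was not actually attached to the volume.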