Creating a local FileVault-enabled account does not work on Mojave.

mnickels
New Contributor III

Running JAMF 10.7.1. I have a policy that has the local accounts payload configured as follows:
Create New Account
Username: FileVaultTest
Full Name: FileVaultTest
Password: [Hidden]
Home Directory Location /Users/FileVaultTest/
Allow user to administer computer: yes
Enable user for FileVault 2: yes

This worked fine in High Sierra, but on Mojave the logs state:
Creating user FileVaultTest...
Adding user FileVaultTest to filevault
Error: Added users failed error.
Error adding user to FileVault: Added users failed error.

I cannot find any additional information in /var/log/system.log or in the jamf log file. We use personal recovery keys and they are escrowed in Jamf. The purpose of this is to create a local account for IT that can unlock FileVault on the Mac.

Could someone confirm if this is an issue for them on Mojave as well? Any ideas where I can find more information on this error?

5 REPLIES

dorellano
New Contributor III

Did you ever figure this out? Having the same issue.

therealmacjeezy
New Contributor III

What happens when you check the securetoken status for your management account and your fvtest account?

I believe sysadminctl -secureTokenStatus <username> is the command to check.

"Saying 'uhh..' is the human equivalent to buffering."

dorellano
New Contributor III

It's reporting as enabled. The weird thing is that our workflow works fine on 10.13.x and FileVault encrypts.

Just discovered that it doesn't enable FileVault on 10.14.1 even though we click Enable Now when prompted.

Sanchi
Contributor

I'm having this issue with Mojave 10.14.5. In my case, if the user account is created by the macOS login window I get the built-in prompts to enable Secure Token for that user. The user appears at the FileVault window as normal.

If I create the account using NoMAD Login AD, and then manually "enable" the user for FileVault using the Sys Preferences > Security > FileVault button, when I reboot the user does not appear at the FileVault window. sysadminctl reports secure token is enabled in both cases. Very frustrating, this.

Sanchi
Contributor

I think I've solved my flavour of the issue by using this terminal command:

#!/bin/sh

diskutil apfs updatePreboot / > /dev/null

Once I ran that, my account now shows up at the FV login screen.
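A diagnostic script for the workflow discussed in this thread, added here as an example; it is not code from any of the posters. It ties together the checks suggested above: the SecureToken status of the management account and of the new account (sysadminctl -secureTokenStatus, as therealmacjeezy suggested), whether the new account is actually a FileVault user (fdesetup list), and only when both are in order the diskutil apfs updatePreboot / refresh from Sanchi's post. The parsing functions are exercised offline against constructed sample output, so the script runs on any sh; the --live path runs the real tools and only makes sense as root on macOS. Assumptions: the account names Management and FileVaultTest in the sample data, and the "Secure token is ENABLED for user ..." line format, which is what sysadminctl printed on 10.13 and 10.14 (it goes to stderr, hence the 2>&1).

```shell
#!/bin/sh
# Added example (not from the thread): work out why a newly created local
# account does not show up at the FileVault login window, then refresh the
# APFS Preboot volume as Sanchi's fix does. Offline it exercises the parsers
# against constructed sample output; on macOS as root,
#   sudo sh fvcheck.sh --live <admin> <newuser>
# queries the real tools.

# True (exit 0) if captured `sysadminctl -secureTokenStatus <user>` output
# reports an ENABLED token. Assumed line format: "... Secure token is
# ENABLED for user <name>" (what 10.13/10.14 print, on stderr).
secure_token_enabled() {
  printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# True if user $2 appears in captured `fdesetup list` output, whose lines
# have the form "username,UUID".
fv_user_listed() {
  printf '%s\n' "$1" | cut -d, -f1 | grep -qx "$2"
}

# Combine the observations into one verdict on stdout:
#   no-admin-token  the account doing the adding holds no token, so it
#                   cannot grant one (the "Added users failed" case)
#   no-user-token   the new account never received a SecureToken
#   not-in-fv       token is fine but fdesetup never added the user
#   needs-preboot   everything is in place; only the Preboot volume is stale
check_fv_workflow() {
  admin_status=$1; user_status=$2; fv_list=$3; user=$4
  if ! secure_token_enabled "$admin_status"; then echo no-admin-token
  elif ! secure_token_enabled "$user_status"; then echo no-user-token
  elif ! fv_user_listed "$fv_list" "$user"; then echo not-in-fv
  else echo needs-preboot
  fi
}

# Constructed sample output (not captured from a real Mac); the account
# names Management and FileVaultTest are assumptions.
SAMPLE_ADMIN_STATUS='2019-06-03 10:00:00.000 sysadminctl[512:9876] Secure token is ENABLED for user Management'
SAMPLE_USER_STATUS='2019-06-03 10:00:01.000 sysadminctl[513:9877] Secure token is ENABLED for user FileVaultTest'
SAMPLE_FV_LIST='Management,6A0A4F1E-0000-4000-8000-000000000001
FileVaultTest,6A0A4F1E-0000-4000-8000-000000000002'

if [ "${1:-}" = --live ] && [ "$(uname)" = Darwin ]; then
  admin=$2; user=$3
  admin_status=$(sysadminctl -secureTokenStatus "$admin" 2>&1)
  user_status=$(sysadminctl -secureTokenStatus "$user" 2>&1)
  fv_list=$(fdesetup list)
  verdict=$(check_fv_workflow "$admin_status" "$user_status" "$fv_list" "$user")
  echo "verdict: $verdict"
  if [ "$verdict" = needs-preboot ]; then
    # Rewrite the APFS Preboot volume so the FileVault login window
    # picks up the user; this is the step that fixed Sanchi's case.
    diskutil apfs updatePreboot / >/dev/null
  fi
else
  echo "offline demo verdict: $(check_fv_workflow "$SAMPLE_ADMIN_STATUS" "$SAMPLE_USER_STATUS" "$SAMPLE_FV_LIST" FileVaultTest)"
fi
```

The verdicts map onto the thread: a no-admin-token result is the situation in which Jamf's "Added users failed" error is expected, because a token can only be granted by an account that already has one; not-in-fv means the policy never got as far as fdesetup; needs-preboot is Sanchi's case, where the user is listed but the login window has not been regenerated.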