Posted on 02-27-2019 07:44 AM
Bit of an F.Y.I...
I have DEP PreStage enrolled devices.
An Active Directory mobile account user is granted a secure token and FileVault is enabled at login.
When I log in as admin and try to delete the user account, a box appears asking me to enter the user's password to delete the account.
When I do this, it errors.
The workaround is to check the "enable this user to administer this computer" checkbox, reboot the device, then delete them.
Has anyone else seen this?
Posted on 02-27-2019 07:59 AM
Is admin an FV user?
In 10.13.x and 10.14.x you can't delete the last admin account or the only account that is FV enabled.
Posted on 02-28-2019 12:16 AM
You can if you do the above.
Posted on 02-28-2019 05:45 AM
I've seen that too.
What I think is happening is that the OS tries to automatically issue a secureToken to the current GUI user (your admin), so you don't end up with an encrypted machine, but no user to unlock it.
To do that, it needs the authorisation of the AD mobile account (which is currently holding the only secureToken on the system), and that user also needs to be an admin to be able to grant an ST to another user.
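The check a practitioner would want before hitting Delete, as an added example that is not part of this thread or of any poster's setup: a small POSIX sh script that works out which accounts hold a secure token and which are admins, then says whether the delete will just work, whether the admin first needs a token granted (which is what the password prompt is doing), or whether the mobile user has to be made an admin first, as in the workaround above. It assumes the real `sysadminctl -secureTokenStatus` and `dscl . -read /Groups/admin GroupMembership` output formats; the decision rules are a reading of this thread, not Apple documentation; the user names `admin` and `jdoe` and the sample output lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): before deleting an AD mobile account,
# work out which accounts hold a secure token and which are admins, and say
# whether the delete will succeed, need a token grant, or need the thread's
# "make the mobile user an admin first" workaround.
#
# Assumptions: `sysadminctl -secureTokenStatus <user>` prints a line containing
# "Secure token is ENABLED for user <name>" (to stderr) on 10.13/10.14, and
# `dscl . -read /Groups/admin GroupMembership` prints "GroupMembership: a b c".
# The decision rules below are a reading of the thread, not Apple documentation.

# True if "$2" is a word in the space-separated list "$1".
in_list() {
  case " $1 " in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# True if a captured sysadminctl status line says the token is enabled.
token_enabled() {
  case "$1" in
    *"Secure token is ENABLED for user"*) return 0 ;;
  esac
  return 1
}

# Turn the dscl GroupMembership line into a plain space-separated list.
admins_from_dscl() {
  printf '%s\n' "$1" | sed 's/^GroupMembership: *//'
}

# deletion_plan LOGGED_IN_ADMIN TARGET TOKEN_HOLDERS ADMINS
# Prints one word and sets the exit status:
#   ok          (0) the admin already holds a token; the delete proceeds
#   grant-token (1) the admin has no token; the target holds one and is an
#                   admin, so the password prompt (or sysadminctl) can grant one
#   needs-admin (2) the target holds the only token but is not an admin:
#                   tick "allow user to administer", reboot, then delete
deletion_plan() {
  admin=$1; target=$2; holders=$3; admins=$4
  if in_list "$holders" "$admin"; then
    echo ok; return 0
  fi
  if in_list "$holders" "$target" && in_list "$admins" "$target"; then
    echo grant-token; return 1
  fi
  echo needs-admin; return 2
}

# Live check; only meaningful on macOS, so it is not called at top level.
# Usage: live_plan admin jdoe
live_plan() {
  admin=$1; target=$2; holders=""
  for u in "$admin" "$target"; do
    # sysadminctl writes its status line to stderr, hence 2>&1
    if token_enabled "$(sysadminctl -secureTokenStatus "$u" 2>&1)"; then
      holders="$holders $u"
    fi
  done
  admins=$(admins_from_dscl "$(dscl . -read /Groups/admin GroupMembership)")
  plan=$(deletion_plan "$admin" "$target" "$holders" "$admins" || :)
  echo "$plan"
  if [ "$plan" = grant-token ]; then
    # Grant the admin a token with the mobile user's credentials ("-" prompts).
    echo "run: sysadminctl -adminUser $target -adminPassword - -secureTokenOn $admin -password -"
  fi
}

# Constructed sample data standing in for real command output.
SAMPLE_STATUS='2019-02-28 08:00:00.000 sysadminctl[812:9910] Secure token is ENABLED for user jdoe'
SAMPLE_DSCL='GroupMembership: root admin'

# With jdoe holding the only token and not in the admin group, this prints
# "needs-admin", which is the situation the first post describes.
if token_enabled "$SAMPLE_STATUS"; then
  deletion_plan admin jdoe "jdoe" "$(admins_from_dscl "$SAMPLE_DSCL")" || :
fi
```

Run `live_plan <admin> <mobileuser>` on the Mac itself to use real `sysadminctl` and `dscl` output; the top-level call only exercises the constructed sample so the script runs anywhere. Once the admin holds a token, `fdesetup list` and `sysadminctl -secureTokenStatus` can confirm it before the mobile account is removed.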
Posted on 02-28-2019 07:37 AM
I create the admin account via a prestage enrollment.
That user has a secure token granted, but bypasses encryption.
The subsequent Mobile users will login and need to encrypt.
This is when you see this occurring.