Disk Encryption Management- Looking for Advice on Best Practices

New Contributor III


I am in the midst of a Jamf PoC and am looking for some advice on File Vault configuration.

I currently have two machines in my test environment: one running 10.12.6; the other 10.13.3. I created a configuration to enable FileVault with Enabled FileVault User set to "Current or next user."

It worked perfectly on the 10.12 machine, but not 10.13. I know there's a bug with 10.13 that prevents Active Directory users from activating FileVault. Is there any way around this within Jamf?

I am also curious to know if there is any strategy to handle machines that already have FileVault enabled.

Thanks in advance!



Valued Contributor III

@rtrouton is the best FileVault expert I know. I tagged him hoping he’ll chime in with advice as he is on these boards.

New Contributor III

I need to set up FileVault2 for all incoming new users, the person before me apparently attempted to do this but was not able to achieve it successfully. I hope @rtrouton shows up!

New Contributor III

@arivera I'm making some good progress. I'll report back here once I have things running (more or less) smoothly.

I assume all your new users are running Macs with 10.13?

Contributor III

This is why I'm trying to have users hold off from upgrading to 10.13 completely. Apple changed a lot when it came to encryption this time around.

The best part? We use the python create user script to create a local admin account when imaging. The problem with that? Users created via CLI don't get a secure token and can't enable FileVault! Domain users can't either, so on 10.13.2+ we can't enable FV....

I'm currently working on a domain device in which I created an Admin account via System Preferences, and still don't have permission to enable FileVault. When I run:

sudo sysadminctl -secureTokenStatus adminaccount

from Terminal, I get:

2018-03-09 10:44:40.716 sysadminctl[15494:73011] Failed to authenticate with SystemAdministration framework.

Oh, and forget about using the FileVault key redirection payload in a configuration profile too. It will explicitly deny you from enabling FV if that's installed.

New Contributor III

@danbaver Great! All new users are on High Sierra and I'm going to be rolling out a company-wide High Sierra upgrade soon; just running tests right now!

New Contributor III

@PhillyPhoto You have to run it this way:

sudo sysadminctl interactive -secureTokenStatus someUser

Which makes it tricky to script so it would otherwise run without user interaction.

Contributor III

@danbaver I run it with the interactive flag:

sudo sysadminctl interactive -secureTokenStatus adminuser

And get the popup asking for credentials to "unlock the drive", and it shows the following in stdout:

2018-03-09 13:53:03.545 sysadminctl[58469:213513] ### Error:-14090 File:/BuildRoot/Library/Caches/com.apple.xbs/Sources/Admin/Admin-674/DSAuthenticator.m Line:94
2018-03-09 13:53:03.551 sysadminctl[58469:213513] Secure token is ENABLED for user adminuser

But I'm still not authorized to enable encryption after performing:

  1. System Preferences
  2. Security & Privacy
  3. FileVault
  4. Unlock
  5. Turn On FileVault...
  6. Create a recovery key and do not use my iCloud account
  7. Continue

I get a pop-up saying "Authentication server failed to complete the requested operation."

In Terminal, manually running "sudo fdesetup enable" and entering the admin account name and password, it says "Error: A problem occurred while trying to enable FileVault. (-69556)"
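An added example, not code from this thread, that classifies the sysadminctl output quoted above so a script can tell a missing secure token apart from a missing interactive flag (the AUTH_FAILED case) and ignore the -14090 noise line. The two ENABLED/AUTH_FAILED samples are copied from this thread; the DISABLED sample and the "pyadmin" user name are constructed.

```bash
#!/bin/bash
# Added example: classify "sysadminctl -secureTokenStatus" output.
# sysadminctl logs to stderr, and on 10.13.3 the interactive run also emits a
# "### Error:-14090 ... DSAuthenticator.m" line; only the status line matters.

# Map captured sysadminctl output to a single state word.
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED for user "*)  echo "ENABLED" ;;
    *"Secure token is DISABLED for user "*) echo "DISABLED" ;;
    # Seen when the 'interactive' flag is omitted on 10.13.3.
    *"Failed to authenticate with SystemAdministration framework"*) echo "AUTH_FAILED" ;;
    *) echo "UNKNOWN" ;;
  esac
}

# macOS-only wrapper: merge stderr (where sysadminctl writes) and classify it.
check_secure_token() {
  local out
  out=$(sudo sysadminctl interactive -secureTokenStatus "$1" 2>&1)
  secure_token_state "$out"
}

# Constructed samples. The first two are copied from this thread; the third is
# a constructed DISABLED line for a CLI-created local admin ("pyadmin").
SAMPLE_NONINTERACTIVE='2018-03-09 10:44:40.716 sysadminctl[15494:73011] Failed to authenticate with SystemAdministration framework.'
SAMPLE_INTERACTIVE='2018-03-09 13:53:03.545 sysadminctl[58469:213513] ### Error:-14090 File:/BuildRoot/Library/Caches/com.apple.xbs/Sources/Admin/Admin-674/DSAuthenticator.m Line:94
2018-03-09 13:53:03.551 sysadminctl[58469:213513] Secure token is ENABLED for user adminuser'
SAMPLE_NO_TOKEN='2018-03-09 14:02:11.004 sysadminctl[58512:213990] Secure token is DISABLED for user pyadmin'

# Usage on a Mac: ./secure_token_check.sh <username>
if [ "$(uname)" = "Darwin" ] && [ -n "$1" ]; then
  check_secure_token "$1"
fi
```

Running the check before pushing a FileVault profile tells you which local accounts can actually be made the enabled FileVault user on 10.13.x.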

New Contributor III

Okay, I believe I have it working! Using this script:


There are a few tweaks to make for 10.13.3.

First, under the section:

# Uses AppleScript to prompt the currently logged in user for their account password.

You need to move the closing parenthesis below EOT, so...

return pwd
end if
end tell

Then in the enableSecureToken section, add the interactive flag:

enableSecureToken() {
    # 'interactive' added for 10.13.3; variables quoted so spaces in passwords survive
    sudo sysadminctl interactive -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
}

Make sure you follow all of his notes at the end. It didn't work for me at first, but then I started over and it works like a charm. Not sure what I did wrong the first time around.

Even though the interactive flag isn't needed for 10.13.2, it still works. It did not however work for 10.13, for what it's worth.


There is a bug in 10.13.x that is supposedly fixed in 10.13.4 (probably out by end of month) that should fix this issue with Mobile (Active Directory) accounts. But, still really annoyed with Apple and Jamf that they've (I think, mostly Apple) made this so hard to do. Really with the leading Mac management platform, turning this stuff on should be pretty easy...but of course nothing is easy with Apple!

New Contributor III

I've been discussing with the Jamf engineer I've been working with if this is a "feature" or a "bug" in macOS. We're inclined to think it's a feature, judging by the direction Apple has been moving with security.

My POC is over, and I'm just waiting for my company's legal department to do their thing so a PO can get signed and I can really get to work on this. If 10.13.4 breaks what I figured out here, I'm going to be annoyed. :)