fdesetup authrestart with managed admin account

DirkM
New Contributor

Hello everybody,

fdesetup authrestart seems to be broken for accounts that have never logged in.

I created a new user “test” with password “test” via Users & Groups (so it got a secure token and is a volume owner) and tried to authenticate fdesetup authrestart -delayminutes -1 with that account. I got an error and the fde prompt after the next restart. After signing in as “test”, signing out and signing back in as the original user, fdesetup authrestart worked for user “test”. This also applies to startosinstall and softwareupdate on ASi Macs: when trying to get either working with a managed admin account that has a secure token and is a volume owner but was never used to sign in, I always get the fde prompt after the first restart. When I try the same with the logged-in user and password, it works.

Any workarounds for this?


AJPinto
Honored Contributor III

I have never tried to use an account for this that has never logged in to macOS before. If it's not working on multiple devices, I would wager it's a change Apple has made with how secure tokens are handled.

The simplest workaround I can think of is to make an on-demand policy (Self Service or CLI trigger) with the Restart Options payload and check the "Perform authenticated restart on computers with FileVault 2 enabled" box.

DirkM
New Contributor

Tried that but Jamf doesn't honor a -1 (do not restart on a timer) timeout value and displays a message even though "Start the restart timer immediately" is checked.

AJPinto
Honored Contributor III

The reboot comes from JAMF's binary, not Apple's MDM framework. So, what JAMF's GUI has as options should work fine.

This is what I use; the timer is currently 60 minutes, but I change it as needed. You can also just tell it to restart immediately if a user is logged in. Since it's a policy, you could run it with another policy using CLI and use JAMF Helper to notify the user.

[attached screenshot: AJPinto_0-1674049940338.png]

DirkM
New Contributor

Tried your settings but still get the fde login (progress bar after entering name and password) after the manual (not waiting for the timeout) restart. I no longer get the prompt though after removing the restart message.

[attached screenshot: Screenshot 2023-01-18 at 8.47.17 AM.png]

DirkM
New Contributor

According to Jamf, authrestart is broken on ASi Macs (PI102829) when using the fde recovery password (which is what the policy does); in macOS 12+ it works only with the logged-in username/password.

sdagley
Esteemed Contributor II

@DirkM I can't find a reference, and I've never tested it myself, but I recall being in a discussion early last year where it was mentioned that a token wasn't activated until a user actually logged in to the account. Since that matches your experience, I'd say you're experiencing "Works As Expected".
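The thread's conclusion is that `fdesetup authrestart` only succeeds with an account that has actually logged in, even if the account already has a secure token. The script below is an added example (not code from DirkM, AJPinto, sdagley or Jamf) of a preflight wrapper that checks that before arming the restart, and that feeds the credentials to `fdesetup authrestart -inputplist` on stdin instead of putting the password on the command line where `ps` can see it. It assumes that `fdesetup list` prints one `username,GeneratedUID` line per FileVault-enabled user (it needs root), that `last <user>` prints at least one session line beginning with the user name once that user has logged in, and that the plist keys are `Username` and `Password`; the sample `fdesetup list` and `last` outputs are constructed so the checks can be exercised on any host.

```shell
#!/bin/sh
# Added example, not from the thread. Preflight for `fdesetup authrestart` that
# refuses accounts which have never logged in (the failure mode discussed above).

# Constructed sample outputs, used for the demo at the bottom (not real data).
SAMPLE_FV_LIST='admin,AA000000-0000-0000-0000-000000000001
test,AA000000-0000-0000-0000-000000000002'
SAMPLE_LAST_ADMIN='admin     console                   Wed Jan 18 08:47   still logged in
wtmp begins Wed Jan 18 08:00'
SAMPLE_LAST_TEST='wtmp begins Wed Jan 18 08:00'

# fv_user_enabled ACCOUNT FDESETUP_LIST_OUTPUT
# True when ACCOUNT appears as the first field of a "username,GUID" line.
fv_user_enabled() {
    printf '%s\n' "$2" | cut -d, -f1 | grep -qxF -- "$1"
}

# has_logged_in ACCOUNT LAST_OUTPUT
# `last` prints its "wtmp begins" trailer even with no sessions; a real session
# line starts with the user name followed by whitespace.
has_logged_in() {
    printf '%s\n' "$2" | grep -q "^$1[[:space:]]"
}

# Minimal XML escaping so a password containing & < > cannot break the plist.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# authrestart_plist ACCOUNT PASSWORD -> plist on stdout for `fdesetup -inputplist`
authrestart_plist() {
    user=$(xml_escape "$1")
    pass=$(xml_escape "$2")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$user</string>
    <key>Password</key>
    <string>$pass</string>
</dict>
</plist>
EOF
}

# authrestart_preflight ACCOUNT FDESETUP_LIST_OUTPUT LAST_OUTPUT
# Returns 0 when the account is FileVault-enabled and has logged in before,
# 1 when it is not enabled, 2 when it has never logged in.
authrestart_preflight() {
    account=$1
    if ! fv_user_enabled "$account" "$2"; then
        echo "preflight: $account is not a FileVault-enabled user" >&2
        return 1
    fi
    if ! has_logged_in "$account" "$3"; then
        echo "preflight: $account has never logged in; authrestart would end at the FileVault prompt" >&2
        return 2
    fi
    return 0
}

# run_authrestart ACCOUNT  (password read from stdin; run as root on the Mac)
# Arms an authenticated restart with no timer (-delayminutes -1, as in the OP).
run_authrestart() {
    account=$1
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not available on this host" >&2
        return 3
    fi
    IFS= read -r password
    authrestart_preflight "$account" "$(fdesetup list)" "$(last "$account")" || return $?
    authrestart_plist "$account" "$password" | fdesetup authrestart -delayminutes -1 -inputplist
}

# Demo on the constructed samples: "admin" passes, "test" is rejected (never logged in).
authrestart_preflight admin "$SAMPLE_FV_LIST" "$SAMPLE_LAST_ADMIN" && echo "admin: ok to authrestart"
authrestart_preflight test  "$SAMPLE_FV_LIST" "$SAMPLE_LAST_TEST"  || echo "test: rejected (rc=$?)"
```

On a real Mac you would call it as `printf '%s\n' "$PASSWORD" | run_authrestart admin` from a root context; the preflight is what turns the silent "FileVault prompt after restart" outcome into an immediate, logged refusal.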