File Vault 2 deferred enablement

alessio_tedesco
New Contributor III

Dear all,
I'm having a lot of trouble with some machines that have the File Vault 2 config profile and policy applied to enforce enablement; however, for 5-6 machines out of a total of about 30, File Vault 2 ends up disabled and the policy log says "FileVault is Off.
Deferred enablement appears to be active for user ' '. "

I checked a couple of links here but, as far as I can see, no one ever found a solution. The Jamf Cloud instance is almost new and I'm enrolling machines for the first time, not AD bound.


mschroder
Valued Contributor

Check that the users of the Macs in question have a secure token.

alessio_tedesco
New Contributor III

@mschroder how can I check that? Note that most of the machines have been reset and Big Sur reinstalled, and the user account is the one created in the Setup Assistant. I don't get why there would be a missing secure token.

mschroder
Valued Contributor

rtrouton has a nice summary on https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

thomH
New Contributor III

Did you log in as the user created by Setup Assistant? I believe this is the one that receives the initial secure token and will trigger FV.

gabester
Contributor III

We run into this in our environment far too often... and when we provision these user accounts we verify that the user account is ENABLED; then something happens between that point and actually activating FileVault. @mschroder 's link above is a nice reference... but here are the quick and dirty commands you'll need to use to resolve this:

sysadminctl -secureTokenStatus USERNAME

If the user shows as unknown, you may have a network account that needs to be converted to a Mobile account... that's beyond the scope of this answer! If it just shows as DISABLED, log in to your administrator account in Terminal and run the following command - note the separate hyphens (scroll all the way to the right!) after the password switches so that you can enter the passwords interactively without being seen; YOU WILL NEED TO KNOW THE USER'S PASSWORD!

sysadminctl -secureTokenOn USERNAME -password - -adminUser ADMINNAME -adminPassword -

Hopefully it will report success; if you get an error about "secure unlock" you may need to run the command from a session of a user who already has Secure Token enabled (e.g. the first user on the Mac in most circumstances, who can then transfer it to other users).
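As an added example (not code from anyone in this thread), here is a small script that applies the status check above to every local account at once, so you can spot which users lack a secure token before the FileVault policy runs. It assumes the status line format `Secure token is ENABLED/DISABLED for user ...` that `sysadminctl -secureTokenStatus` writes to stderr on current macOS releases; the function and user names are the script's own.

```sh
#!/bin/sh
# Added example: report the secure-token state of every local user.
# Assumption: sysadminctl writes a line such as
#   "sysadminctl[412:9321] Secure token is ENABLED for user alessio"
# to stderr. Any other output (e.g. an unknown/network account) is
# reported as "unknown", matching the case described in the answer above.

# classify_token_line STATUS_TEXT -> prints enabled | disabled | unknown
classify_token_line() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "enabled" ;;
        *"Secure token is DISABLED"*) echo "disabled" ;;
        *)                            echo "unknown" ;;
    esac
}

# secure_token_status USERNAME -> runs sysadminctl and classifies its output
secure_token_status() {
    out=$(sysadminctl -secureTokenStatus "$1" 2>&1)
    classify_token_line "$out"
}

# local_users -> names of non-system local accounts (UID 500 and above)
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# report -> one "user status" line per account; returns 1 if any lacks a token,
# which makes the script usable as a Jamf extension attribute or pre-flight check
report() {
    rc=0
    for u in $(local_users); do
        s=$(secure_token_status "$u")
        echo "$u $s"
        [ "$s" = "enabled" ] || rc=1
    done
    return $rc
}

# Only run the live check where the tool exists (i.e. on a Mac).
if command -v sysadminctl >/dev/null 2>&1; then
    report
fi
```

A user reported as "disabled" is the one to fix with the `-secureTokenOn` command above; "unknown" points at the network-account case rather than a missing token.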