File Vault 2 problems when using Recovery Key

dpratl
Contributor II

Hi jamf Nation.

I'm pretty new to jamf and this discussion board is so helpful, thank you so much.
I now have a Problem where I couldn't find a hint here so try to start a new discussion about it.

We are using JSS 9.96, and macOS Sierra 10.12.0

We want to encrypt the Harddrives of all Macs via File Vault2.
I have set up personal + institutional key on jamf and put the start encrypt policy into self server so the user (or at the moment test user) has the chance to decide when he wants to start.

We want to use the logged in user (an AD account) so the user has just to enter his password once and the computer will boot up into is Desktop.
But it will happen that a user forgets his own password (happens really often in the Windows world, so it will be the same in the apple world).
It is no problem to take a look at the recovery key on JSS, and it will unlock the drive without any problems, BUT:
The user is forced to change his password after the boot (no Desktop, only login window) but this is not working. If he is connected to the AD or not, it is not working. (Even when we flag the user in the AD that he has to change the password at the next logon)
Next step was to generate a Master Password (This FileVault.MasterKeychain thing in /Library/Keychains) but the PW reset is also not working with this master password.
It is also not possible to login if I try my last working password (no admin PW change in the AD)

If this is not solvable we have to rethink the encryption options, maybe a special user or not at all.

How do you do that?
Do you have an idea about the problems described above?

Thank you very much
BR
Daniel

1 ACCEPTED SOLUTION

rtrouton
Valued Contributor III

@dpratl,

Apple built that reset password functionality for local accounts and it doesn't really work with AD mobile accounts. If your user has forgotten their password and you use the recovery key to unlock and allow them to boot, you also have the option of selecting the Cancel button when asked to reset the password.

88f3591dc0204bcbb5b0c2f9e275cdcd

Once the password reset has been cancelled, try logging in with the new password that's been set on the AD domain's end.

View solution in original post

6 REPLIES 6

rtrouton
Valued Contributor III

@dpratl,

Apple built that reset password functionality for local accounts and it doesn't really work with AD mobile accounts. If your user has forgotten their password and you use the recovery key to unlock and allow them to boot, you also have the option of selecting the Cancel button when asked to reset the password.

88f3591dc0204bcbb5b0c2f9e275cdcd

Once the password reset has been cancelled, try logging in with the new password that's been set on the AD domain's end.

dpratl
Contributor II

Hi @rtrouton ,

This was not working in the first few tests, but I will try it again and update my post.

Thank you for the clarification that this function is only for local accounts.

BR
Daniel

jriv
New Contributor III

Hi @dpratl ,

I believe I came across this same issue yesterday and today.

Yesterday I was locked out (I think, because of another issue involving iCloud and Passcode Config Profiles. Before Sierra, I would enter my recovery key and the next window would prompt me to reset my password. Same as what @rtrouton's screen shot shows. With Sierra, after entering the recovery key, the regular login window comes up instead of the password reset prompt in El Capitan and Yosemite and no prompts to reset my password.

I was able to get in this morning by unscoping myself from our password configuration profile. I was then able to log in using my current password. I used the fdesetup changerecovery -personal command to issue a new recovery key and was successful. However, this did not solve the problem. While troubleshooting this issue, I realized that my current password (an old one) does not meet our current password policy requirements (it's new). So I went to System Preferences > Users and Groups to change it. It would not allow me to reset my password because, it says, my "old password" is incorrect. This is usually a sign that the user has been locked out. I rebooted immediately and verified that I was again locked out without any notification. I've found that the only way for me to unlock myself is to unscope from the password configuration profile.

I'm still trying to figure out what could be causing this failure. Not sure if this issue and the iCloud/Passcode Configuration issue are related. My next step is to move my iCloud account and see if things are back to normal.

If you have any more details to share, please do. FYI, I am not bound to AD.

Thanks!

duffcalifornia
Contributor

Maybe this is a dumb idea, but rather than have the customer attempt to use macOS to reset their password, why not create a temporary password from AD itself, allow the user to log in (bypassing the need for the recovery key), and then change their password from within system preferences to something more private?

jriv
New Contributor III

@dpratl ,

I was able to confirm that removing my iCloud account now allows me to use a recovery key again to reset my password. So, I guess this issue is related to https://www.jamf.com/jamf-nation/discussions/21320/sierra-ad-account-lockout-when-setting-up-icloud after all.

@rtrouton,

Would you happen to have any extension attributes that detect if a user is signed in to iCloud? I found one here https://www.jamf.com/jamf-nation/discussions/19085/disable-icloud-icloud-drive-and-find-my-mac-on-existing-systems by bpavlov but I'm getting mixed results.

Thanks!

dpratl
Contributor II

Thank you all for your answers.
I marked a solution.

My test where successful:
Our users are using there AD accounts (on more user would be to much for this sentence ;)) also for the encryption.
If the forget the password the cannot decrypt their Mac, so the give a call to our Helpdesk.
What have to be done by the Helpdesk:
- reset the AD password to a temporary one (also the "Reset PW at next login" flag can be set)
- get the recovery key from JSS
- tell the (verified) user both and he has to cancel the first request to change the password like @rtrouton said above and the user has to be connected with the internal network (because of the AD connection)
Task by Helpdesk is finished.
What has to be done by the user:
- decrypt the Mac with the Key provided by the Helpdesk
- cancel the first request to change the password like Helpdesk said
- login with the temporary password
- change the password immediately (if the flag was set)
Task by user is finished and he can work on.

This is working for us :)
JAMF Nation is really a great source

BR
Daniel

PS: If the user try to change the password at the first request from macOS, this will harm the user profile somehow and a login is not possible anymore.
PPS: @duffcalifornia if I only set a new password in AD this will not affect the stored password for FileVault, you have to use the recovery key and then use the reseted password to login