File Vault and AD accounts after 10.13.2 supplemental upgrade fix

Craig_Whittaker
New Contributor III

Once the supplemental 10.13.2 upgrade is installed, I could no longer add AD users to File Vault.

The issue seems to be Secure token is not enabled for AD users the following fixes the issue

Sysadminctl interactive -secureTokenOn <user name> -password <password>

Check with
Sysadminctl interactive -secureTokenStatus user.name

Reboot and you should be able to enable for the new user.name

2 REPLIES 2

bjones
New Contributor III

@Craig.Whittaker This is bitter sweet in a way .... I finally have someone else out there with an AD environment setup where your users cannot be added to filevault on High Sierra. This is have been troublesome for me for a longgg time ever since the release of 10.13.0. Basically i was having an issue prior to the supplemental update where a user on 10.12.6 after upgrading to High Sierra on a previous filevaulted machine couldn't log back in after reboot. Basically since their account didn't have a secure token prior the icon after reboot was removed.
This part seems to be resolved and i am now stuck with the issue in which an AD user on machine after the update cannot be added to filevault and i have to go through the process you described above.

jconte
Contributor II

Here is what we have been successful with, most of the time we only have to use the last line by itself when we enable a user for filevault in 10.13 using Sys Prefs. Based on my understanding this should only be happening on AD Mobile Accounts, at least that is the only place we are seeing it.

sudo sysadminctl interactive -secureTokenStatus username 
sudo sysadminctl interactive -secureTokenOn username -password –
sudo diskutil apfs updatePreboot /