Solved

Filevault 2 not enabling, SecureToken missing



Hello All

 

I am having an issue where it seems SecureToken is not being enabled on our accounts, thus the FV2 enablement window shows up and asks to enable, but it doesn't work after entering the user's password. We are using Jamf Connect with OneLogin for user accounts. What process is everyone here using to enable FV2?

Best answer by junjishimazaki

Secure token usually gets created for the first user, which apparently appears to be your local admin account. So, the only one that can grant a secure token is your local admin. So, you have to log in as admin to enable secure token for the user and then FV can be enabled. I also use Jamf Connect with OneLogin as our IDP. I have my prestage set up with the local admin created. I have a config profile for Jamf Connect to enable FV for the first user that logs in and, just like you, I also have a separate config profile to enable FV. This works for me and the actual user does get secure token and FV does get enabled after restart or logout.


9 replies

junjishimazaki

Hi, how are you deploying Jamf Connect? Are you setting this up in your Prestage for new computer and do you have FV enabled in your config profile for first user? What account has secure token?


junjishimazaki wrote:

Hi, how are you deploying Jamf Connect? Are you setting this up in your Prestage for new computer and do you have FV enabled in your config profile for first user? What account has secure token?


Hello, we are pushing Jamf Connect as a prestage. We also have a local admin account created on all the machines, and that account has a secure token and FV2 shows enabled for that account in Jamf. FV should be enabled during setup; we use DEP Notify and it has a piece after running where it asks to log out and enable FV2.



We also have a config profile for enabling FV2 running in Jamf at check-in once per day to "catch" any machines where FV2 isn't enabled.


junjishimazaki
  • New Contributor
  • 423 replies
  • Answer
  • January 4, 2022

Secure token usually gets created for the first user, which apparently appears to be your local admin account. So, the only one that can grant a secure token is your local admin. So, you have to log in as admin to enable secure token for the user and then FV can be enabled. I also use Jamf Connect with OneLogin as our IDP. I have my prestage set up with the local admin created. I have a config profile for Jamf Connect to enable FV for the first user that logs in and, just like you, I also have a separate config profile to enable FV. This works for me and the actual user does get secure token and FV does get enabled after restart or logout.


  • Author
  • Contributor
  • 40 replies
  • January 11, 2022
junjishimazaki wrote:

Secure token usually gets created for the first user, which apparently appears to be your local admin account. So, the only one that can grant a secure token is your local admin. So, you have to log in as admin to enable secure token for the user and then FV can be enabled. I also use Jamf Connect with OneLogin as our IDP. I have my prestage set up with the local admin created. I have a config profile for Jamf Connect to enable FV for the first user that logs in and, just like you, I also have a separate config profile to enable FV. This works for me and the actual user does get secure token and FV does get enabled after restart or logout.


Hello,

 

Thanks for the reply. I actually have it set up with a user as well and they receive a secure token; it seems hit or miss. Some users do not get SecureToken and FileVault enabled, but most do. I have a ticket open with Jamf; they are taking a look at a script with me, as it recently stopped working.

Script I used to use for assigning secure token, thus FV could be enabled:

https://github.com/daveyboymath/Jamf/blob/MacOS/PassSecureToken.sh


  • Contributor
  • 20 replies
  • July 25, 2022

Worse problem here, maybe should be in a new thread...I have a user whose account *has* SecureToken, and who sees the turn-on-FileVault sequence at startup, and still encryption never actually begins (a day later fdesetup reports encryption OFF, but deferred enablement appears on for the user). Is there any option short of nuke and pave?


  • New Contributor
  • 7 replies
  • September 26, 2022
PhilS wrote:

Worse problem here, maybe should be in a new thread...I have a user whose account *has* SecureToken, and who sees the turn-on-FileVault sequence at startup, and still encryption never actually begins (a day later fdesetup reports encryption OFF, but deferred enablement appears on for the user). Is there any option short of nuke and pave?


I'm running into this as well. Did you find a way to resolve?


  • Author
  • Contributor
  • 40 replies
  • September 26, 2022
PhilS wrote:

Worse problem here, maybe should be in a new thread...I have a user whose account *has* SecureToken, and who sees the turn-on-FileVault sequence at startup, and still encryption never actually begins (a day later fdesetup reports encryption OFF, but deferred enablement appears on for the user). Is there any option short of nuke and pave?


Try creating a new plist that enables encryption at log out if you currently have it at log in. Exclude them from the current FV2 enablement plist you are using. I've done this for a few machines and got it to actually encrypt.


  • New Contributor
  • 7 replies
  • October 11, 2022
jsnyder wrote:

I'm running into this as well. Did you find a way to resolve?


I've actually only run into this one time, so I think it's just a one-off issue for me. 

When I go through a prestage enrollment and encrypt at logon it works fine in all other cases.
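
A triage helper for the two failure states described in this thread (an account with no SecureToken, and an account that has SecureToken with deferred enablement pending while encryption stays off), added here as an example and not code from any poster or from Jamf. It assumes the usual wording of `sysadminctl -secureTokenStatus` and `fdesetup status` output; the sample strings in the comments are constructed and the state names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread). State names are hypothetical.
# Constructed sample inputs, assuming the tools' usual wording:
#   sysadminctl: "Secure token is ENABLED for user alice"
#   fdesetup:    "FileVault is Off."
#                "Deferred enablement appears to be active for user 'alice'."

# classify_fv_state <sysadminctl output> <fdesetup output>
classify_fv_state() {
    token_out=$1
    fde_out=$2
    has_token=no
    case $token_out in
        *"is ENABLED"*) has_token=yes ;;
    esac
    case $fde_out in
        *"FileVault is On"*)
            # Disk is encrypted; a user without a token cannot unlock it.
            if [ "$has_token" = yes ]; then echo "ok"; else echo "encrypted-user-no-token"; fi
            return 0 ;;
    esac
    if [ "$has_token" = no ]; then
        # Original problem in the thread: the enablement prompt cannot succeed.
        echo "no-secure-token"
        return 0
    fi
    case $fde_out in
        # Token present, encryption off, deferral still queued (the later report).
        *"Deferred enablement"*) echo "deferred-pending" ;;
        *) echo "fv-off-no-deferral" ;;
    esac
}

# Live use on macOS, as root (e.g. from a Jamf policy): ./script.sh <shortname>
if [ "$(uname)" = "Darwin" ] && [ -n "$1" ]; then
    # sysadminctl writes its status line to stderr, so capture both streams.
    classify_fv_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)" "$(fdesetup status)"
fi
```

The returned state can be reported back as an inventory value so machines stuck in `no-secure-token` or `deferred-pending` can be scoped separately from healthy ones.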

