FileVault 2 not enabling, SecureToken missing

ajamfadmin1810
Contributor

Hello All,

I am having an issue where it seems SecureToken is not being enabled on our accounts, so the FV2 enablement window shows up and asks to enable, but it doesn't work after entering the user's password. We are using Jamf Connect with OneLogin for user accounts. What process is everyone here using to enable FV2?

9 REPLIES

junjishimazaki
Valued Contributor

Hi, how are you deploying Jamf Connect? Are you setting this up in your Prestage for new computers, and do you have FV enabled in your config profile for the first user? What account has a secure token?

Hello, we are pushing Jamf Connect as a prestage. We also have a local admin account created on all the machines; that account has a secure token, and FV2 shows as enabled for that account in Jamf. FV should be enabled during setup: we use DEP Notify, and it has a step after running where it asks the user to log out and enable FV2.

ajamfadmin1810
Contributor

We also have a config profile for enabling FV2 that runs in Jamf at check-in once per day to "catch" any machines where FV2 isn't enabled.

junjishimazaki
Valued Contributor (accepted solution)

The secure token usually gets created for the first user, which apparently is your local admin account. So the only one that can grant a secure token is your local admin. So you have to log in as admin to enable the secure token for the user, and then FV can be enabled. I also use Jamf Connect with OneLogin as our IdP. I have my prestage set up with the local admin created. I have a config profile for Jamf Connect to enable FV for the first user that logs in, and just like you I also have a separate config profile to enable FV. This works for me, and the actual user does get a secure token and FV does get enabled after a restart or logout.

Hello,

Thanks for the reply. I actually have it set up with a user as well, and they receive a secure token; it seems hit or miss. Some users do not get a SecureToken and FileVault enabled, but most do. I have a ticket open with Jamf; they are taking a look at a script with me, as it recently stopped working.

Script I used to use for assigning a secure token so that FV could be enabled:

https://github.com/daveyboymath/Jamf/blob/MacOS/PassSecureToken.sh

PhilS
New Contributor III

Worse problem here, maybe this should be in a new thread... I have a user whose account *has* a SecureToken, who sees the turn-on-FileVault sequence at startup, and still encryption never actually begins (a day later fdesetup reports encryption OFF, but deferred enablement appears to be on for the user). Is there any option short of nuke and pave?
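
An added example (not from this thread, and not Jamf's or Apple's code) that ties together the accepted answer above and the state PhilS describes: it reads the SecureToken status that `sysadminctl -secureTokenStatus` prints for a user, grants a token from a tokened local admin with `sysadminctl -secureTokenOn` when it is missing, and then inspects `fdesetup status` to tell "FileVault On", "Off with deferred enablement pending" and plain "Off" apart. `sysadminctl` and `fdesetup` are real macOS tools and only run on a Mac as root; the parsing and decision functions take command output as strings, so they can be exercised anywhere. The sample output strings, the script name `fv_check.sh` and the account names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Checks SecureToken + FileVault state
# for one user and grants a token from a local admin if needed. macOS only
# for the live calls; the parse_*/next_action functions are pure.

# Constructed sample outputs (not captured from a real machine) in the
# shape sysadminctl and fdesetup print, for off-box exercising.
SAMPLE_TOKEN_OK='2024-01-01 sysadminctl[512:9001] Secure token is ENABLED for user alice'
SAMPLE_TOKEN_MISSING='2024-01-01 sysadminctl[512:9002] Secure token is DISABLED for user bob'
SAMPLE_FV_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'alice'."

# sysadminctl -secureTokenStatus <user> prints (on stderr) a line with
# "Secure token is ENABLED for user ..." or "... DISABLED ...".
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# fdesetup status prints "FileVault is On." / "FileVault is Off." and, when
# a deferred enablement is pending, an extra "Deferred enablement appears
# to be active for user '...'" line. DEFERRED is checked before OFF because
# both strings are present in that case.
parse_fv_status() {
    case "$1" in
        *"FileVault is On"*)                          echo ON ;;
        *"Deferred enablement appears to be active"*) echo DEFERRED ;;
        *"FileVault is Off"*)                         echo OFF ;;
        *)                                            echo UNKNOWN ;;
    esac
}

# Map (token, fv) to an action. Without a token the FV prompt can never
# succeed, so that case wins regardless of FileVault state.
next_action() {   # $1 ENABLED|DISABLED|UNKNOWN  $2 ON|DEFERRED|OFF|UNKNOWN
    case "$1/$2" in
        DISABLED/*)       echo grant-token ;;
        ENABLED/ON)       echo nothing ;;
        ENABLED/DEFERRED) echo wait-for-logout ;;
        ENABLED/OFF)      echo enable-filevault ;;
        *)                echo investigate ;;
    esac
}

# Live wrappers; sysadminctl writes its status line to stderr, hence 2>&1.
secure_token_status() { parse_secure_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"; }
fv_status()           { parse_fv_status "$(fdesetup status 2>&1)"; }

# Grant a token to $1 using tokened admin $3. Passwords on the command line
# are visible in `ps`; interactively, pass "-" to have sysadminctl prompt.
grant_secure_token() {   # $1 user  $2 user pw  $3 admin  $4 admin pw
    sysadminctl -secureTokenOn "$1" -password "$2" \
                -adminUser "$3" -adminPassword "$4" 2>&1
}

# Usage on a Mac:  sudo ./fv_check.sh alice 'alice-pw' localadmin 'admin-pw'
main() {
    user=$1; user_pw=$2; admin=$3; admin_pw=$4
    token=$(secure_token_status "$user"); fv=$(fv_status)
    echo "SecureToken for $user: $token; FileVault: $fv"
    case "$(next_action "$token" "$fv")" in
        grant-token)      grant_secure_token "$user" "$user_pw" "$admin" "$admin_pw"
                          echo "after grant: $(secure_token_status "$user")" ;;
        wait-for-logout)  echo "Deferred enablement pending; FV turns on at next logout/login." ;;
        enable-filevault) echo "Token present but FV off: re-push the FV profile or run fdesetup enable." ;;
        nothing)          echo "Already encrypted." ;;
        *)                echo "Unexpected state; inspect 'fdesetup list' and 'diskutil apfs listUsers /'." ;;
    esac
}

# Only run the live path when called with all four arguments.
if [ "$#" -eq 4 ]; then main "$@"; fi
```

The decision table is the point: a user who is still DISABLED after a logout has never been granted a token and the FV prompt will keep failing, while ENABLED/DEFERRED (PhilS's case) means the token is fine and the pending enablement simply has not fired yet, so the next thing to inspect is `fdesetup list` and the logout/login that is supposed to trigger it.
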

jsnyder
New Contributor II

I'm running into this as well. Did you find a way to resolve?

jsnyder
New Contributor II

I've actually only run into this one time, so I think it's just a one-off issue for me.

When I go through a prestage enrollment and encrypt at login, it works fine in all other cases.

Try creating a new plist that enables encryption at logout if you currently have it at login, and exclude those machines from the current FV2 enablement plist you are using. I've done this for a few machines and got them to actually encrypt.