Posted on 05-03-2013 02:07 PM
I've spent my day working with FV2 and VMWare images. Now that I have the VMWare imaging issues resolved, I moved on to testing the FV2 (which is why I was messing with VMWare in the first place).
When I follow Rich's guide to enable FV through Self Service, I ran into a problem that seemed to stem from the root user being disabled, according to https://jamfnation.jamfsoftware.com/discussion.html?id=7051. For giggles I removed the command from the firstboot script and rebuilt the machine (a VM and a MBP). Lo and behold, when I log out of SS it prompts to enter my PW (yay!!!) and then immediately throws up the following message (slightly paraphrased) (boo!!!).
There was a problem enabling FV on your computer. You should use system preferences security & privacy to view or change filevault.
The only thing in the log when I search for "filevault" is
ManagedClient[597]: MCX.doCmdLogout: setupFileVaultFDE enable returned 18
Posted on 05-03-2013 08:16 PM
If the source of the error was fdesetup, that corresponds to this:
18 Unexpected keychain found error.
That error means that fdesetup was set to use an individual recovery key, but fdesetup found a FileVaultMaster.keychain file in /Library/Keychains.
I'd recommend checking your VM's /Library/Keychains folder for FileVaultMaster.keychain. If one's there, remove it and restart. After the restart, log in as the account you were logged in as, log out and see if you are prompted for your password again.
If not, log back in and re-run the policy via Self Service.
Here's the list of error codes that fdesetup can generate. All are listed on the fdesetup man page:
http://www.manpagez.com/man/8/fdesetup/
EXIT STATUS
The exit status of the tool is set to indicate whether any error was detected. The values returned are:
0 No error, or successful operation.
1 FileVault is Off.
2 FileVault appears to be On but Busy.
11 Authentication error.
12 Parameter error.
13 Unknown command error.
14 Bad command error.
15 Bad input error.
16 Legacy FileVault error.
17 Added users failed error.
18 Unexpected keychain found error.
19 Keychain error. This usually means the FileVaultMaster keychain could not be moved or replaced.
20 Deferred configuration setup error.
21 Enable failed (Keychain) error.
22 Enable failed (CoreStorage) error.
23 Enable failed (DiskManager) error.
24 Already enabled error.
25 Unable to remove user.
99 Internal error.
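As an added example (not from this thread or from Apple's fdesetup), here is a small shell helper that maps an fdesetup exit status to the meaning listed above and checks for the stray FileVaultMaster.keychain the answer describes before a policy tries to enable FV2. The keychain path comes from the thread; the function names and the optional path argument are assumptions made so the check can be run against a test file.

```shell
#!/bin/bash
# Added example, not the project's or the poster's code.
# Path named in the thread as the cause of fdesetup status 18.
MASTER_KEYCHAIN="/Library/Keychains/FileVaultMaster.keychain"

# Translate an fdesetup exit status into the man page wording so a
# policy log says more than "returned 18".
fdesetup_status_meaning() {
  case "$1" in
    0)  echo "No error, or successful operation." ;;
    1)  echo "FileVault is Off." ;;
    2)  echo "FileVault appears to be On but Busy." ;;
    11) echo "Authentication error." ;;
    12) echo "Parameter error." ;;
    13) echo "Unknown command error." ;;
    14) echo "Bad command error." ;;
    15) echo "Bad input error." ;;
    16) echo "Legacy FileVault error." ;;
    17) echo "Added users failed error." ;;
    18) echo "Unexpected keychain found error (FileVaultMaster.keychain present while using an individual recovery key)." ;;
    19) echo "Keychain error (FileVaultMaster keychain could not be moved or replaced)." ;;
    20) echo "Deferred configuration setup error." ;;
    21) echo "Enable failed (Keychain) error." ;;
    22) echo "Enable failed (CoreStorage) error." ;;
    23) echo "Enable failed (DiskManager) error." ;;
    24) echo "Already enabled error." ;;
    25) echo "Unable to remove user." ;;
    99) echo "Internal error." ;;
    188) echo "No Recovery Partition found (meaning reported later in this thread, not on the man page)." ;;
    *)  echo "Unknown fdesetup exit status: $1" ;;
  esac
}

# Returns 0 when no master keychain is present, or 18 (mirroring
# fdesetup's own status) when one is. $1 optionally overrides the
# path so the check can be exercised on a scratch file.
check_master_keychain() {
  local path="${1:-$MASTER_KEYCHAIN}"
  if [ -e "$path" ]; then
    echo "Found $path; enabling with an individual recovery key will fail with status 18." >&2
    return 18
  fi
  return 0
}
```

Run check_master_keychain before the enable policy and log fdesetup_status_meaning on the status MCX reports, so a 188 or 18 is explained in the same log line.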
Posted on 05-06-2013 05:45 AM
Thank you! I was looking for that list, my googlefu failed me.
I checked the keychain app and found nothing, but when I went to /library/keychains it was there. I removed it and it prompted/encrypted as expected.
Now I gotta figure out what's causing the creation of that keychain and unlock the root user...
Posted on 05-06-2013 02:44 PM
The FileVaultMaster keychain is created when you use the "Set Master Password..." option in the "Users & Groups" System Preference. Are you, or someone else, doing this as part of your initial setup?
Posted on 05-07-2013 07:04 AM
....
Why yes we are. You're a genius!
Posted on 01-13-2014 01:36 PM
Apple OS X: How to create and deploy a recovery key for FileVault 2
http://support.apple.com/kb/HT5077
Posted on 01-13-2014 02:05 PM
And here I thought it was a limitation of a virtual environment. *hatsoff*
Posted on 02-07-2014 01:28 PM
I'm having the same issue, I deleted the FileVaultMaster.keychain file in /Library/Keychains but when I log out and enter my password it gives me the same error and then the FileVaultMaster.keychain re-appears.
Posted on 04-04-2014 10:34 AM
I'm getting the following when trying to enable FileVault using our institutional key:
Apr 4 10:31:24 franky-mbpr ManagedClient[635]: MCX.doCmdLogout: setupFileVaultFDE enable returned 188
I can't find what that error code means.
Posted on 04-04-2014 11:24 AM
I think I saw that one recently on a machine that had no recovery partition.
Posted on 06-05-2014 01:10 PM
Chris is correct. Error 188 means that it cannot find a Recovery Partition, which is a requirement for FileVault 2.
For modern Macs, we will usually do an internet recovery install of OS X (which creates a Recovery Partition) for Macs we know will be FV'd. Alternately, for older Macs that don't have the ability to do an internet recovery, I've had tons of success with "Recovery Partition Creator".
Posted on 12-04-2014 03:35 AM
Has anyone had an issue with fdesetup where the exit status is always "0" no matter what the outcome?
I'm using the plist method posted here https://jamfnation.jamfsoftware.com/discussion.html?id=11869
When the script runs "sudo fdesetup add -i < /tmp/fvenable.plist" and I purposely enter the incorrect password I get the response "Error: Unable to add user 'username' to existing FileVault because the user could not be authenticated".
Right below this line in the script is "if [ $? = 0 ]; then" which returns a "0 = 0" value and continues even though it failed.
Here is the part of the script:
until [ $counter = 2 ]; do
    sudo fdesetup add -i < /tmp/fvenable.plist
    if [ $? = 0 ]; then
        counter=2
    fi
done
Here is the result, I'm using "set -x" to see these results.
+ sudo fdesetup add -i
Error: Unable to add user 'username' to existing FileVault because the user could not be authenticated.
+ '[' 0 = 0 ']'
+ counter=2
+ '[' 2 = 2 ']'
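As an added example (not the poster's script), the loop above can be made to stop when fdesetup prints an "Error:" line even if its exit status is 0, and to give up after a fixed number of attempts instead of looping forever. FDESETUP_CMD, MAX_ATTEMPTS and the function names are assumptions; the command is overridable so the wrapper can be exercised with a stand-in.

```shell
#!/bin/bash
# Added example, not the poster's or Jamf's code.
# Overridable so the wrapper can be tested without fdesetup present.
FDESETUP_CMD="${FDESETUP_CMD:-sudo fdesetup add -i}"
MAX_ATTEMPTS=2

# One attempt, reading the plist from $1. Returns fdesetup's real exit
# status, or 1 when the status was 0 but the output reported an error
# (the behaviour described in the post above). The plist content,
# which carries credentials, is never echoed.
fdesetup_add_from_plist() {
  local plist="$1" output status
  output="$($FDESETUP_CMD < "$plist" 2>&1)"
  status=$?
  if [ "$status" -ne 0 ]; then
    echo "fdesetup exited with status $status" >&2
    return "$status"
  fi
  if printf '%s\n' "$output" | grep -q '^Error:'; then
    echo "fdesetup exited 0 but reported: $output" >&2
    return 1
  fi
  return 0
}

# Bounded retry: returns 0 on the first success, 1 after MAX_ATTEMPTS
# failures, so a wrong password cannot spin the policy indefinitely.
enable_with_retries() {
  local plist="$1" attempt=1
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    if fdesetup_add_from_plist "$plist"; then
      return 0
    fi
    attempt=$((attempt + 1))
  done
  echo "Giving up after $MAX_ATTEMPTS attempts" >&2
  return 1
}
```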
Posted on 01-20-2015 01:21 PM
Bump. I have started getting the same error that @richmac has:
Error: Unable to add user 'username' to existing FileVault because the user could not be authenticated.
Has anybody gotten this figured out?
Posted on 01-20-2015 01:43 PM
@mattbomarc1 I did solve this, if I remember correctly I had to define $4 and $5 as variables first. For some reason the values set within Casper for $4 and $5 were not being passed into the plist data.
Leave the values set within casper for $4 and $5 and add these to the top of your script:
adminAcc="$4"
adminPass="$5"
Then replace $4 and $5 within the xml with the variables as below
create_plist () {
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>'$adminAcc'</string>
<key>Password</key>
<string>'$adminPass'</string>
<key>AdditionalUsers</key>