I was wondering if anyone else had seen this problem. I have had two users (both on High Sierra and laptops) that were unable to unlock their machine even though they were enabled as FileVault users.
One thing that is unique to their situations is that I fully encrypted the devices before the users created their accounts on their devices. I enabled their accounts after they logged in for the first time. When they restart the machine, only our admin account shows on the FileVault sign-in screen.
Has anyone else experienced this?
It sounds like they don't have SecureTokens tied to their accounts. You can check with the sysadminctl command.
sysadminctl interactive -secureTokenStatus TheirUsername
That will prompt you for your password, after you authenticate it will return something like:
sysadminctl[23116:2369928] Secure token is ENABLED for user Their Username
Or DISABLED if they don't have a secure token.
If you need to grant them a secure token you use a similar command...
sysadminctl interactive -secureTokenOn TheirUsername -password -
That will prompt you for an admin password; be sure to use one that is already available at the FileVault unlock screen. Once you authenticate, it will prompt you for their password in Terminal; have them enter it.
If it works you'll get something similar to "sysadminctl[23188:2372666] - Done!"
This is all new to High Sierra and has changed a few times since its initial release. Hope that helps!
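To catch accounts without a token before a user gets stuck at the pre-boot screen, here is an added bash audit script (not from the original thread) that wraps the same sysadminctl -secureTokenStatus check across every local account; the function names and the UID >= 500 filter for "regular" users are my assumptions, and it needs a macOS host with sysadminctl (High Sierra or later).

```shell
#!/bin/bash
# Added example: audit which local accounts hold a SecureToken.
# Assumes macOS with sysadminctl (High Sierra+); run as an admin user.

# Extract ENABLED/DISABLED from one line of sysadminctl -secureTokenStatus
# output, e.g. "sysadminctl[23116:2369928] Secure token is ENABLED for user bob".
# Prints UNKNOWN when the line does not match (e.g. a "user not found" error).
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  printf 'ENABLED\n' ;;
        *"Secure token is DISABLED for user"*) printf 'DISABLED\n' ;;
        *)                                     printf 'UNKNOWN\n' ;;
    esac
}

# Query one user. sysadminctl writes its status line to stderr, so the
# 2>&1 redirect is required or the result is silently lost.
token_status_for_user() {
    local out
    out=$(sysadminctl -secureTokenStatus "$1" 2>&1)
    parse_token_status "$out"
}

# List local accounts with UID >= 500 (assumption: these are the human
# accounts; system accounts sit below 500).
local_user_accounts() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Print one "user status" line per account; return non-zero if any
# account is DISABLED, so the script can feed a monitoring check.
audit_secure_tokens() {
    local user status missing=0
    for user in $(local_user_accounts); do
        status=$(token_status_for_user "$user")
        printf '%-20s %s\n' "$user" "$status"
        [ "$status" = "DISABLED" ] && missing=1
    done
    return $missing
}

# Run the audit only when executed directly on a Mac, so the functions
# can also be sourced from other scripts.
if [ "${BASH_SOURCE[0]}" = "$0" ] && command -v sysadminctl >/dev/null 2>&1; then
    audit_secure_tokens
fi
```

Any account reported DISABLED is exactly the case described above and needs the sysadminctl -secureTokenOn step run by a token holder.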