FileVault accounts not being enabled

mcsoellner
New Contributor III

Hi everyone,

I was wondering if anyone else had seen this problem. I have had two users (both on High Sierra and laptops) that were unable to unlock their machine even though they were enabled as FileVault users.

One thing that is unique to their situations is that I fully encrypted the devices before the users created their accounts on their devices. I enabled their accounts after they logged in for the first time. When they restart the machine, our admin account will only show on the FileVault sign in screen.

Has anyone else experienced this?

3 REPLIES

The_Lapin
New Contributor III

It sounds like they don't have SecureTokens tied to their accounts. You can check with the sysadminctl command.

sysadminctl interactive -secureTokenStatus TheirUsername

That will prompt you for your password. After you authenticate, it will return something like:

sysadminctl[23116:2369928] Secure token is ENABLED for user Their Username

Or DISABLED if they don't have a secure token.

If you need to grant them a secure token you use a similar command...

sysadminctl interactive -secureTokenOn TheirUsername -password -

That will prompt you for an admin password; be sure to use one that is already available at the FileVault unlock screen. Once you authenticate, it will prompt you for their password in Terminal; have them enter it.

If it works you'll get something similar to "sysadminctl[23188:2372666] - Done!"

This is all new to High Sierra and has changed a few times since its initial release. Hope that helps!
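As an added example (not part of the thread), this script sorts saved output of the status command in the reply above into accounts with and without a secure token, so the DISABLED ones can be followed up. It assumes one status line per account in the format quoted in the reply; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify saved `sysadminctl ... -secureTokenStatus` output.
# SAMPLE_OUTPUT is constructed; it follows the line format quoted in the
# reply above, with made-up process IDs and account names.
SAMPLE_OUTPUT='sysadminctl[23116:2369928] Secure token is ENABLED for user Local Admin
sysadminctl[23120:2369951] Secure token is DISABLED for user Jane Example
sysadminctl[23124:2369977] Secure token is DISABLED for user Sam Sample
an unrelated line that must be ignored'

# parse_token_status (hypothetical helper): read status output on stdin and
# print "STATE<TAB>name" for each status line. Names may contain spaces,
# so everything after " for user " is kept as the name.
parse_token_status() {
    awk '{
        i = index($0, "Secure token is ")
        if (i == 0) next
        rest = substr($0, i + 16)            # text after "Secure token is "
        split(rest, w, " ")
        if (w[1] != "ENABLED" && w[1] != "DISABLED") next
        j = index(rest, " for user ")
        if (j == 0) next
        printf "%s\t%s\n", w[1], substr(rest, j + 10)
    }'
}

# users_without_token (hypothetical helper): names reported as DISABLED.
users_without_token() {
    parse_token_status | awk -F'\t' '$1 == "DISABLED" { print $2 }'
}

# any_missing (hypothetical helper): exit status 0 when at least one
# account on stdin is reported as DISABLED, 1 otherwise.
any_missing() {
    [ -n "$(users_without_token)" ]
}

# Demonstration on the constructed sample: prints the two DISABLED accounts.
printf '%s\n' "$SAMPLE_OUTPUT" | users_without_token
```

To use it on real data, replace the sample with output collected from the status command for each account; on the versions I have seen, sysadminctl writes these lines to stderr, so capture with `2>&1`.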

mcsoellner
New Contributor III

@The_Lapin Thanks for the info! I am meeting with one of the users tomorrow. I'll try this out.

steve_bills
New Contributor II

If you do a search on Rich Trouton's website here....

https://derflounder.wordpress.com

...he has several posts about using FileVault. It's been very helpful for me.