Posted on 07-11-2018 06:12 AM
I just recently enabled FileVault 2 for mobile Macs in my environment, and I have experienced some issues that I'm hoping the good folks here on Jamf Nation can help me with.
When Macs are set up they get a local admin account that is supposed to be FileVault enabled. This is done within a Jamf policy, and I believe it has been working for the most part. The issue I am seeing now is that when I reset the local admin account's password, it appears to have made the account hidden and also made the account no longer FileVault enabled. I have been reading a bit about this, and it appears that changing the password will cause issues with the keychain and FileVault, but I'm not aware of the specifics. Does this disable the account for FV? Or does anyone know why the account would suddenly be hidden?
The way I was thinking of fixing this was to push a policy that deletes the admin account and then push another policy to re-create it and make it FileVault enabled. To me it sounds good in theory, but based on other issues I have been having with my admin account and FileVault, I wanted to see if there is a better way of doing this, or if my fix would work in the way I expect?
Any insight would be much appreciated.
Posted on 07-11-2018 07:11 AM
Ok, so after looking at a user's machine it appears that the admin account is not working at all. When I try to create it with a policy it states that the account is already on the machine. I'm going to see about removing it on some test machines to see if that's even a possibility.
Posted on 07-11-2018 07:58 AM
We used to have issues with hidden admin accounts not getting a secure token, so try adding a non-hidden account and see if it makes a difference.
All users who have FV enabled should be listed: sudo fdesetup list
You can try to give the admin user a secure token manually: sysadminctl interactive -secureTokenOn (username) -password -
Worth running this as well: sudo diskutil apfs updatePreboot /
Posted on 07-12-2018 05:02 AM
Thanks for that info tjhall. I'm looking to give the admin account a token, but it seems that it needs to come from a user that is already FileVault enabled, and at this point that would only be the current user. I can't delete the admin account, for some reason... I suspect it's because it was the first user on the machine...
What does sudo diskutil apfs updatePreboot / do?
Posted on 07-13-2018 02:40 AM
If it doesn't have one then I suggest either rebuilding it (with the new unhidden admin) or deleting the .AppleSetupDone file, which creates a new admin account from scratch (that has a secure token). I run sudo diskutil apfs updatePreboot / since it's fixed the issue where AD users couldn't enable FileVault.
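As an added example (not posted by anyone in this thread), the following script audits one local account for the three things discussed above: whether it appears in fdesetup list, whether sysadminctl reports a secure token for it, and whether its IsHidden flag is set. It assumes the usual output formats of those commands ("username,GeneratedUID" lines, "Secure token is ENABLED/DISABLED for user ...", and "IsHidden: 1"); the sample outputs at the bottom are constructed so the script also runs off a Mac.

```bash
#!/bin/bash
# Audit a local account's FileVault / secure token / hidden state.
# Parsers take command output as text so they can be exercised with the
# constructed samples below; on a Mac, live command output is used.

# fdesetup list prints one "username,GeneratedUID" line per FV-enabled user.
fv_enabled() {            # $1 = user, $2 = fdesetup list output
    printf '%s\n' "$2" | grep -q "^$1,"
}

# sysadminctl -secureTokenStatus reports "Secure token is ENABLED for user X".
token_enabled() {         # $1 = sysadminctl -secureTokenStatus output
    case "$1" in *"Secure token is ENABLED"*) return 0 ;; *) return 1 ;; esac
}

# dscl . -read /Users/<user> IsHidden prints "IsHidden: 1" when hidden.
is_hidden() {             # $1 = dscl output
    case "$1" in *"IsHidden: 1"*) return 0 ;; *) return 1 ;; esac
}

# One summary line, e.g. "ladmin fv=yes token=no hidden=yes".
audit_account() {         # $1 user, $2 fdesetup out, $3 token out, $4 dscl out
    local fv=no tok=no hid=no
    fv_enabled "$1" "$2" && fv=yes
    token_enabled "$3" && tok=yes
    is_hidden "$4" && hid=yes
    printf '%s fv=%s token=%s hidden=%s\n' "$1" "$fv" "$tok" "$hid"
}

# Constructed sample output: the admin is still in fdesetup list but has
# lost its secure token and been hidden, as described in the thread.
SAMPLE_FDE="$(printf 'jdoe,1A2B3C4D-0000-0000-0000-000000000001\nladmin,1A2B3C4D-0000-0000-0000-000000000002\n')"
SAMPLE_TOKEN='sysadminctl[123:456] Secure token is DISABLED for user ladmin'
SAMPLE_DSCL='IsHidden: 1'

if command -v fdesetup >/dev/null 2>&1 && [ -n "$1" ]; then
    # Live audit on a Mac: ./audit.sh <account>   (fdesetup list needs root)
    audit_account "$1" "$(sudo fdesetup list)" \
        "$(sysadminctl -secureTokenStatus "$1" 2>&1)" \
        "$(dscl . -read "/Users/$1" IsHidden 2>&1)"
else
    audit_account ladmin "$SAMPLE_FDE" "$SAMPLE_TOKEN" "$SAMPLE_DSCL"
fi
```

An account that shows fv=yes but token=no is the state this thread describes; granting the token with the sysadminctl command above and running updatePreboot is the repair path the replies suggest.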