Background: We currently apply a configuration profile to enforce FileVault, with a personal recovery key and redirection payload. We use DEP and create local user accounts, we're not AD bound or using Jamf connect etc. as yet. We create an admin support account that's hidden
1) Approx 20% of our machines don't have encrypted disks. The Policy to apply filefault completes but says, "FileVault is Off.
Deferred enablement appears to be active for user..."
In some of these instances, the same machines are now failing to install updates, e.g. Big Sur 11.2.2 to 11.2.3 - the update requests a password, the user enters the correct password but the password is not accepted - I think this could be related.
2) Supporting users without the hidden local admin account having access to log on can be problematic and prevent troubleshooting. I'd like for our local admin account to be added as a FV user and be able to unlock the disk at first logon.
Any support on t he above two points appreciated.
I assume you have tried logging off and logging back on as the user to see if they get prompted to enable Filevault? Does the user listed in the error match the local user?
1 sounds like it could be a Secure Token issue. Are you sure the the local user has a Secure Token? (if you don't know, run the following terminal command
sysadminctl -secureTokenStatus <<username>> . If the user does not have a Secure Token, you will need to which account has a Secure Token (usually the first user created.)
2 is very similar, once you have a user with a Secure Token, you can grant other users Secure Tokens, but you need to know the password of the first Secure Token user. There are scripts avaliable to prompt the user for their password and grant your local admin a Secure Token.
Take a look at this blog page:
Travelling Tech Guy - Secure Tokens
It has a lot of good information about how to manage Secure Tokens. He has a good post about whether granting a local admin a secure token is a good idea or not.
We are experiencing same problem. It looks like the reason FileVault is not able to be enabled is because (for some unknown reason) the root user is being designated as the FileVault user during the initial setup process (but the drive is still not encrypted). Our only solution thus far has been to wipe the machine and start over, so I'm open to any suggestions as to how to either remediate the computers or prevent the issue from occurring. We've used the same process for years - it's only been an issue with the latest releases of MacOS BigSur. When I run at the command line:
on this computer, it returns: