FileVault Sync PWD User AD High Sierra

lrabotteau
New Contributor III

Hello,

I've got an issue with FileVault and my AD user accounts.

We have a password expiration policy for my AD users enabled on FileVault.

On High Sierra, the command "fdesetup sync" for syncing the AD password with my AD FileVault users is not working because it is an APFS volume.

Does anyone know another solution for this?

They are on MBAs and not always on a network. We have to open a local admin session because their encrypted session needs the older password, and sometimes they don't know it.

If anyone has an idea about this.

Thanks

9 REPLIES

fafawe
New Contributor III

I'm getting the same messages as you are. "This command is not supported on APFS volumes." I would also be interested in how to do it with APFS.
(We only have local admin accounts and no AD accounts.)

Thanks :)

ClassicII
Contributor III

This should be fixed on 10.13.3 and will not sync properly once the machine can connect with AD and the user has logged in with the new password.

ammonsc
Contributor II

I am having the same issue. Changed password, restart or logout. I have to log in first with the old password, then with AD credentials.

AVmcclint
Honored Contributor

I have a tester Mac running 10.13.3 and it still takes days or weeks for the password to sync up.

mark_mahabir
Valued Contributor

For those searching around this topic, here are some more recent experiences/thoughts.

hkabik
Valued Contributor

sudo diskutil apfs changePassphrase <your APFS volume, like: disk1s1> -user <the Disk User cryptographic UUID, like: 12345678-1234-1234-1234567890AB>

Will change the FV2 password, but requires you to know the user's old password and their new one. I'm working on a Self Service script to allow users to do this on their own, as it has worked for us across the board when both passwords are known to the user.
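
An added example, not part of the original post: a check that a user's UUID is listed as a cryptographic user on the volume before the changePassphrase command above is run. It parses `diskutil apfs listCryptoUsers` output; the sample listing and its UUIDs are constructed, the function names are hypothetical, and it assumes the account's GeneratedUID is the UUID shown in that listing.

```shell
#!/bin/sh
# Added example, not from the thread. The listing below is a constructed sample
# of `diskutil apfs listCryptoUsers /` output; both UUIDs are made up.
SAMPLE_OUTPUT='Cryptographic users for disk1s1 (2 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|
+-- 99999999-8888-7777-6666-555555555555
|   Type: Personal Recovery User'

# Print the volume named in the first line of the listing on stdin.
listing_volume() {
    awk 'NR == 1 && $1 == "Cryptographic" { print $4 }'
}

# Print "UUID<TAB>Type" for every cryptographic user in the listing on stdin.
list_crypto_users() {
    awk '/^\+-- / { uuid = $2; next }
         /Type:/ && uuid != "" { sub(/^.*Type: */, ""); print uuid "\t" $0; uuid = "" }'
}

# Succeed only if the UUID in $1 is listed as a Local Open Directory User.
# Assumption: on the Mac this UUID comes from
#   dscl . -read "/Users/$user" GeneratedUID
is_filevault_user() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    list_crypto_users | awk -F '\t' -v want="$want" '
        toupper($1) == want && $2 == "Local Open Directory User" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the command from the post for a volume ($1) and user UUID ($2).
# The old and new passwords are still needed when it is run.
change_passphrase_cmd() {
    printf 'diskutil apfs changePassphrase %s -user %s\n' "$1" "$2"
}

# Demo on the constructed listing; on a Mac, pipe the real listing in instead.
uuid=11111111-2222-3333-4444-555555555555
if printf '%s\n' "$SAMPLE_OUTPUT" | is_filevault_user "$uuid"; then
    change_passphrase_cmd "$(printf '%s\n' "$SAMPLE_OUTPUT" | listing_volume)" "$uuid"
else
    echo "no cryptographic user $uuid on this volume" >&2
fi
```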

MrRoboto
Contributor III

We are using the following script for users to enable FV via Self Service, I found it on here from another member (sorry I don't remember who). It also works to update the FV password after an external AD password change.

#!/bin/sh
# This script is intended to be used with JAMF Self Service. It will enable SecureToken for the currently logged in user account
# and either add it to the list of FileVault enabled users or enable FileVault using a Personal Recovery Key.

# Your policy must include script parameters for a SecureToken enabled administrator username and password. For more information
# on using script parameters, please see https://www.jamf.com/jamf-nation/articles/146/script-parameters.

adminUser="$4"
adminPassword="$5"
userName1="$3"
userName2="$6"

# Uses AppleScript to prompt the currently logged in user for their account password.
userPassword1=$(/usr/bin/osascript <<EOT
tell application "System Events"
activate
display dialog "Please enter your login password:" default answer "" buttons {"Continue"} default button 1 with hidden answer
if button returned of result is "Continue" then
set pwd to text returned of result
return pwd
end if
end tell
EOT
)

# Enables SecureToken for the currently logged in user account.
enableSecureToken() {
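    # Quote every value so names or passwords containing spaces or glob characters are passed intact.
    sudo sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"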
}

# Creates a PLIST containing the necessary administrator and user credentials.
createPlist() {
    # The file holds plaintext credentials: create it readable by the owner only.
    umask 077
    # Values are inserted verbatim, so a password containing & or < produces an invalid plist.
    echo '<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>Username</key>
    <string>'"$adminUser"'</string>
    <key>Password</key>
    <string>'"$adminPassword"'</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>'"$userName1"'</string>
            <key>Password</key>
            <string>'"$userPassword1"'</string>
        </dict>
    </array>
    </dict>
    </plist>' > /private/tmp/userToAdd.plist
}

# Adds the currently logged in user to the list of FileVault enabled users.
addUser() {
    sudo fdesetup add -i < /private/tmp/userToAdd.plist
}

# Enables FileVault using a Personal Recovery Key.
enableFileVault() {
    sudo fdesetup enable -inputplist < /private/tmp/userToAdd.plist
}

# SecureToken enabled users are automatically added to the list of Filevault enabled users when FileVault first is enabled.
# Removes the specified user(s) from the list of FileVault enabled users.
removeUser() {
    sudo fdesetup remove -user "$adminUser"
    sudo fdesetup remove -user "$userName2"
}

# Update the preboot role volume's subject directory.
updatePreboot() {
    diskutil apfs updatePreboot /
}

# Deletes the PLIST containing the administrator and user credentials.
cleanUp() {
    rm /private/tmp/userToAdd.plist
}

#

enableSecureToken
createPlist
# "=" is the portable string comparison for [ ] under /bin/sh.
if [ "$(sudo fdesetup status | head -1)" = "FileVault is On." ]; then
    addUser
else
    enableFileVault
    #removeUser     # We do not want to remove users at this time
fi
updatePreboot
cleanUp
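
A hardened way to build the credentials plist that the script above writes to /private/tmp/userToAdd.plist, as an added example that is not part of the original post: values are XML-escaped and the file is created with mktemp so that only its owner can read it. The function names and the credentials in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the script from the post.

# Escape the characters that are special in XML text so that a password such
# as 'p&ss<1>' still yields a well-formed plist. "&" must be replaced first.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Write the plist to a new file readable by its owner only and print the path.
# Arguments: admin user, admin password, user to add, that user's password.
write_fv_plist() {
    plist=$(umask 077; mktemp "${TMPDIR:-/tmp}/fvuser.XXXXXX") || return 1
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$(xml_escape "$3")</string>
            <key>Password</key>
            <string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
    printf '%s\n' "$plist"
}

# On the Mac (as root) the file would be used as in the post and then removed:
#   plist=$(write_fv_plist "$adminUser" "$adminPassword" "$userName1" "$userPassword1")
#   trap 'rm -f "$plist"' EXIT
#   fdesetup add -inputplist < "$plist"

# Demo with constructed credentials: build the file, show it, delete it.
demo=$(write_fv_plist admin 'p&ss<1>' jdoe 'secret') && cat "$demo" && rm -f "$demo"
```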

hkabik
Valued Contributor

The part of that script that is syncing the user password to the crypto account password is:

diskutil apfs updatePreboot /

In my testing that does work sometimes (I really can't say what causes it to either work or not), but I've only had 100% success with the changePassphrase command. But in many cases I have seen updatePreboot work as well.

MrRoboto
Contributor III

@hkabik Without specifying the new user password, the updatePreboot command does not work. I'm using one script/policy to enable FV and to update the FV password.