Posted on 12-06-2017 01:27 AM
Hello,
I've got an issue with FileVault and my AD user accounts.
We have a password-expiry policy for my AD users who are enabled on FileVault.
On High Sierra the command line "fdesetup sync" is not working, because it is an APFS volume, for syncing the AD password with my AD FileVault users.
Does someone know another solution for this?
They are on MBAs and not always on a network; we have to open a local admin session because their encrypted session needs the older password and sometimes they don't know it.
If someone has an idea about this.
Thanks
Posted on 01-26-2018 10:10 AM
I'm getting the same messages as you are. "This command is not supported on APFS volumes."
I would also be interested in how to do it with APFS.
(We only have local admin accounts and no AD accounts.)
Thanks :)
Posted on 01-26-2018 10:47 AM
This should be fixed in 10.13.3 and will not sync properly once the machine can connect with AD and the user has logged in with the new password.
Posted on 02-15-2018 02:02 PM
I am having the same issue. Changed password, restarted or logged out. I have to log in first with the old password, then with AD credentials.
Posted on 03-21-2018 04:21 AM
I have a tester Mac running 10.13.3 and it still takes days or weeks for the password to sync up.
Posted on 09-10-2018 07:18 AM
For those searching around this topic, here are some more recent experiences/thoughts.
Posted on 09-10-2018 08:26 AM
sudo diskutil apfs changePassphrase <your APFS volume, like: disk1s1> -user <the Disk User cryptographic UUID, like: 12345678-1234-1234-1234567890AB>
will change the FV2 password, but requires you to know the user's old password and their new one. I'm working on a Self Service script to allow users to do this on their own, as it has worked for us across the board when both passwords are known to the user.
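An added wrapper around the changePassphrase approach described above (example code, not from this thread or from Jamf): it resolves the logged-in user's GeneratedUID, confirms that UUID is a cryptographic user on the boot volume by parsing `diskutil apfs listUsers` output, and then lets diskutil prompt for the old and new passphrases so neither ends up in the process list or a policy log. The sample listUsers text and UUIDs are constructed placeholders; the live path assumes the boot volume is mounted at / and that the account's GeneratedUID equals its crypto-user UUID.

```shell
#!/bin/sh
# Added example, not the thread's own code. Wraps `diskutil apfs changePassphrase`
# so the caller never has to type the crypto-user UUID by hand.

# Constructed sample of `diskutil apfs listUsers /` output (placeholder UUIDs),
# used for the offline check of the parser below.
SAMPLE_LISTUSERS='Cryptographic users for disk1s1 (2 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User'

# Print the crypto-user UUID matching a GeneratedUID (case-insensitive), or nothing.
# $1 = listUsers output text, $2 = the user's GeneratedUID
crypto_user_uuid() {
  printf '%s\n' "$1" \
    | grep -i -E -- "\+-- $2" \
    | sed -E 's/.*\+-- //'
}

# Exit status 0 if the GeneratedUID belongs to a FileVault crypto user, 1 otherwise.
is_fv_user() { [ -n "$(crypto_user_uuid "$1" "$2")" ]; }

# Live path (macOS only): rotate the FileVault passphrase for one local/mobile user.
# Assumes the boot volume is mounted at / and GeneratedUID == crypto-user UUID.
sync_fv_password() {
  user="$1"
  guid=$(dscl . -read "/Users/$user" GeneratedUID | awk '{print $2}')
  listing=$(diskutil apfs listUsers /)
  uuid=$(crypto_user_uuid "$listing" "$guid")
  if [ -z "$uuid" ]; then
    echo "$user is not a FileVault user on /; nothing to update" >&2
    return 1
  fi
  volume=$(df / | awk 'NR == 2 {print $1}')   # e.g. /dev/disk1s1
  # With no -oldPassphrase/-newPassphrase flags diskutil prompts interactively,
  # so the passwords stay out of argv and out of Jamf policy logs.
  diskutil apfs changePassphrase "$volume" -user "$uuid"
}

# Run the live path only when a username is supplied, e.g.: ./fvsync.sh jdoe
if [ "$#" -gt 0 ]; then
  sync_fv_password "$1"
fi
```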
Posted on 09-10-2018 10:02 AM
We are using the following script for users to enable FV via Self Service, I found it on here from another member (sorry I don't remember who). It also works to update the FV password after an external AD password change.
#!/bin/sh
# This script is intended to be used with JAMF Self Service. It will enable SecureToken for the currently logged in user account
# and either add it to the list of FileVault enabled users or enable FileVault using a Personal Recovery Key.
# Your policy must include script parameters for a SecureToken enabled administrator username and password. For more information
# on using script parameters, please see https://www.jamf.com/jamf-nation/articles/146/script-parameters.
adminUser="$4"
adminPassword="$5"
userName1="$3"
userName2="$6"
plistPath="/private/tmp/userToAdd.plist"

# Uses AppleScript to prompt the currently logged in user for their account password.
userPassword1=$(/usr/bin/osascript <<EOT
tell application "System Events"
  activate
  display dialog "Please enter your login password:" default answer "" buttons {"Continue"} default button 1 with hidden answer
  if button returned of result is "Continue" then
    set pwd to text returned of result
    return pwd
  end if
end tell
EOT
)

# Enables SecureToken for the currently logged in user account.
# All values are quoted so passwords containing spaces or shell metacharacters are passed intact.
enableSecureToken() {
  sudo sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
}

# Creates a PLIST containing the necessary administrator and user credentials.
# umask 077 makes the file readable only by its owner while it exists. Passwords containing
# XML-reserved characters (&, <) would still need escaping before being placed in the plist.
createPlist() {
  (umask 077; cat > "$plistPath" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$adminUser</string>
  <key>Password</key>
  <string>$adminPassword</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key>
      <string>$userName1</string>
      <key>Password</key>
      <string>$userPassword1</string>
    </dict>
  </array>
</dict>
</plist>
EOF
  )
}

# Adds the currently logged in user to the list of FileVault enabled users.
addUser() {
  sudo fdesetup add -i < "$plistPath"
}

# Enables FileVault using a Personal Recovery Key.
enableFileVault() {
  sudo fdesetup enable -inputplist < "$plistPath"
}

# SecureToken enabled users are automatically added to the list of FileVault enabled users when FileVault is first enabled.
# Removes the specified user(s) from the list of FileVault enabled users.
removeUser() {
  sudo fdesetup remove -user "$adminUser"
  sudo fdesetup remove -user "$userName2"
}

# Updates the Preboot volume's copy of the user records so the current password is accepted at the FileVault login screen.
updatePreboot() {
  diskutil apfs updatePreboot /
}

# Deletes the PLIST containing the administrator and user credentials.
cleanUp() {
  rm -f "$plistPath"
}
# Make sure the credentials file is removed even if one of the fdesetup steps fails.
trap cleanUp EXIT

enableSecureToken
createPlist
if [ "$(sudo fdesetup status | head -1)" = "FileVault is On." ]; then
  addUser
else
  enableFileVault
  #removeUser # We do not want to remove users at this time
fi
updatePreboot
cleanUp
Posted on 09-10-2018 10:46 AM
The part of that script that is syncing the user password to the crypto account password is:
diskutil apfs updatePreboot /
In my testing that does work sometimes (I really can't say what causes it to either work or not), but I've only had 100% success with the changepassphrase command. But in many cases I have seen updatePreboot work as well.
Posted on 09-10-2018 11:00 AM
@hkabik Without specifying the new user password, the updatePreboot command does not work. I'm using one script/policy to enable FV and to update the FV password.