I had something come up the other day that used to work perfectly fine on High Sierra and earlier.
I've got a user that forgot the password for their account -- used the escrowed FileVault recovery key to unlock the disk, which worked, but when that was done it prompted them to reset their password (totally expected).
The catch is that it wanted the "Master Password" before they could reset their password.
We're in an AD environment, but even with a local user I experience issues -- basically it unlocks this disk and then pops up and asks for a password again (which isn't helpful if the user has forgotten their password).
This doesn't appear to be an APFS issue because I didn't have this issue on High Sierra with APFS + encrypted Macs.
Both my test Mac and the user's Mac are 10.4.4, so I can't say whether this is all of Mojave or unique to 10.4.4.
Curious if anyone else has dealt with this.
There is a known bug with the FileVault recovery process on 10.14.4 specifically. We use local accounts and the behavior is that after using a recovery key it does not let you reset the password unless you use the password utility from the recovery partition. Apple has confirmed the bug.
@mapurcel I am also able to reproduce on 10.14.3; I just confirmed.
If it's a confirmed bug, maybe it's just been noticed finally on 10.4.4?
@dswitmer User had to come on-site, I had to manually log in and touch the machine and then reset with our AD server -- which is not exactly ideal for a variety of reasons.
EDIT: oh, it looks like you're not asking me for the follow-up. Also curious. Ignore me! 🙂
We use local accounts and the bug is only present on 10.14.4. When a FileVault Recovery Key is used, the user is prompted to reset the password but no password is accepted (shakes). At this point the user is locked out of the machine at the login screen. You can use password utility to reset the user account password and successfully login with the new password.
It gets even more complicated on single-user systems that have a T2 chip, which require authentication to use Terminal in Recovery.
Also worth noting that in our testing if you have an institutional key on the system you'll get a confusing 'Master Password' prompt after attempting to set a new password for the local user using the individual key at the FV login screen. There is no master password set and you will not be able to enter anything successfully in this prompt. Apple has acknowledged this defect with us and is investigating.
I wrote about this here.
For 10.14.4: if you can't get into Terminal due to FV2 on a T2 device and you have the firmware password off, you can wait 1 min; then the screen will say "Did you reset your password? If so, power the system off now," and you will be booted to the Reset Password utility.
You can read about what you have to do to reset an AD Mobile Account user here.