Local Password change not updating FileVault password

matt_jamison
Contributor

I've run into this problem a few times now but unfortunately I can't seem to reproduce it myself. User accounts are all Local.

I have a new MacBook I provision, FileVault turned on and I send it to the user. They login and change their password. When they boot up again and at the FileVault screen, their new password doesn't work. They have to enter the old password, then they get the login screen and must use the new password.

Very odd. Running 10.10.1 on all of them.

Any ideas?


matt_jamison
Contributor

After a couple of days the user said the FileVault login screen is now accepting his new password. Seems like whatever mechanism OS X is using to update the Recovery HD didn't kick off until a few reboots later. Like I said, I can't reproduce the error, but 2 different people had the same problem, so I do believe them, even if they are end users. :)

alexjdale
Valued Contributor III

We see that too. It's not reproducible at will, but it happens often enough.

mm2270
Legendary Contributor III

Yeah, same here. It's random and kind of unexplainable, but sometimes the password just doesn't sync up right away. In some rare cases, it never actually syncs and we need to take some more drastic measures. Don't know why. I suspect bugs in Apple's FDE process that handles the password syncing.

m_entholzner
Contributor III

Have you tried an "fdesetup sync", even if these accounts are local?

rtrouton
Release Candidate Programs Tester

fdesetup sync will not help you update the password; this is an area where the fdesetup sync command can be a little misleading. It does not pull users or passwords from your directory service. Instead, it's used to automatically remove users from a Mac’s list of FileVault 2-enabled users.

The general idea is that, as people leave and their accounts are removed from your AD or OD server, you can run fdesetup sync with root privileges on your Macs and those removed accounts will also be removed from the Mac’s FileVault 2 pre-boot login screen.

The sync only affects the account’s FileVault 2 status and will not remove the account or account home folder from the Mac. One other important thing to know is that fdesetup sync does not allow accounts to be automatically added, only removed.
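Since `fdesetup sync` only ever removes accounts, the practical check before running it is to see which FileVault 2-enabled accounts no longer exist locally (those are the ones sync would drop) and which local accounts are not enabled at all (those sync will never add, and they are the ones that show up as "my password doesn't work at the pre-boot screen"). The script below is an added example, not code from this thread or from Apple; it assumes the documented output shapes of `fdesetup list` (one `username,GeneratedUID` line per enabled user) and `dscl . -list /Users` (one short name per line), and the sample output embedded in it is constructed so the functions can be exercised on a machine without FileVault.

```shell
#!/bin/bash
# Added example (not from the thread): compare the FileVault 2-enabled user
# list with the local account list. The parsing functions take text as
# input so they can run against the constructed sample below; on a Mac,
# pass them the real output of `fdesetup list` (run as root) and
# `dscl . -list /Users`.

# Constructed sample output of `fdesetup list`: "username,GeneratedUID".
SAMPLE_FDESETUP_LIST='matt,1B2E3F44-0000-4C00-8000-AAAAAAAAAAAA
jdoe,7D8E9F00-0000-4C00-8000-BBBBBBBBBBBB
departed,C0FFEE00-0000-4C00-8000-CCCCCCCCCCCC'

# Constructed sample output of `dscl . -list /Users` (system accounts included,
# as the real command prints them).
SAMPLE_DSCL_USERS='_spotlight
daemon
jdoe
matt
newhire
nobody
root'

# Print just the usernames from `fdesetup list` output ($1).
fv_users() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# Exit 0 if user $2 is FileVault-enabled according to the list output in $1.
fv_is_enabled() {
    fv_users "$1" | grep -qx -- "$2"
}

# FileVault-enabled users that no longer exist as local accounts.
# These are the accounts `fdesetup sync` would remove from the pre-boot screen.
# $1: `fdesetup list` output, $2: `dscl . -list /Users` output.
fv_stale() {
    fv_users "$1" | awk -v accts="$2" '
        BEGIN { n = split(accts, a, "\n"); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        !($0 in have)'
}

# Local (non-system) accounts that are NOT FileVault-enabled. `fdesetup sync`
# never adds these; they need `fdesetup add` (or Users & Groups) to get a
# pre-boot entry at all.
fv_missing() {
    printf '%s\n' "$2" | grep -v '^_' | grep -vx -e root -e daemon -e nobody \
      | awk -v enabled="$(fv_users "$1")" '
        BEGIN { n = split(enabled, a, "\n"); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        !($0 in have)'
}

# Stand-alone run: use the real commands on a Mac with FileVault, otherwise the
# constructed sample so the report can be seen anywhere.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    list_out="$(fdesetup list 2>/dev/null || true)"
    users_out="$(dscl . -list /Users)"
else
    list_out="$SAMPLE_FDESETUP_LIST"
    users_out="$SAMPLE_DSCL_USERS"
fi
echo "FileVault-enabled users:"; fv_users "$list_out" | sed 's/^/  /'
echo "Enabled but no local account (fdesetup sync would remove):"; fv_stale "$list_out" "$users_out" | sed 's/^/  /'
echo "Local accounts not FileVault-enabled (sync will NOT add):"; fv_missing "$list_out" "$users_out" | sed 's/^/  /'
```

On the sample data, `departed` is what sync would remove, and `newhire` is the account that needs to be added explicitly. For the password-not-updating case in the original post, note that the affected user does appear in `fdesetup list`; the entry exists, it is the stored credential behind it that is stale, which is why this listing will look perfectly normal.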

bvrooman
Valued Contributor

I have a Radar open with Apple for a similar issue (which they replied to by explaining to me how to enter a password, but that's another story), and I'm wondering if you're seeing the same thing.

Out of curiosity, is "Require user to unlock FileVault 2 after hibernation" enabled on a configuration profile, or have you enabled the destroyfvkeyonstandby option manually, on the affected computer? If that is enabled on any of my managed devices, the FDE stored key doesn't update properly. Bug # 19360344, if anyone wants to reference it.

matt_jamison
Contributor

@bvrooman Sorry for such a late response, I didn't even notice. I do not have "Require user to unlock FileVault 2 after hibernation" enabled. I did change it on like 3 computers to test, but none of those users were the ones having problems.

lkrasno
Contributor II

Thanks to @rtrouton for pointing me to this script, which I'll be using to update the FV password:

https://github.com/jamfit/Encrypted-Script-Parameters