Posted on 12-04-2014 04:14 PM
I've run into this problem a few times now but unfortunately I can't seem to reproduce it myself. User accounts are all Local.
I have a new MacBook I provision, FileVault turned on and I send it to the user. They login and change their password. When they boot up again and at the FileVault screen, their new password doesn't work. They have to enter the old password, then they get the login screen and must use the new password.
Very odd. Running 10.10.1 on all of them.
Posted on 12-05-2014 11:48 AM
After a couple days the user said the FileVault login screen is now accepting his new password. Seems like whatever mechanism OS X is using to update the Recovery HD didn't kick off until a few reboots later. Like I said, i can't reproduce the error but 2 different people had the same problem, so I do believe them, even if they are end users. :)
Posted on 12-05-2014 12:17 PM
We see that too. It's not reproducible at will, but it happens often enough.
Posted on 12-05-2014 12:22 PM
Yeah, same here. Its random and kind of unexplainable, but sometimes the password just doesn't sync up right away. In some rare cases, it never actually syncs and we need to take some more drastic measures. Don't know why. I suspect bugs in Apple's FDE process that handles the password syncing.
Posted on 12-10-2014 01:23 AM
have you tried an "fdesetup sync", even if these accounts are local?
Posted on 12-10-2014 04:40 AM
fdesetup sync will not help you update the password; this is an area where the fdesetup sync command can be a little misleading. It does not pull users or passwords from your directory service. Instead, it's used to automatically remove users from a Mac’s list of FileVault 2-enabled users.
The general idea is that, as people leave and their accounts are removed from your AD or OD server, you can run fdesetup sync with root privileges on your Macs and those removed accounts will also be removed from the Mac’s FileVault 2 pre-boot login screen.
The sync only affects the account’s FileVault 2 status and will not remove the account or account home folder from the Mac. One other important thing to know is that fdesetup sync does not allow accounts to be automatically added, only removed.
Posted on 01-15-2015 05:40 AM
I have a Radar open with Apple for a similar issue (which they replied to by explaining to me how to enter a password, but that's another story), and I'm wondering if you're seeing the same thing.
Out of curiosity, is "Require user to unlock FileVault 2 after hibernation" enabled on a configuration profile, or have you enabled the destroyfvkeyonstandby option manually, on the affected computer? If that is enabled on any of my managed devices, the FDE stored key doesn't update properly. Bug # 19360344, if anyone wants to reference it.
Posted on 05-20-2015 11:20 AM
@bvrooman Sorry for such a late response, didn't even notice. I do not have require user to unlock FileVault2 after hibernation enabled. I did change it on like 3 computers to test but none of those users were the ones having problems.
Posted on 10-15-2015 01:08 PM
Thanks to @rtrouton for pointing me to this script which I'll be using to update the FV password