Macbook Pro 2018 and Disk Password

Contributor III

So finally got a shiny (well space gray) new MacBook Pro 2018 on Friday, and my whole weekend went kaput. So I'm looking to see if anyone is having similar issues and if they have any solutions. I suspect I might need to contact on this one.

So our imaging process involves user-enrollment. During the process it turns on FileVault via the following:
diskutil apfs encryptVolume /dev/disk1s1 -user disk -passphrase <passphrase>

This process has served us well for many years since Apple started their secure token trick. But when we use this with the new MacBook Pro 2018, it works, but not really. When rebooting, you see the admin user and Disk Password. When you select Disk Password and put the phrase in, it doesn't work. It gives the wrong password jiggle.

This morning I've imaged two old machines, and 4 virtual ones in VM and confirmed that they all work ok. Had to use internet recovery to put the new MacBook Pro 2018 to factory conditions and test again...but so far I'm seeing Disk Password fail using it.

Anyone else seeing this?


Valued Contributor

Are you actually imaging it? Like wiping and re-installing a specific version of macOS?

Or you just mean your set up process involves that command.

Contributor III

@boberito we're not wiping it....using the OS that is already on it.

Here's a quick test if you want to try it:
1) Get a MacBook Pro 2018
2) Boot up and create admin account
3) Go into terminal and type the following:
diskutil apfs encryptVolume /dev/disk1s1 -user disk -passphrase test1234

5) Click on Disk Password and type in test1234

Also when going into CMD-R afterwards when you try to unlock the disk using Disk Password test1234 still doesn't work.

UPDATE: So tested the command without the passphrase, which prompts me for the phrase....still didn't like it after rebooting.

New Contributor III

What I found with our T2 chip enabled MacBook Pros is that the Apple Setup Assistant does not create the SecureToken when the first administrator account is created. The SecureToken is created only AFTER manually starting the FileVault process (you can cancel the process where FV asks for where to save the key).

Still digging....
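Since the thread points at a missing SecureToken on T2 machines as the reason the Disk Password is rejected, a defensible setup script should check the token before running encryptVolume. The following is an added example, not code from any poster; it assumes the real `sysadminctl -secureTokenStatus <user>` command (which writes its "Secure token is ENABLED/DISABLED for user ..." line to stderr) and uses constructed sample output so the parsing can be exercised off a Mac.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to enable FileVault for an
# account that holds no SecureToken, because on T2 Macs Setup Assistant may
# not grant one and the Disk Password / user unlock then fails at boot.
# Sample sysadminctl output below is constructed for offline testing.
SAMPLE_ENABLED='2018-07-16 09:00:00.000 sysadminctl[512:7788] Secure token is ENABLED for user admin'
SAMPLE_DISABLED='2018-07-16 09:00:01.000 sysadminctl[513:7790] Secure token is DISABLED for user admin'

# Parse one sysadminctl output line; prints enabled, disabled or unknown.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# Query the live system (macOS only). sysadminctl logs to stderr, so merge it.
secure_token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Gate: return 0 only when encryptVolume is safe to run for this user.
# Takes the already-parsed status so it can be tested without a Mac.
token_gate() {
  user="$1"; status="$2"
  case "$status" in
    enabled)
      echo "ok: $user holds a SecureToken; FileVault unlock should work"
      return 0 ;;
    disabled)
      echo "refuse: $user has no SecureToken; start FileVault from System Preferences first (per the thread) so the token is created" >&2
      return 1 ;;
    *)
      echo "refuse: could not determine SecureToken status for $user" >&2
      return 2 ;;
  esac
}

# On a real machine (volume /dev/disk1s1 as in the thread; hypothetical user 'admin'):
#   u=admin
#   if token_gate "$u" "$(secure_token_status "$u")"; then
#     diskutil apfs encryptVolume /dev/disk1s1 -user disk
#   fi
```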

Contributor III

@mortopc4 Will test on my side as well and report back.

UPDATE: so it did work, but only shows the user and not the "Disk Password". Will keep testing.

Contributor II

In our environment we have a Jamf policy with Enable FileVault run when the user logs in - this enables FileVault at next boot - once the disk is encrypted I have a script that runs that prompts the user for their password (hashed) which enables the management account for FileVault - works like a charm for even the new 2018 Macs.

Contributor III

@bwiessner Looking at the script, I'm trying to figure out some of the parts. I can't seem to find a MAN file for sysadminctl to figure out what the SALT is. Would like to test the script on one of our machines to see if it works, but trying to figure out what to put in for SALT.

NVMR...Salt is for the encryption......figured it out.