Macintosh HD unmounted and cannot be remounted...

brenton_noon
New Contributor

Hello all,

We recently started using Jamf in our school district and ran into a very weird issue recently that quite frankly I can't explain and a couple hours scouring the internet was of little to no help. I figured I'd put it up here and see if anyone has any insight, so here's the scoop.

So far this has happened on 2 separate MacBook Airs (2019 model). Can't confirm exact timing but they were within a day of each other for sure. Both reports and subsequent symptoms were identical. The teacher was having trouble connecting to the wifi and restarted the machine. When it came back up, the usual "Username/Password" login screen was not there. Instead, the local administrator account appeared there with a space for the password. Since she could not get in from there she brought it to me.

However, when I entered the password for the local admin account it didn't work. Tried several times and made absolutely sure it was being entered correctly.

Stumped, I booted into recovery mode, and checked the Disk Utility, only to find that the internal system boot disk was unmounted. I attempted to re-mount it but nothing happened. Tried First-Aid and it failed, tried using the Terminal to repair the disk, still failed. Tried safe mode to no avail. Ultimately I could get nothing to work but erasing the disk which then mounted it afterward and I could re-install the OS and so far it's running as expected again. Teacher lost her data though.

Figured it was a one off fluke that night, but was greeted by an email from a colleague asking if anybody else had seen this the following morning, so now I'm concerned.

If anybody can shed some light on what might've caused this, how to solve without data loss, or anything worth trying or checking into I would greatly appreciate it. I can't tell if this is a hardware fault, OSX related, Jamf related, or perhaps a combo. Is there any normal reason the System HD would unmount/appear unmounted like that? It's a mystery I would like to solve before it claims any other victims.

First post here, but having gotten great info from this forum even BEFORE we had Jamf, I'm hopping someone has some bright ideas. At this point the machines have been restored so I can't provide screenshots but if there is further info needed I will do my best to provide it. Thanks!

8 REPLIES 8

a_stonham
Contributor II

If i had to guess it sounds like Filevault was enabled and the local admin account was the only account with a secure token.

jamesandre
Contributor

Just had this happen yesterday with a MacBook Pro (15-inch, 2018) running 10.14.6. Waiting to get a look at it.

In my case Secure Token was enabled for both user accounts.

brenton_noon
New Contributor

I was leaning toward a FileVault as well. @a.stonham if the local admin account had the secure token, shouldn't i have been able to log in using it's credentials? or am I missing something here?

@jamesandre Nice to hear it's not just us, let me know your findings. These devices are also on 10.14.6, I'm wondering if there's something to the double account secure token? If Secure Token was enabled for BOTH the local admin AND the user's account, would that have kept me from being able to unlock it?

Is this the way FileVault is SUPPOSED to function? or is something awry? Is there a way I could unlock it from the recovery terminal? or Jamf for that matter? From what I can tell the only way to turn it off is from within the OS, but if it's not taking my local admin credentials I have no way of getting in.

Also, if someone knows a script or config that would keep users from being prompted to create a secure token upon first login I would love to know about it. Right now that's the only way a non-admin user could have done so. It was a bit of an oversight in our first deployment using Jamf. Any help with that would be much appreciated as I feel it could prevent this issue in the future. Thanks!

jamesandre
Contributor

I haven't been able to mount, unlock, or decrypt the volume. Have tried user accounts, personal and institutional recovery keys too.

brenton_noon
New Contributor

@jamesandre Indeed. I am experiencing the same. EXCEPT, unlike your case, none of ours have secure token enabled for any user. Just got a 4th one this morning. This one was left closed and on site all weekend. Had about 40% battery according to reports. But we she got in this morning it was completely drained, which is strange for it being closed the whole time. Once she got it charged back up enough to boot this issue had taken hold of her device as well.

Also relevant to point out that we had a device that was NOT currently enrolled in Jamf also become a victim.

Wondering about the possibility of a malicious software/actor at this point. Or perhaps a corrupted update. I am attempting to make a device do this at this point. Will post with any findings. Please keep me updated with any relevant info as well.

damienbarrett
Valued Contributor

I saw this yesterday on a 2018 MacBook Air running 10.14.6. User says she was trying to run the latest security update, and upon restart, we were presented with what appears to be a FileVault login window with her username listed. But her password (and she's 100% confident that she's typing it correctly) does not work. No am I able to get to our "Admin" user login because it's at the FileVault login window (not the OS login window). Booting to recovery mode shows the "Macintosh HD" as unmountable. When I turn off Startup Security and boot from a Tools drive, the drive still won't mount. The super curious thing is that FIleVault was NOT ENABLED for this user. Only our faculty are allowed to enable FileVault and this was a student. Also, when I "Get Info" on the volume while booted from Recovery or from the Tools Drive (click on the little "I" button in the top right corner of Disk Utility), it says that the volume is not encrypted.

So, I'm at a total loss here. User is locked out of her system by what appears to be FileVault, but FV wasn't enabled, and while it's enrolled in our JSS, there is no institutional or personal recovery key set (because FV was never enabled!). User insists she's using her account password to authenticate, but it doesn't work. Using the "password reset" tool doesn't work in Recovery mode because I can't get the Macintosh HD to mount.

brenton_noon
New Contributor

@damienbarrett Thanks for the input. I hadn't checked the "Get Info" in the disk utility. Ours also reported that the disk is NOT encrypted. Strange that it's acting as such though right? We also did not have FileVault enabled. We were wondering if perhaps a failed update had corrupted the drive somehow causing this behavior. Your reports seem to possibly support that theory. Have yet to contact Apple support on the issue. Still no hope of data recovery at this point.

jamesandre
Contributor

I believe the security update was run also.

Running "diskutil apfs list" reveals an error for the boot volume (disk1s1) and VM volume (disk1s4).

So maybe the security update corrupted the volume information.

eb03731deff74b67a2d29afcafc61b62