When our users change passwords (not via NoMAD; IT changes them via AD etc.), and the user then logs in on the network with the new password, updates the keychain password etc. and restarts, it still doesn't update the FileVault login. `diskutil apfs updatePreboot /` works 10% of the time, so we are having to fix it through fdesetup by removing the user and re-adding them via Terminal to sync the passwords. Is there any known fix?
@mark.mahabir NoMAD seems fine at the moment, even though I haven't tested much. Our issue is that we cannot use local accounts (Security etc.), and users either let their passwords run down past zero and first-line IT resets them remotely, and/or in cases of a security breach IT Security resets the account passwords. This is beginning to become a major issue for us.
@kowsar.ahmed Yes, there was a big thread on this topic in the MacAdmins Slack a few weeks ago. If you have an Apple support agreement, or have an Apple rep assigned to your org it would be great for you to add to the pile of complaints.
The problem will occur if the password is changed off the Mac in something like Active Directory or Okta (but I'm not sure if there's a difference between on-network and off-network). The workaround is to remove the SecureToken, then re-assign the SecureToken to the affected user.
Apple's current response is that they're aware of the problem, however there was not a full commitment to resolve the issue until macOS 10.15 (at the earliest).
If fdesetup isn't always working for you, others reported success with:
sysadminctl -adminUser $LocalAdminWithSecureTokenHere -adminPassword $LocalAdminPasswordHere -secureTokenOff $ADUserNameHere -password $ADUserPasswordHere
sysadminctl -adminUser $LocalAdminWithSecureTokenHere -adminPassword $LocalAdminPasswordHere -secureTokenOn $ADUserNameHere -password $ADUserPasswordHere
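As an added example (not code posted by anyone in this thread), the script below wraps the two sysadminctl calls above, the secureTokenOff / secureTokenOn toggle, in a status check before and after, so the toggle is only attempted when the user actually holds a SecureToken, and a user who has no token at all just gets one granted. The argument names (local admin that already holds a token, the affected AD user and that user's new AD password) and the `RUNNER` / dry-run mechanism are this example's own assumptions; `sysadminctl -secureTokenStatus` and its "Secure token is ENABLED/DISABLED" wording are what macOS prints.

```bash
#!/bin/bash
# Added example: re-sync a FileVault user's SecureToken after an off-Mac (AD) password
# change by removing and re-granting the token with sysadminctl.
# Assumptions: ADMIN is a local admin that already holds a SecureToken, and USER_PW is
# the *new* AD password (the user must already be able to log in to macOS with it).
# By default commands are only printed (dry run); set RUNNER=command to execute them.
set -u

# parse_token_status: map sysadminctl's "-secureTokenStatus" text to ENABLED/DISABLED/UNKNOWN.
# sysadminctl writes this line to stderr, so callers pass the output captured with 2>&1.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# token_status USER: query the live system for USER's SecureToken state.
token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# dry_run CMD ARGS...: print the command with password values masked instead of running it.
dry_run() {
  local out="" prev="" a
  for a in "$@"; do
    case "$prev" in -adminPassword|-password) a='****' ;; esac
    out="$out $a"
    prev="$a"
  done
  echo "[dry-run]$out"
}

RUNNER="${RUNNER:-dry_run}"

# grant_token ADMIN ADMIN_PW USER USER_PW: give USER a SecureToken using ADMIN's token.
grant_token() {
  "$RUNNER" sysadminctl -adminUser "$1" -adminPassword "$2" -secureTokenOn "$3" -password "$4"
}

# resync_token ADMIN ADMIN_PW USER USER_PW: remove and re-grant the token, which is the
# workaround from the thread for a FileVault password that no longer matches AD.
resync_token() {
  "$RUNNER" sysadminctl -adminUser "$1" -adminPassword "$2" -secureTokenOff "$3" -password "$4" || return 1
  grant_token "$1" "$2" "$3" "$4"
}

# main ADMIN ADMIN_PW USER USER_PW: pick the right action from the current token state and
# verify afterwards that the user ends up with a token.
main() {
  local user="$3" before after
  before="$(token_status "$user")"
  case "$before" in
    ENABLED)  resync_token "$1" "$2" "$3" "$4" || return 1 ;;
    DISABLED) grant_token "$1" "$2" "$3" "$4" || return 1 ;;
    *)        echo "could not read SecureToken status for $user" >&2; return 1 ;;
  esac
  after="$(token_status "$user")"
  echo "SecureToken for $user: before=$before after=$after"
  [ "$after" = ENABLED ]
}

if [ "$#" -eq 4 ]; then
  main "$@"
else
  echo "usage: $0 ADMIN ADMIN_PW USER NEW_USER_PW   (RUNNER=command to execute for real)" >&2
fi
```

Run it first without `RUNNER=command` to see the masked commands it would issue; the passwords are passed on the sysadminctl command line, so run it from an interactive admin session rather than baking the values into a policy script, and clear the shell history afterwards.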
How do you re-sync the FV password with AD when the user does have a token? We have a user with 2 Macs, so when he changes it on one with Users & Groups, the other one goes out of sync. FV says they have a token on both machines.
Be sure to have your users change the password in Users & Groups. When they do this the password is changed in 3 places.
You can still change the password off the Mac but have to meet certain OS criteria.
3. 10.14.4 >
Will NOT work