Posted on 02-01-2019 09:50 AM
I've seen a couple of threads on this issue, but I thought I'd share a script that I use in Self Service in case anyone has a need. There are interactive osascript prompts to revoke and reassign SecureToken, and then update the preboot volume to resolve the issue. No need for fdesetup.
If you have a mobile AD user on Mojave and the password is reset off-device (like in AD/Okta or on a Windows PC), then the new network password never syncs with FileVault, and the login window password will sometimes revert to the "old" password if the user is off-network.
I'm also using LAPS at my org, so this script pulls the current LAPS password from an extended attribute for use with sysadminctl, but you can easily take that variable out if needed.
Posted on 02-01-2019 11:41 AM
I didn't know that
dscl /Local/Default -authonly $currentUser $userNetworkPass
was a way to verify the user's password. I like that!
Posted on 02-03-2019 05:08 AM
Thanks, I was hoping they would have resolved this in the 10.14.3 release but haven't had an opportunity to check.
Posted on 02-03-2019 03:30 PM
This is the first I've heard of this FileVault password sync bug. Does the same thing happen with NoMAD? I have the NoMAD setting turned on in my org to update passwords via NoMAD if they change elsewhere.
Posted on 02-04-2019 06:23 AM
@jwojda supposedly 10.14.4 fixes it. I've yet to test it. Just heard rumblings.
Posted on 02-28-2019 10:13 AM
Hey, thank you for making this! I'm having an issue though: I managed to get it to run on a user's computer and it completed without errors, however it didn't fix the issue! The user can still use both their old AD password and new AD password to log into the machine. Is there any way of troubleshooting this?
Thanks!
Posted on 03-01-2019 07:30 AM
@Dylan_YYC I would check that the local admin account being used to reissue SecureToken has SecureToken itself.
sysadminctl -secureTokenStatus $localUserHere
Aside from that, I did encounter a user who let their AD password expire, and this script alone did not resolve the issue. I had to use diskutil apfs list to find the UUID and disk identifier, then use that info to populate the command below. When I get some time I will incorporate that into the existing script so it's more automated and not so manual.
diskutil apfs changePassphrase $diskIdentifier -user $UUID
Posted on 03-26-2019 08:29 AM
10.14.4 does not fix this issue.
UPDATE: After updating to 10.14.4, attempting to log in with a mobile/AD account gets an "account locked" message.
Enter the FileVault key on the lock screen, at which point you will be prompted for the AD password again. Logged in, and the issue seems to be resolved after several shutdown/restart attempts as well as making sure the device is completely off network.
Posted on 03-26-2019 08:42 AM
It seemed to mess up keychains and reverted my machine login (was correct) to my FileVault (incorrect) password, stopped my Apple Watch from working, and when I tried to enable it, it said my machine password and my login keychain password were not synced (login keychain was unlocked).
Edit: Update - Once I got into the office this morning and plugged into the LAN, the machine synced up the passwords correctly, though I haven't done a password change since installing to verify it's fixed ongoing.
Posted on 03-26-2019 09:51 AM
I also wrote this script to help update FileVault passwords (a wrapper for diskutil apfs changePassphrase). The current user inputs the old password and then the new password (the new password is checked for accuracy).
https://github.com/koalatee/scripts/blob/master/macOS/changeAPFSPassphrase.sh
Posted on 03-29-2019 05:19 AM
@jubei I am using NoMAD and am finding this password sync issue with all my Mojave Macs :(
Posted on 04-05-2019 09:55 AM
So here is what I found:
If a user changes their password via NoMAD, the FV2 password gets updated.
If a user changes their password elsewhere, even if NoMAD detects and updates the password, the FV2 password does not get updated.
I put Koalatee's script in Self Service and it's updating the passwords as expected. Thank you! Hopefully Apple fixes this.
Posted on 04-11-2019 12:09 PM
@jubei be sure to open a ticket with Apple on it, or they won't! :) Share the ticket # here so others can reference it/jump on the bandwagon when they open one.
Since installing 14.4 yesterday, I'm also seeing weirdness... my FV password was (and still is) out of sync with my AD/mobile account. Will try the above script to remedy that. Other items noticed:
1. Can't use TouchID to unlock
TouchID Preference has "Unlocking your Mac" disabled
I can re-check it, enter my password, and it accepts, but re-opening TouchID prefs has it unchecked again and if I do it too quickly, gives me "Cancelled by another authentication". Seems to be a long-standing issue going back to Sierra at least, with fix "delete your keychain" sigh
2. Unlocking the system takes a long time (~15 seconds), regardless of whether I'm on the company network (VPN) or fully mobile (I WFH so am rarely on the physical network). Seems like it is trying to reach out to the domain to verify, then giving up?
Posted on 12-17-2019 12:22 AM
I also had the same problem: the password was not changed automatically in FileVault after changing it.
For this I had written a small script for the users. Users can change the password manually in Self Service. Maybe it will help someone.
#!/bin/bash
##########################################################################
# Shellscript : Allows you to change the FileVault password
# Author : Andreas Vogel, 31.10.2019
##########################################################################
## variables
# Console (logged-in) user and the GeneratedUID that identifies that user
# as an APFS crypto user.
user=$(stat -f '%Su' /dev/console)
UUID=$(dscl . -read "/Users/$user" GeneratedUID | awk '{print $2}')
# APFS volume that carries FileVault: the volume mounted at /. The device
# identifier is read from diskutil rather than hardcoded as disk1s1, which
# is not the boot volume on every Mac.
bootVolume=$(diskutil info / | awk -F: '/Device Identifier/ { gsub(/^[ \t]+/, "", $2); print $2; exit }')
# Hidden-answer dialog; osascript exits non-zero when the user cancels.
askPassphrase () {
osascript <<EOF - 2>/dev/null
tell application "SystemUIServer"
    activate
    text returned of (display dialog "$1" default answer "" with hidden answer)
end tell
EOF
}
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
jamf="/usr/local/bin/jamf"
## Icon
FileVaultIcon="/Library/Application Support/JAMF/SmallFileVaultIcon.png"
ErrorIcon="/Library/Application Support/JAMF/France_road_sign_A14.svg.png"
SuccessfulIcon="/Library/Application Support/JAMF/ok-1976099_640.png"
######################################################################################################################################
## Messages
Message="
This program synchronizes the Windows password and the FileVault password.
Only proceed if the FileVault password does not match the current Windows password."
FailedPwMessage="
The verification of the password failed, please re-enter the new password."
FailedPwMessageAgain="
The input does not match again. The program is ended."
FailedChange="
The password could not be changed. Try again. If the problem persists, contact the Mac_IT."
SuccessfulChange="
Your password has been changed successfully."
######################################################################################################################################
## Query whether the user really wants to change the password.
## jamfHelper prints the number of the button clicked (0 = OK) to stdout.
HELPER=$("$jamfHelper" -windowType utility -icon "$FileVaultIcon" -title "Change FileVault password" -description "$Message" -button1 "OK" -button2 "Cancel" -cancelButton "2" -defaultButton 2)
echo "Jamf Helper Exit Code: $HELPER"
## If the user agrees, the old password and the new password will be requested.
if [ "$HELPER" == "0" ]
then
    oldPassphrase=$(askPassphrase 'Please enter the old password.') || exit
    newPassphrase=$(askPassphrase 'Please enter the current Windows password.') || exit
    newPassphrase2=$(askPassphrase 'Please enter the current Windows password again.') || exit
    ## Check whether the new password matches. Both sides are quoted so that
    ## characters like * or ? in the password are compared literally, not as a glob.
    if [[ "$newPassphrase" != "$newPassphrase2" ]]
    then
        HELPER=$("$jamfHelper" -windowType utility -icon "$ErrorIcon" -title "Wrong Entry" -description "$FailedPwMessage" -button1 "OK" -defaultButton 1)
        echo "Exit Code: The entry did not match"
        newPassphrase=$(askPassphrase 'Please enter the current Windows password.') || exit
        newPassphrase2=$(askPassphrase 'Please enter the current Windows password again.') || exit
    fi
    ## Check again. If the recheck is faulty, the tool is terminated.
    if [[ "$newPassphrase" != "$newPassphrase2" ]]
    then
        HELPER=$("$jamfHelper" -windowType utility -icon "$ErrorIcon" -title "Renewed wrong entry" -description "$FailedPwMessageAgain" -button1 "OK" -defaultButton 1)
        echo "Exit Code: The entry was wrong again."
        exit 1
    fi
    ## If the tool was not closed, the password is changed. Passphrases are
    ## quoted so that spaces survive; note they are briefly visible as
    ## diskutil arguments in the process list while the command runs.
    if diskutil apfs changePassphrase "$bootVolume" -user "$UUID" -oldPassphrase "$oldPassphrase" -newPassphrase "$newPassphrase"
    then
        HELPER=$("$jamfHelper" -windowType utility -icon "$SuccessfulIcon" -title "Successful Change" -description "$SuccessfulChange" -button1 "OK" -defaultButton 1)
        echo "Exit Code: Password has been changed successfully."
    else
        HELPER=$("$jamfHelper" -windowType utility -icon "$ErrorIcon" -title "Error" -description "$FailedChange" -button1 "OK" -defaultButton 1)
        echo "Exit Code: Password could not be changed. Is the old password correct?"
    fi
fi
exit 0
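The script above hardcodes disk1s1 and only checks that the two new-password entries agree with each other, and the 03-01-2019 post finds the device identifier and UUID by hand with diskutil apfs list. The following is an added example, not code from the thread or from any of its authors, showing the three checks a practitioner would want before calling diskutil apfs changePassphrase: discover the boot volume's device identifier from diskutil info /, confirm the console user's GeneratedUID is actually a crypto user on that volume (diskutil apfs listCryptoUsers), and verify the new password against the directory with dscl . -authonly (the check mentioned in the 02-01-2019 reply) so that a mistyped password is never written into FileVault. It assumes the volume mounted at / is the FileVault volume (true on Mojave; Catalina's split system/data volume group is not covered) and that it runs as root when invoked with --run. The diskutil sample outputs embedded in the block are constructed, with invented UUIDs, so that the parsing functions can be exercised on a non-Mac host; the function and variable names are mine.

```shell
#!/bin/bash
# Added example, not from the thread. With --run on a Mac it performs the real
# FileVault passphrase change after the checks below; without arguments it only
# runs the parsers against constructed sample output (no macOS tools needed).

# Parse "Device Identifier:   disk1s1" out of `diskutil info /` text on stdin.
boot_device_from_info() {
    awk -F: '/Device Identifier:/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Succeed (exit 0) if crypto-user UUID $1 appears in
# `diskutil apfs listCryptoUsers <device>` text on stdin.
is_crypto_user() {
    [ -n "$1" ] || return 1          # an empty pattern would match everything
    grep -Fiq -- "$1"
}

# Succeed if the local directory accepts $2 as $1's password (dscl exit status).
password_is_current() {
    dscl . -authonly "$1" "$2" >/dev/null 2>&1
}

# Real procedure: macOS only, as root, invoked with --run.
sync_filevault_password() {
    local user uuid device old new
    user=$(stat -f '%Su' /dev/console)
    uuid=$(dscl . -read "/Users/$user" GeneratedUID | awk '{print $2}')
    device=$(diskutil info / | boot_device_from_info)
    [ -n "$device" ] || { echo "could not determine boot device" >&2; return 1; }

    if ! diskutil apfs listCryptoUsers "$device" | is_crypto_user "$uuid"; then
        echo "$user ($uuid) is not a FileVault crypto user on $device" >&2
        return 1
    fi
    read -rsp "Old FileVault password for $user: " old; echo
    read -rsp "Current directory password for $user: " new; echo
    if ! password_is_current "$user" "$new"; then
        echo "directory rejected the new password; FileVault left untouched" >&2
        return 1
    fi
    # Caveat: passphrases passed as arguments are briefly visible in the
    # process list while diskutil runs.
    diskutil apfs changePassphrase "$device" -user "$uuid" \
        -oldPassphrase "$old" -newPassphrase "$new"
}

# Constructed sample output (shape of the real commands; values are invented).
SAMPLE_DISKUTIL_INFO='   Device Identifier:         disk1s1
   Device Node:               /dev/disk1s1
   Whole:                     No
   Part of Whole:             disk1'
SAMPLE_CRYPTO_USERS='Cryptographic users for disk1s1 (2 found)
|
+-- 5A8F9C5E-1D2B-4E3F-9A7C-0B1D2E3F4A5B
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: iCloud Recovery User (external key)'
SAMPLE_USER_UUID='5A8F9C5E-1D2B-4E3F-9A7C-0B1D2E3F4A5B'

if [ "${1:-}" = "--run" ]; then
    sync_filevault_password
else
    dev=$(printf '%s\n' "$SAMPLE_DISKUTIL_INFO" | boot_device_from_info)
    echo "boot device from sample output: $dev"
    if printf '%s\n' "$SAMPLE_CRYPTO_USERS" | is_crypto_user "$SAMPLE_USER_UUID"; then
        echo "$SAMPLE_USER_UUID is a crypto user in the sample output"
    fi
fi
```

The UUID match is case-insensitive because dscl prints GeneratedUID in upper case while other tools may not; the empty-pattern guard matters because grep with an empty fixed string matches every line and would report any account as a crypto user.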
Posted on 01-21-2020 02:29 AM
Thanks @avogel. I've just added this to our Self Service for any Filevault MacBook. We've been trying to find a clean solution to this for months!
Posted on 01-03-2021 10:59 PM
@avogel nice concept. Please have a look: if the user is out of the office and tries changing the domain password, it also needs a validation check of the network, for example VPN or AD. Just a password change is nice in this way, but does this work for a domain user, and what about the FileVault password change?