I know at this point every time we see the term "Secure Token," we're ready to rip skin. However, I've encountered a specific issue about which I can't find any other ongoing discussions. Here's my scenario:
I'm in the midst of deploying FileVault encryption on all the Macs in my company. These are existing machines, not new machines. I have workflows that work for machines that were initially set up on High Sierra. My issue now is machines that were upgraded to High Sierra from a previous version of macOS.
From what I can tell, there aren't any users on these systems that have a Secure Token. (I have extension attributes set up that detect the secure token status of the 501 and 502 users, and neither shows as enabled.)
Has anyone else encountered this?
So I think I have the start of an answer:
When a pre-10.13 machine is upgraded to 10.13, no account is automatically issued a secure token. Instead, the first account that activates FileVault is given a secure token. So I created a new smart group for these machines, and will apply the same policy I use for the 10.12 machines to kick off FileVault.
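
An extension attribute along the lines described in this thread, as an added example (not the poster's own script): it reports the Secure Token state of the UID 501 and 502 accounts plus a single summary value that a smart group can match on. The summary labels, the function names and the sample line are assumptions made for this example; the parsing relies on `sysadminctl -secureTokenStatus` printing "Secure token is ENABLED/DISABLED for user ...".

```shell
#!/bin/sh
# Added example: Jamf Pro extension attribute for Secure Token status of UID 501 and 502.

# Constructed sample of sysadminctl output (not captured from a real machine).
SAMPLE_LINE='2018-03-01 10:00:00.000 sysadminctl[412:5021] Secure token is DISABLED for user localadmin'

# Map the text printed by `sysadminctl -secureTokenStatus` to a state.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "ENABLED" ;;
        *"Secure token is DISABLED"*) echo "DISABLED" ;;
        *)                            echo "UNKNOWN" ;;
    esac
}

# Collapse per-account states into one value (labels are hypothetical).
# NOUSER means no account has that UID; it does not count as a token holder.
summarise() {
    result="NoTokenHolder"
    for s in "$@"; do
        if [ "$s" = "ENABLED" ]; then echo "TokenHolderPresent"; return 0; fi
        if [ "$s" = "UNKNOWN" ]; then result="Indeterminate"; fi
    done
    echo "$result"
}

# Resolve a UID to a short name, then ask sysadminctl (it writes to stderr).
status_for_uid() {
    user=$(dscl . -search /Users UniqueID "$1" 2>/dev/null | awk 'NR==1 {print $1}')
    if [ -z "$user" ]; then echo "NOUSER"; return 0; fi
    token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)"
}

# Only query the system where the macOS tooling exists.
if command -v sysadminctl >/dev/null 2>&1; then
    s501=$(status_for_uid 501)
    s502=$(status_for_uid 502)
    echo "<result>501=$s501 502=$s502 $(summarise "$s501" "$s502")</result>"
fi
```

A smart group with the criterion "like NoTokenHolder" then collects the upgraded machines on which neither account holds a token, which is the group the FileVault policy above would be scoped to.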