T2 Chip + Startup Security Utility

zinkotheclown
Contributor II

I ran into this odd issue with a new MacMini (Macmini8,1) with 10.14.3 preinstalled.

I am testing NoMAD with NoMADLogin and I have the first user log in and that creates their account. Jamf Pro then runs a policy to encrypt the device with our institutional key and to add an EFI password lock.

When I boot to the recovery partition, I find that I am unable to disable the EFI password in the Startup Security Utility due to “No administrator was found”. None of the local accounts are listed on the dropdown.

I would think this occurs if the admin account is missing a secureToken, but that isn't the case, as I was able to encrypt the MacMini.

The only way I can disable the EFI password is to blow the OS away, enroll the device with MDM, then log in as the local admin account that is created during the prestage enrollment. Once I'm in the recovery partition, then the Startup Security Utility usually allows me to disable the password lock with this account.

Has anyone experienced this?

1 ACCEPTED SOLUTION

zinkotheclown
Contributor II

@sshort Thanks for that article!!! From that I was able to figure out that "diskutil apfs updatePreboot /" updates the accounts that appear at preboot.

The only other issue I still have is getting the local techsupport account to show up on preboot without resorting to the first user to issue a secureToken.
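An added example (not from the thread or from Jamf) that turns the accepted answer into a repeatable check: it lists each local admin's SecureToken and FileVault state and then runs `diskutil apfs updatePreboot /`. It assumes a macOS host run as root; the parsing helpers take command output as an argument so they can be exercised offline with constructed sample text.

```shell
#!/bin/sh
# Added example, not from the thread: audit which local admin accounts hold a
# SecureToken and are FileVault-enabled, then refresh the Preboot volume with
# `diskutil apfs updatePreboot /` (the fix from the accepted answer) so that
# Startup Security Utility in Recovery can find an administrator.
# Run as root on the Mac in question. The parsing helpers take the command
# output as an argument so they can be exercised offline with constructed text.

# Map `sysadminctl -secureTokenStatus <user>` output to ENABLED/DISABLED/UNKNOWN.
# macOS prints e.g. "sysadminctl[...] Secure token is ENABLED for user Jane Doe".
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Turn `dscl . -read /Groups/admin GroupMembership` output
# ("GroupMembership: root techsupport jdoe") into "techsupport jdoe".
admin_members() {
  printf '%s\n' "$1" | sed -n 's/^GroupMembership: //p' | tr ' ' '\n' \
    | grep -v '^root$' | tr '\n' ' ' | sed 's/ $//'
}

# yes/no: is user $1 present in `fdesetup list` output $2 ("name,UUID" per line)?
fv_enabled() {
  if printf '%s\n' "$2" | grep -q "^$1,"; then echo yes; else echo no; fi
}

# Live audit (macOS only): print each admin's state, then update Preboot.
audit_and_refresh() {
  command -v sysadminctl >/dev/null 2>&1 || { echo "not macOS; skipping"; return 0; }
  admins=$(admin_members "$(dscl . -read /Groups/admin GroupMembership)")
  fvlist=$(fdesetup list 2>/dev/null)
  for u in $admins; do
    # sysadminctl reports on stderr, hence 2>&1
    printf '%-15s token=%-8s filevault=%s\n' "$u" \
      "$(token_state "$(sysadminctl -secureTokenStatus "$u" 2>&1)")" \
      "$(fv_enabled "$u" "$fvlist")"
  done
  # An admin that holds a token but is still absent at preboot is the thread's
  # symptom; updatePreboot re-syncs the Preboot volume's user list.
  diskutil apfs updatePreboot /
}

if [ "${1:-}" = "--run" ]; then audit_and_refresh; fi
```

An admin that shows token=ENABLED here but still does not appear in Startup Security Utility after the refresh is the case the later Big Sur replies describe.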


8 REPLIES

Cayde-6
Release Candidate Programs Tester

You can encrypt a Mac without a secure token now but you are correct that an admin account requires a secure token to edit the EFI security settings.

sshort
Valued Contributor

Here's a link on secureTokens not being totally necessary to enable FileVault anymore: https://travellingtechguy.eu/mojave-10-14-2-and-secure-tokens-it-works/

I haven't messed with NoMadLogin in a while, I believe it will happily create just a standard user account unless you specify in a profile/plist that you want that user to be an admin. That might be the cause of that "No administrator was found" message.

zinkotheclown
Contributor II

I'm not so sure about 10.14.2 and up not requiring a secureToken to encrypt the Mac. On our setup, we have a PreStage enrollment that creates a local techsupport account for our site techs. Normally, I would advise the techs not to sign in as techsupport and have the end user sign in first in order for them to get the secure token first, and that user usually is forced to encrypt the Mac with a policy that includes our institutional key.
On these T2 MacMinis I still find that is the case. If I log in as the local techsupport account first, the end user is unable to encrypt their Mac. I have to issue a secureToken to them with the techsupport account after they log in. I can work around the “No administrator was found” in the Startup Security Utility as I can disable the EFI password with Jamf Pro or the firmwarepasswd command.
The bigger issue is when I have to decrypt the Mac due to the end user forgetting their password or something caused it to change without their knowledge. If I go into the recovery partition and I don't log in as the techsupport account first, I am unable to open Terminal to decrypt the device with the institutional key because I will get the “No administrator was found” error.


Gascolator
New Contributor III

I'm having this issue in Big Sur. Our PreStage enrollment creates a hidden local admin account on the machine. Our users are AD bound mobile non-admin users and are the first to login. They get the security token. I'm unable to turn off startup security as I get the no admin found. On a test machine I elevated a standard user to admin and then granted a security token to the local admin account. I booted back into the recovery partition and the issue persists. I tried "diskutil apfs updatePreboot /" as well as making the local admin account unhidden. I can't find anything that works.

BookMac
Contributor

I have the same issue. Big Sur Pre Stage Enrollment with hidden local admin. The users are local with jamf connect. I am not able to deny the Start from external devices.

Gascolator
New Contributor III

Of the three machines I'm testing, I was able to elevate the standard user and issue the secure token to the local admin. However, only on one of them does that local administrator account show up in the recovery partition under boot security after issuing the security token.

Gascolator
New Contributor III

Update: logged in as a user and removed admin rights from my local admin account - rebooted - logged back in as a user - elevated local admin account back to admin - rebooted - logged back in as user and confirmed security token on local admin account - rebooted into recovery partition, my local admin account now shows up in Startup Security. Not a workable solution long term but it gets these few machines that I've already deployed working.