I'm a little confused about a situation I just dealt with while restoring a computer from a Time Machine backup. The Time Machine backup was 10.14.3 and the new computer is 10.14.3.
We started with a brand new computer.
1. Booted to recovery and chose the option restore from Time Machine
2. Logged into mobile admin account
3. Ran sysadminctl -secureTokenStatus on every user and they all returned as Disabled (2 local admin accounts and 1 mobile admin)
4. Opened System Preferences and enabled FileVault and chose to store the key with FileVault
5. Enabled two users for testing (mobile admin and one local admin)
6. FileVault began encrypting
7. Ran sysadminctl -secureTokenStatus on and the two users were enabled for FileVault and the command returned as Enabled
To be clear we never used the Setup Assistant to create an account. Time Machine was run from recovery.
I'm just trying to figure out why we were able to enable FileVault. I thought one account required a secureToken before you could turn it on.
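
A per-user audit of the two states compared in steps 3 and 7 (Secure Token status and FileVault enablement), as an added example that is not part of the original post. It assumes sysadminctl reports a line of the form "Secure token is ENABLED|DISABLED for user ..." on stderr and that regular accounts have a UID of 501 or higher; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report Secure Token and FileVault status for each user (macOS).

# Pull ENABLED/DISABLED out of a sysadminctl status line read on stdin.
# Assumed line format: "... Secure token is ENABLED for user Full Name"
parse_token_status() {
    sed -n 's/.*Secure token is \([A-Z]*\) for user.*/\1/p' | head -n 1
}

# Secure Token status for one short name; sysadminctl writes to stderr.
# Prints UNKNOWN when no status line comes back (e.g. no such user).
token_status() {
    status=$(sysadminctl -secureTokenStatus "$1" 2>&1 | parse_token_status)
    echo "${status:-UNKNOWN}"
}

# yes/no: does the user appear in `fdesetup list` (lines of shortname,UUID)?
# fdesetup needs root; without it this reports "no" for everyone.
filevault_enabled() {
    if fdesetup list 2>/dev/null | cut -d, -f1 | grep -Fqx "$1"; then
        echo yes
    else
        echo no
    fi
}

# Short names of accounts with UID >= 501 (assumed: regular local/mobile users).
list_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 501 { print $1 }'
}

# One line per user, so the state before and after enabling FileVault
# can be captured and diffed.
audit() {
    for u in $(list_users); do
        printf '%s token=%s filevault=%s\n' \
            "$u" "$(token_status "$u")" "$(filevault_enabled "$u")"
    done
}

# Run only when asked: sudo sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit
fi
```

Saving the output before step 4 and again after step 7 shows exactly which accounts changed state.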