Posted on 04-02-2018 10:25 AM
I am having a very strange issue with an AD-bound Mac, and I am not sure why it's happening or how to fix it. We have a user running a 2016 MacBook Pro 15" on 10.13.3 that is bound to our AD domain using the directory bind utility, and up until recently we have had no issue with it. But in recent weeks, anytime this user reboots the machine and attempts to log in to his AD account from the login screen, his password is not accepted. Strangely, after logging into a local account and logging back out, the user is able to type in the same password that wasn't working before and it will allow them to authenticate. This happens regardless of whether the user is connected to the network or not. Their network account is configured as a mobile account, so they don't need to be connected to the network in order to log in. They are also added to the FileVault list of users that can unlock the drive. We are not sure why this is happening and cannot find anything definitive in the system logs. Any help with this issue would be greatly appreciated.
Posted on 04-02-2018 04:50 PM
You could try this:
sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenOn "$username" -password "$user_password"
GUI Admin would be the local account you are using and the user credentials for the user. I am still trying to wrap my head around this so please research, backup and test. The GUI user would have to have been created with the GUI and not the command line I believe.
I have been researching this today and suspect that you are running into the secureToken setting Apple added in 10.13.2 or 10.13.3. I found that here: https://babodee.wordpress.com/2017/10/05/sysadminctl-changes-in-10-13/
I hope this helps
Posted on 05-16-2018 09:28 AM
Hi there, any luck with this issue? We have a user here experiencing the same exact problem.
Posted on 05-16-2018 09:32 AM
Are you by chance using Sophos AV?
Posted on 05-16-2018 02:01 PM
@jmahlman Yes, as a matter of fact, we do use Sophos AV on all of our machines....
Posted on 05-16-2018 02:05 PM
Posted on 05-16-2018 02:09 PM
@jmahlman Thank you so much, will give that a try later when the user is available (fingers crossed!)
Posted on 05-17-2018 12:35 PM
@jmahlman Thanks again for your suggestion, unfortunately, this did not resolve our issues at hand :( User is still unable to login unless logging off a local user first. Will continue to investigate.
Posted on 01-07-2019 05:24 PM
@mlee we are experiencing the same issue as you describe here. Did you manage to get to the bottom of it?
Posted on 02-06-2019 06:27 AM
Hi, I am experiencing the same issue. We are using Centrify and SEP.
Posted on 02-06-2019 07:43 AM
@cbruce @craitdepartment I definitely suggest revoking and reassigning the user's secureToken (and then update the preboot volume) to address weird login issues on AD accounts. Check out this script I put together to address the issue.
Posted on 03-11-2019 02:44 PM
We started experiencing this issue as well. To fix the issue:
sudo mkdir -p /tempprofiles
sudo cp -Rv /Users/USERNAME /tempprofiles/USERNAME
Delete the user from System Preferences > Users & Groups
Unbind from the domain, rebind to the domain
Have the user log in, ensuring a mobile account is created (we do this automatically but others may not).
sudo /bin/cp -Rvf /tempprofiles/USERNAME/ /Users/USERNAME/
sudo chown -Rv USERNAME /Users/USERNAME
Posted on 01-20-2020 07:49 AM
I don't know how to fix it, but it is related to FileVault and the user being unable to decrypt the hard drive. I am experiencing the same.
Posted on 01-20-2020 10:31 AM
I created the following script as part of a self service policy. It will prompt the user for their current password and then will remove them from the FV2 users and re-add them.
You need to pass it the local admin user name and password as variables 4 and 5
#!/bin/bash
# https://www.jamf.com/jamf-nation/discussions/26608/adding-user-to-filevault-using-fdesetup-and-recovery-key
adminName="$4"
adminPass="$5"
userName=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )

# Refuse to run when the admin account itself is the console user
if [[ "$userName" == "$adminName" ]] || [[ "$userName" == "admin0417" ]]; then
    echo "Admin user is logged in."
    dialog="Do Not run this tool when logged in as Admin! Exiting!"
    /usr/bin/osascript -e "tell app \"System Events\" to display dialog \"$dialog\""
    exit 1
fi

echo "prompting user for Account Password"
userPass=$(/usr/bin/osascript <<END
tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Enter your Current Account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END
)

# Drop the user from the FileVault user list, then re-add them by driving fdesetup's interactive prompts with expect
fdesetup remove -user "$userName"
expect <<EOF
spawn fdesetup add -usertoadd "$userName"
expect "Enter the primary user name:"
send "$adminName\r"
expect "Enter the password for the user '$adminName':"
send "$adminPass\r"
expect "Enter the password for the added user '$userName':"
send "$userPass\r"
expect eof
EOF

# fdesetup list prints "name,GUID" per line; compare the name column exactly
fdeList=$(fdesetup list | awk -F, '{print $1}' | grep -x "$userName")
if [[ "$fdeList" == "$userName" ]]; then
    echo "$userName Added successfully"
    dialog="$userName Added successfully"
    /usr/bin/osascript -e "tell app \"System Events\" to display dialog \"$dialog\""
    exit 0
else
    echo "Adding $userName to FV2 Failed"
    dialog="Adding $userName to FV2 Failed"
    /usr/bin/osascript -e "tell app \"System Events\" to display dialog \"$dialog\""
    exit 1
fi
Posted on 06-09-2020 01:01 PM
Found a fix! If you are using FileVault you need to enable the user's access to it. Go to Security & Policy > FileVault and enable the mobile account for FileVault. This will allow the user to log in with their own account.
Posted on 07-27-2020 06:48 AM
I'm having this issue too. After a total shutdown, the AD account refuses to accept the password until I log into a local account. I did check Security & Policy, which was already enabled via the SecureToken upon creating the account. I do have a workaround, which is to choose the AD account and enter the FV recovery key. After that it will ask you for your network account password again, and then the issue is resolved. It won't refuse the AD password anymore. But I would like to check if anyone has a better solution than giving the FV recovery keys to users.
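The posts above point at three separate things that each have to be true before an AD mobile account can unlock FileVault at boot: the account holds a SecureToken, it is in the FileVault user list, and the preboot volume has been updated with it. The script below is an added example (not from this thread or from any of the scripts posted in it) that checks all three read-only and names the next step. The output formats it parses (the "Secure token is ENABLED/DISABLED" line from sysadminctl, the "name,GUID" lines from fdesetup list, the "+-- GUID" lines from diskutil apfs listUsers) are assumed from those tools' usual output, the function names are mine, and the live commands only run in main on macOS so the parsers can be exercised on constructed samples elsewhere.

```shell
#!/bin/sh
# Added example, not from the thread: read-only diagnosis of an AD mobile
# account that cannot unlock FileVault at boot. Three checks, in the order
# the thread settles on: SecureToken -> FileVault user list -> preboot list.
# The parsers take command output as a string so they can be tested on
# constructed samples; the live commands only run in main() on macOS.

# sysadminctl -secureTokenStatus writes a line such as
#   sysadminctl[123] Secure token is ENABLED for user jdoe
# to stderr (format assumed). Prints ENABLED, DISABLED or UNKNOWN.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# fdesetup list prints one "name,GUID" line per FileVault-enabled user.
# $1 = that output, $2 = short name. Exact match on the name column, so
# "jdoe" does not match "jdoe2". Prints yes or no.
in_fv_list() {
  printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { f = 1 } END { print (f ? "yes" : "no") }'
}

# diskutil apfs listUsers / prints one "+-- <GUID>" line per cryptographic
# user; those are the users the preboot volume can offer at the FileVault
# login window. $1 = that output, $2 = the user's GeneratedUID. Prints yes/no.
in_crypto_users() {
  printf '%s\n' "$1" | awk -v g="$2" '$1 == "+--" && $2 == g { f = 1 } END { print (f ? "yes" : "no") }'
}

# Turn the three answers into the next remediation step.
# $1 token state, $2 in FileVault list (yes/no), $3 in preboot list (yes/no)
diagnose() {
  if   [ "$1" != ENABLED ]; then echo add-token
  elif [ "$2" != yes ];     then echo add-fv-user
  elif [ "$3" != yes ];     then echo update-preboot
  else                           echo ok
  fi
}

main() {
  user="${1:?usage: $0 <shortname>}"
  status=$(sysadminctl -secureTokenStatus "$user" 2>&1)
  guid=$(dscl . -read "/Users/$user" GeneratedUID 2>/dev/null | awk '{print $2}')
  fv=$(fdesetup list 2>/dev/null)
  cu=$(diskutil apfs listUsers / 2>/dev/null)
  t=$(token_state "$status")
  f=$(in_fv_list "$fv" "$user")
  c=$(in_crypto_users "$cu" "$guid")
  echo "SecureToken: $t   FileVault user: $f   preboot user: $c"
  case $(diagnose "$t" "$f" "$c") in
    add-token)      echo "next: have a token holder run: sysadminctl -adminUser <tokenholder> -adminPassword - -secureTokenOn $user -password -" ;;
    add-fv-user)    echo "next: fdesetup add -usertoadd $user" ;;
    update-preboot) echo "next: diskutil apfs updatePreboot /" ;;
    ok)             echo "account looks able to unlock FileVault at boot" ;;
  esac
}

# Only run the live checks on macOS and only when a user name was supplied.
if [ "$(uname)" = Darwin ] && [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as root with the user's short name; it prints the three answers and the single command to run next rather than doing anything itself, which keeps it safe to hand to a help-desk tier that is not allowed to touch SecureToken. A "no" in the preboot column with "yes" everywhere else is the case the recovery-key workaround above papers over: the token and FileVault entry are fine, only the preboot volume is stale.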
Posted on 07-27-2020 10:02 AM
This script was shared with me and allows you to pass the SecureToken from a local user to the mobile account.
#!/bin/bash
###
#
# Name: add-securetoken-to-logged-in-user.sh
# Description: Adds SecureToken to currently logged-in user, allowing that
# user to unlock FileVault in macOS High Sierra. Uses
# credentials from a GUI-created admin account $guiAdmin
# (retrieves from a manually-created System keychain entry),
# and prompts for current user's password.
# https://github.com/mpanighetti/add-securetoken-to-logged-in-user
# Author: Mario Panighetti
# Created: 2017-10-04
# Last Modified: 2017-10-04
# Version: 1.0
#
###
###
#
# Changed by: jjourney 10/6/2017
# changes: Changed password prompt / check to match the code in
# Elliot Jordan <elliot@elliotjordan.com> FileVault key upload script
# https://github.com/homebysix/jss-filevault-reissue
# Set the guiAdmin
#
###
###
#
# Changed by: jjourney 2/2018
# changes: Code re-arranged for better logic due to changes
# Updated secureToken code because it now(?) requires auth or interactive
# Adds user to filevault
# Run "sudo diskutil apfs updatePreboot /" at the end
#
###
###
#
# Changed by: jjourney 08/2018
# changes: guiAdmin now gives you the current users that already have secureToken
# via diskutil apfs listUsers /
# Removed jamfhelper and applescript confusion
# Added all osascript functions, should be easier to read
# Can now be used for both HFS / APFS
#
###
###
#
# Changed by: jjourney 11/2018
# changes: changed how to get cryptousers and processing the GUIDs
# accounts for users over 8 char and some 10.14(?) issues
#
###
###
#
# Setup: Fill in relevant IT + FORGOT_PW_MESSAGE
# Only jamf relevant piece is line 446, calls a policy to make current user admin, jamf not necessary
#
###
# applescript
#
# template:
########### Title - "$2" ############
# #
# Text to display - "$1" #
# #
# [Default response - "$5"] #
# #
# (B1 "$3") (B2 "$4") # <- Button 2 default
#####################################
function simpleInput() {
osascript <<EOT
tell app "System Events"
with timeout of 86400 seconds
text returned of (display dialog "$1" default answer "$5" buttons {"$3", "$4"} default button 2 with title "$2")
end timeout
end tell
EOT
}
function hiddenInput() {
osascript <<EOT
tell app "System Events"
with timeout of 86400 seconds
text returned of (display dialog "$1" with hidden answer default answer "" buttons {"$3", "$4"} default button 2 with title "$2")
end timeout
end tell
EOT
}
function hiddenInputNoCancel() {
osascript <<EOT
tell app "System Events"
with timeout of 86400 seconds
text returned of (display dialog "$1" with hidden answer default answer "" buttons {"$3"} default button 1 with title "$2")
end timeout
end tell
EOT
}
function OneButtonInfoBox() {
osascript <<EOT
tell app "System Events"
with timeout of 86400 seconds
button returned of (display dialog "$1" buttons {"$3"} default button 1 with title "$2")
end timeout
end tell
EOT
}
function TwoButtonInfoBox() {
osascript <<EOT
tell app "System Events"
with timeout of 86400 seconds
button returned of (display dialog "$1" buttons {"$3", "$4"} default button 2 with title "$2")
end timeout
end tell
EOT
}
function listChoice() {
osascript <<EOT
tell app "System Events"
with timeout of 86400 seconds
choose from list every paragraph of "$5" with title "$2" with prompt "$1" OK button name "$4" cancel button name "$3"
end timeout
end tell
EOT
}
########## variables ##########
# you can edit these
PROMPT_TITLE="Password Needed For FileVault"
IT=""
FORGOT_PW_MESSAGE="You made five incorrect password attempts.
Please contact $IT."
adminfix=""
# leave these values as-is
# console user via SystemConfiguration; /usr/bin/python is the system Python 2 that shipped with the macOS versions this script targets
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
loggedInUserFull=$(id -F $loggedInUser)
jamfBin="/usr/local/jamf/bin/jamf"
########## function-ing ##########
# get password for admin that has secure token
getPassword_guiAdminAPFS () {
allusers=()
# already got the $cryptousers
for GUID in $cryptousers
do
usercheck=$(sudo dscl . -search /Users GeneratedUID $GUID | awk 'NR == 1' | awk '{print $1}')
if [[ ! -z $usercheck ]]; then
echo $usercheck
allusers+=($usercheck)
fi
done
# make it nice for applescript: one name per line, joined with literal "\n" escapes that AppleScript expands
for item in "${allusers[@]}"
do
arrayChoice+="${item}\n"
done
# strip the trailing "\n" (two characters)
arrayChoice=$(echo "$arrayChoice" |sed 's/..$//')
# Let's-a go!
guiAdmin="$(listChoice \
"Please select a user with secure token that you know the password to:" \
"Select SecureToken User" \
"Cancel" \
"OK" \
"$arrayChoice")"
if [[ "$guiAdmin" =~ "false" ]]; then
echo "Cancelled by user"
exit 0
fi
# Get the $guiAdmin password via a prompt.
echo "Prompting $guiAdmin for their Mac password..."
guiAdminPass="$(hiddenInputNoCancel \
"Please enter the password for $guiAdmin:" \
"$PROMPT_TITLE" \
"OK")"
# Thanks to James Barclay (@futureimperfect) for this password validation loop.
TRY=1
until /usr/bin/dscl /Search -authonly "$guiAdmin" "$guiAdminPass" &>/dev/null; do
(( TRY++ ))
echo "Prompting $guiAdmin for their Mac password (attempt $TRY)..."
guiAdminPass="$(hiddenInput \
"Sorry, that password was incorrect. Please try again:" \
"$PROMPT_TITLE" \
"Cancel" \
"OK" )"
if [[ "$guiAdminPass" =~ "false" ]] || [[ -z "$guiAdminPass" ]]; then
exit 0
fi
if (( TRY >= 5 )); then
echo "[ERROR] Password prompt unsuccessful after 5 attempts. Displaying \"forgot password\" message..."
OneButtonInfoBox \
"$FORGOT_PW_MESSAGE" \
"$PROMPT_TITLE" \
"OK" &
exit 1
fi
done
echo "Successfully prompted for $guiAdmin password."
}
getPassword_guiAdminHFS () {
arrayChoice=""
# HFS+ has no SecureToken, so offer the existing FileVault users instead
fvusers=$(fdesetup list |awk -F, '{print $1}')
for users in $fvusers
do
arrayChoice+="${users}\n"
done
# make it nice for applescript: strip the trailing "\n" (two characters)
arrayChoice=$(echo "$arrayChoice" |sed 's/..$//')
# Let's-a go!
guiAdmin="$(listChoice \
"Please select a user account that you know the password to:" \
"Select Existing Filevault User" \
"Cancel" \
"OK" \
"$arrayChoice")"
if [[ "$guiAdmin" =~ "false" ]]; then
echo "Cancelled by user"
exit 0
fi
# Get the $guiAdmin password via a prompt.
echo "Prompting for $guiAdmin Mac password..."
guiAdminPass="$(hiddenInputNoCancel \
"Please enter the password for $guiAdmin:" \
"$PROMPT_TITLE" \
"OK")"
# Thanks to James Barclay (@futureimperfect) for this password validation loop.
TRY=1
until /usr/bin/dscl /Search -authonly "$guiAdmin" "$guiAdminPass" &>/dev/null; do
(( TRY++ ))
echo "Prompting for $guiAdmin Mac password (attempt $TRY)..."
guiAdminPass="$(hiddenInput \
"Sorry, that password was incorrect. Please try again:" \
"$PROMPT_TITLE" \
"Cancel" \
"OK" )"
if [[ "$guiAdminPass" =~ "false" ]] || [[ -z "$guiAdminPass" ]]; then
exit 0
fi
if (( TRY >= 5 )); then
echo "[ERROR] Password prompt unsuccessful after 5 attempts. Displaying \"forgot password\" message..."
OneButtonInfoBox \
"$FORGOT_PW_MESSAGE" \
"$PROMPT_TITLE" \
"OK" &
exit 1
fi
done
echo "Successfully prompted for $guiAdmin password."
}
# get password for currently logged on user
getPassword_loggedInUser () {
# Get the logged in user's password via a prompt.
echo "Prompting $loggedInUser for their Mac password..."
loggedInUserPass="$(hiddenInputNoCancel \
"Please enter the password for $loggedInUserFull, the one used to log in to this Mac:" \
"Password needed for Filevault" \
"OK")"
# Thanks to James Barclay (@futureimperfect) for this password validation loop.
TRY=1
until /usr/bin/dscl /Search -authonly "$loggedInUser" "$loggedInUserPass" &>/dev/null; do
(( TRY++ ))
echo "Prompting $loggedInUser for their Mac password (attempt $TRY)..."
loggedInUserPass="$(hiddenInput \
"Sorry, that password was incorrect. Please try again:" \
"$PROMPT_TITLE" \
"Cancel" \
"OK")"
if [[ "$loggedInUserPass" =~ "false" ]] || [[ -z "$loggedInUserPass" ]]; then
exit 0
fi
if (( TRY >= 5 )); then
echo "[ERROR] Password prompt unsuccessful after 5 attempts. Displaying \"forgot password\" message..."
OneButtonInfoBox \
"$FORGOT_PW_MESSAGE" \
"$PROMPT_TITLE" \
"OK" &
exit 1
fi
done
echo "Successfully prompted for $loggedInUser password."
}
# add SecureToken to $loggedInUser account to allow FileVault access
securetoken_add () {
sudo sysadminctl \
-adminUser "$guiAdmin" \
-adminPassword "$guiAdminPass" \
-secureTokenOn "$loggedInUser" \
-password "$loggedInUserPass"
}
# Make sure user has secure token
securetoken_double_check () {
secureTokenCheck=$(sudo sysadminctl -adminUser "$guiAdmin" -adminPassword "$guiAdminPass" -secureTokenStatus "$loggedInUser" 2>&1)
if [[ "$secureTokenCheck" =~ "DISABLED" ]]; then
echo "❌ ERROR: Failed to add SecureToken to $loggedInUser for FileVault access."
echo "Displaying \"failure\" message..."
OneButtonInfoBox \
"Failed to set SecureToken for $loggedInUser. Status is $secureTokenCheck. Please contact $IT." \
"Failure" \
"OK" &
exit 1
elif [[ "$secureTokenCheck" =~ "ENABLED" ]]; then
securetoken_success
else
echo "???unknown error???"
exit 3
fi
}
# display success message
securetoken_success () {
echo "✅ Verified SecureToken is enabled for $loggedInUser."
echo "Displaying \"success\" message..."
OneButtonInfoBox \
"SecureToken is now set to 'Enabled' for $loggedInUser." \
"Success!" \
"OK"
}
# add user to filevault APFS
adduser_filevaultAPFS () {
echo "Checking Filevault status for $loggedInUser"
filevault_list=$(sudo fdesetup list 2>&1)
if [[ ! "$filevault_list" =~ "$loggedInUser" ]]; then
echo "User not found, adding"
# feed the plist to fdesetup on stdin rather than writing both passwords to a world-readable file in /tmp
fdesetup add -inputplist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>$guiAdmin</string>
<key>Password</key>
<string>$guiAdminPass</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>$loggedInUser</string>
<key>Password</key>
<string>$loggedInUserPass</string>
</dict>
</array>
</dict>
</plist>
EOF
filevault_list=$(sudo fdesetup list 2>&1)
if [[ ! "$filevault_list" =~ "$loggedInUser" ]]; then
echo "Error adding user!"
OneButtonInfoBox \
"Failed to add $loggedInUserFull to filevault. Please try to add manually." \
"Failed to add" \
"OK" &
elif [[ "$filevault_list" =~ "$loggedInUser" ]]; then
echo "Success adding user!"
OneButtonInfoBox \
"Succeeded in adding $loggedInUserFull to filevault." \
"Success!" \
"OK" &
fi
elif [[ "$filevault_list" =~ "$loggedInUser" ]]; then
echo "Success adding user!"
OneButtonInfoBox \
"$loggedInUserFull is a filevault enabled user." \
"Success!" \
"OK" &
fi
# run updatePreboot to show user
sudo diskutil apfs updatePreboot /
}
# add user to filevault HFS+
adduser_filevaultHFS () {
echo "Checking Filevault status for $loggedInUser"
filevault_list=$(sudo fdesetup list 2>&1)
if [[ ! "$filevault_list" =~ "$loggedInUser" ]]; then
echo "User not found, adding"
# feed the plist to fdesetup on stdin rather than writing both passwords to a world-readable file in /tmp
fdesetup add -inputplist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>$guiAdmin</string>
<key>Password</key>
<string>$guiAdminPass</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>$loggedInUser</string>
<key>Password</key>
<string>$loggedInUserPass</string>
</dict>
</array>
</dict>
</plist>
EOF
filevault_list=$(sudo fdesetup list 2>&1)
if [[ ! "$filevault_list" =~ "$loggedInUser" ]]; then
echo "Error adding user!"
OneButtonInfoBox \
"Failed to add $loggedInUserFull to filevault. Please try to add manually." \
"Failed to add" \
"OK" &
elif [[ "$filevault_list" =~ "$loggedInUser" ]]; then
echo "Success adding user!"
OneButtonInfoBox \
"Succeeded in adding $loggedInUserFull to filevault." \
"Success!" \
"OK" &
fi
elif [[ "$filevault_list" =~ "$loggedInUser" ]]; then
echo "Success adding user!"
OneButtonInfoBox \
"$loggedInUserFull is a filevault enabled user." \
"Success!" \
"OK" &
fi
}
# make sure user is admin
# assumes it's bound to AD; only call the Jamf policy when a custom trigger was filled in above
if [[ -n "$adminfix" ]]; then
$jamfBin policy -event "$adminfix"
fi
########## main process ##########
cryptousers=$(diskutil apfs listUsers / |awk '/\+--/ {print $NF}')
OneButtonInfoBox \
"If there is not an account on the next screen that you know the password to, please contact $IT for assistance." \
"Warning" \
"OK"
# check if actually apfs disk or not
if [[ -z "$cryptousers" ]]; then
getPassword_guiAdminHFS
getPassword_loggedInUser
adduser_filevaultHFS
unset loggedInUserPass
unset guiAdminPass
else
getPassword_guiAdminAPFS
getPassword_loggedInUser
secureTokenCheck=$(sudo sysadminctl -adminUser "$guiAdmin" -adminPassword "$guiAdminPass" -secureTokenStatus "$loggedInUser" 2>&1)
# add SecureToken to $loggedInUser if missing
if [[ "$secureTokenCheck" =~ "DISABLED" ]]; then
securetoken_add
securetoken_double_check
adduser_filevaultAPFS
elif [[ "$secureTokenCheck" =~ "ENABLED" ]]; then
securetoken_success
adduser_filevaultAPFS
else
echo "Error with sysadminctl"
OneButtonInfoBox \
"Failure to run. Please contact $IT" \
"Failure" \
"OK" &
fi
# Clear password variable.
unset loggedInUserPass
unset guiAdminPass
fi
exit 0
Posted on 10-29-2020 05:59 AM
I've had the same issue with most of my new JAMF enrollments. FileVault's been problematic to enable, but I figured out that if I log in as the admin and back out, it does enable. Then the former AD user cannot log in at the FileVault login window. So, what I've been doing is similar to DustinB: remove the local user record, have them re-login, and then re-add them to FileVault. It's a painful process. The basic command is: /usr/bin/dscl . -delete "/Users/$user" but I have a script that allows you to choose which user record to delete. This keeps the User folder, but removes the record. Then I have the user log in via OneLogin and add them back to FileVault.
Posted on 04-05-2021 08:46 AM
Anyone feel good about any of the solutions above? My list of users having this issue is slowly mounting and the current workaround (logging into another local account, getting on the VPN, switching user with the AD password) is not ideal for my users. Been kicking the can down the road waiting for a magical fix. Is there any consensus on the best route to take? Of course we are all working remotely.
01-19-2023 03:07 PM - edited 01-19-2023 03:09 PM
Had the same issue after I had changed my domain password. I already had FileVault enabled and account was an authorized user, same as initial poster.
Issue was easily resolved taking 3 steps from this article (only tip is to check your device name from Disk Utility for step 2):
https://community.jamf.com/t5/jamf-pro/a-reliable-fix-for-filevault-2-password-sync-issue/m-p/234241
Posted on 01-19-2023 03:43 PM
We stopped binding to AD and use Jamf Connect now. So, these issues don’t happen anymore.
Posted on 04-03-2023 06:46 AM
Hello! I just got a Mac computer for a user in my office, as the user requested, and this is the only Mac in my network. I bound it to my AD quite easily, but now I have the same problem as the users above: I can log in with an AD account only if I log in with the local admin account first. If I try to log in directly with an AD account after starting the Mac, or if I reboot it, it won't work. As people say, it seems that's a problem with FileVault, but the policy in my company is to encrypt computers so I had to activate it. I've seen the scripts up above but I'm not used to working with Mac computers so I don't really know what to do with them. If there's a solution to this problem, could someone please explain it to me step by step as if I were 6 (both because I'm a newbie in the Mac environment, and because English is not my native language)? Thank you very much!
Posted on 12-13-2023 09:17 PM
Scenario: Users trying to log in to a Mac computer using their Active Directory (AD) credentials with intermittent success.
Environment: Organization with 3 replicating Active Directory servers including one Azure AD.
Temporary solution: unjoin computer from AD and rejoin again
Possible solution:
1. In Directory Utility, tick on Prefer this domain and enter the name of the AD server closest to you (on site)
2. Optional: Tick create mobile account at login and untick require confirmation
3. Add the closest AD server IP address in the hosts file (they're in **/private/etc/hosts**)
Steps 1 & 2 can be mass-deployed using a profile created using Profile Creator.
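Before pushing those three settings to a fleet it helps to be able to verify them on a machine that already has the problem, and to answer the question that usually follows ("is Create mobile account at login actually checked?") without opening Directory Utility. The script below is an added example, not part of the post above or of any Jamf or Apple tooling: it reads the bind settings from dsconfigad -show, checks that the preferred domain controller is pinned in /private/etc/hosts, and lists which of the three recommendations is missing. The "Key = Value" layout of dsconfigad -show, the "Enabled"/"Disabled"/"not set" values and the key names are assumed from that tool's usual output; the function names and the sample output are mine, and the live reads only happen in main on macOS.

```shell
#!/bin/sh
# Added example, not from the thread: check the AD bind settings the post
# above recommends (preferred DC, mobile accounts at login, no confirmation
# prompt) and that the preferred DC is pinned in /private/etc/hosts.
# Parsers take file/command output as strings so they can be tested on
# constructed samples; the live reads happen only in main() on macOS.

# dsconfigad -show prints "Key = Value" lines with the key padded by spaces
# (format assumed). $1 = that output, $2 = key. Prints the value, or
# "not set" when the key is absent, matching how dsconfigad reports unset keys.
ad_setting() {
  printf '%s\n' "$1" | awk -F' = ' -v k="$2" '
    { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
    key == k { print $2; found = 1; exit }
    END { if (!found) print "not set" }'
}

# hosts file: "<ip> <name> [alias...]" with # comments. $1 = file contents,
# $2 = host name or alias. Prints the pinned IP, or nothing if not pinned.
hosts_ip() {
  printf '%s\n' "$1" | awk -v h="$2" '
    { sub(/#.*/, "") }
    NF >= 2 { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }'
}

# One finding per line for each recommendation that is not in place;
# empty output means all three are set. $1 = dsconfigad output, $2 = hosts file.
bind_findings() {
  dc=$(ad_setting "$1" "Preferred Domain controller")
  [ "$dc" = "not set" ] && echo "no preferred domain controller"
  [ "$(ad_setting "$1" "Create mobile account at login")" = Enabled ] || echo "mobile accounts not created at login"
  [ "$(ad_setting "$1" "Require confirmation")" = Disabled ] || echo "mobile account creation still asks for confirmation"
  if [ "$dc" != "not set" ] && [ -z "$(hosts_ip "$2" "$dc")" ]; then
    echo "preferred DC $dc is not pinned in /private/etc/hosts"
  fi
  return 0
}

main() {
  show=$(dsconfigad -show 2>/dev/null)
  [ -n "$show" ] || { echo "not bound to Active Directory"; exit 1; }
  hosts=$(cat /private/etc/hosts)
  findings=$(bind_findings "$show" "$hosts")
  if [ -z "$findings" ]; then
    echo "bind settings match the recommendation"
  else
    echo "$findings"
  fi
}

# Only read the live system on macOS and only when asked to.
if [ "$(uname)" = Darwin ] && [ "${1:-}" = "--live" ]; then
  main
fi
```

Run with --live on the Mac in question; a clean result means the three recommended settings are present, and each remaining line names exactly one thing to fix. Pinning the DC in the hosts file is a workaround for flaky name resolution rather than a security control, so keep the entry current when that controller is replaced, or logins will fail in the same way the thread describes.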
Posted on 12-13-2023 09:33 PM
In Directory Utility is “Create mobile account at login.” checked in Advanced Options?