Posted on 06-20-2024 09:59 AM
I have an asset that was auto-enrolled via Jamf Connect. However, the asset did not do the FileVault encryption even though the policy is there. I opened up a ticket to resolve the problem on the new devices. However, I still have a few devices lingering with FileVault not enabled.
I just tried to manually enable one of these assets and then cycle the key. However, it is not letting me.
When I tried with my account, it doesn't take my password or the admin password. If I do it under a user's account, it asks for the admin password, and the same thing happens: it doesn't look like it takes.
This is on an M2 with Ventura (13.6.5).
I know this has to do with the Secure Token not being enabled for the account. Not sure how to fix this. Any help greatly appreciated.
Posted on 06-20-2024 11:50 AM
Even though this is not likely related, your first step needs to be getting that device up to 14.5. Running N-1 and N-2 builds of macOS is never a good idea.
The only way to get a Secure Token is from an account that has a Secure Token. However, an admin logging in to macOS interactively should receive a Secure Token automatically. You can script the granting of a Secure Token if you know the username AND password of an account with a Secure Token. Though, scripting passwords is very insecure.
For enabling FileVault, don't have Jamf Connect do it. You need to be enabling FileVault with a configuration profile from Jamf Pro (or another MDM); this won't resolve any Secure Token issues, but it will make other things work better.
Posted on 06-24-2024 06:14 AM
Have you checked if you have a Bootstrap Token? If so, that would enable you to generate the Secure Token. Apple has some documentation here.
If not granted a secure token at time of creation, in macOS 11 or later, a local user logging in to a Mac computer is granted a secure token during login if a bootstrap token is available from the MDM solution. Use sysadminctl -h for additional usage instructions.
You can do a quick check on Bootstrap Token status, which will help you get a Secure Token, by running some commands.
sudo profiles status -type bootstraptoken
sudo profiles validate -type bootstraptoken
sudo profiles install -type bootstraptoken
And if all else fails, wipe and reload.
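The check-then-fix procedure from the two replies above (verify Bootstrap Token escrow, check which accounts hold a Secure Token, then grant one from a token-holding admin without putting passwords on the command line), as an added example that is not part of the thread and not anyone's posted script. It assumes macOS 11 or later run as root, and it assumes the exact wording of the sysadminctl, profiles and fdesetup output it matches; those strings are something to re-check on your own build. The parsing helpers are plain shell, so they can be exercised on any system with constructed sample output.

```shell
#!/bin/bash
# Added example (not from the thread). Triage for a Mac whose local account
# has no Secure Token, so FileVault cannot be enabled for it, plus the
# remediation path the replies describe. Run as root (sudo) on macOS 11+.
#
# Assumption: the tool output wording matched below ("Secure token is
# ENABLED/DISABLED", "Bootstrap Token ... YES/NO", "FileVault is On/Off")
# is what sysadminctl, profiles and fdesetup print; re-check on your build.

# --- pure helpers: interpret tool output (no macOS needed) ------------------

# sysadminctl -secureTokenStatus <user> writes one line to stderr, e.g.
#   sysadminctl[1234:5678] Secure token is ENABLED for user Jane Admin
# Returns 0 = enabled, 1 = disabled, 2 = unrecognised output (no such user,
# or a wording change on a newer macOS).
secure_token_enabled() {
    case "$1" in
        *"Secure token is ENABLED"*)  return 0 ;;
        *"Secure token is DISABLED"*) return 1 ;;
        *)                            return 2 ;;
    esac
}

# profiles status -type bootstraptoken prints two lines, e.g.
#   profiles: Bootstrap Token supported on server: YES
#   profiles: Bootstrap Token escrowed to server: YES
# Returns 0 only when the MDM supports it AND this Mac has escrowed one.
bootstrap_token_escrowed() {
    case "$1" in *"supported on server: YES"*) ;; *) return 1 ;; esac
    case "$1" in *"escrowed to server: YES"*)  return 0 ;; *) return 1 ;; esac
}

# fdesetup status prints "FileVault is On." or "FileVault is Off."
filevault_on() {
    case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# --- live checks and remediation (macOS only) -------------------------------

report_token() {
    # $1 = short name of a local account; sysadminctl reports on stderr.
    if secure_token_enabled "$(sysadminctl -secureTokenStatus "$1" 2>&1)"; then
        echo "$1: Secure Token ENABLED"
    else
        echo "$1: Secure Token DISABLED (or account not found)"
    fi
}

grant_token() {
    # $1 = account to fix, $2 = admin account that already holds a token.
    # Passing '-' makes sysadminctl prompt for each password on the terminal,
    # so neither password sits in the script, shell history or ps output
    # (the "scripting passwords is very insecure" concern from the thread).
    sysadminctl -secureTokenOn "$1" -password - -adminUser "$2" -adminPassword -
    report_token "$1"
}

main() {
    target="${1:?usage: sudo $0 <account-without-token> <admin-with-token>}"
    admin="${2:?usage: sudo $0 <account-without-token> <admin-with-token>}"

    echo "== Bootstrap Token =="
    bt=$(profiles status -type bootstraptoken 2>&1); echo "$bt"
    if bootstrap_token_escrowed "$bt"; then
        echo "Escrowed: on macOS 11+ a local user is granted a Secure Token at the next interactive login."
    else
        echo "Not escrowed: run 'sudo profiles install -type bootstraptoken' as a token-holding admin, then re-check."
    fi

    echo "== Secure Token =="
    report_token "$admin"
    report_token "$target"

    echo "== FileVault =="
    fv=$(fdesetup status); echo "$fv"
    filevault_on "$fv" || echo "FileVault is off; enable it with an MDM configuration profile once $target holds a token."

    # Grant only when the target really lacks a token and the admin has one.
    rc=0; secure_token_enabled "$(sysadminctl -secureTokenStatus "$target" 2>&1)" || rc=$?
    if [ "$rc" -eq 1 ] && secure_token_enabled "$(sysadminctl -secureTokenStatus "$admin" 2>&1)"; then
        grant_token "$target" "$admin"
    elif [ "$rc" -eq 2 ]; then
        echo "Could not read Secure Token status for $target; check the account name."
    fi
}

# Only the live part is macOS-specific; the helpers above can be sourced anywhere.
if [ "$(uname)" = "Darwin" ]; then
    main "$@"
fi
```

Usage: `sudo ./securetoken-triage.sh <user-without-token> <admin-with-token>`. The grant step only runs when the admin account actually holds a token; if nobody on the Mac does, the only remaining paths are the escrowed Bootstrap Token (have the user log in interactively) or the wipe-and-reload the reply above ends with.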
Posted on 06-24-2024 06:19 AM
Jamf should have a line entry for your Mac if the Bootstrap Token is escrowed (Inventory Tab > Security). I also have an EA running to check which users have a Secure Token.
#!/bin/bash
# Secure Token Enabled Users.sh
#
# Jamf extension attribute: lists the local accounts that hold a Secure Token.
# Needs bash rather than sh because it uses arrays and [[ ]].
#
# Created by Ed C on 7/13/21.
#
AllUsers=$(dscl . list /Users | grep -v _)
SecureTokenUsers=()
for EachUser in $AllUsers; do
    # sysadminctl reports the status on stderr, hence 2>&1
    TokenValue=$(sysadminctl -secureTokenStatus "$EachUser" 2>&1)
    echo "Checking $EachUser" >&2   # progress to stderr; stdout carries only the <result> block
    if [[ $TokenValue = *"ENABLED"* ]]; then
        SecureTokenUsers+=("$EachUser")
    fi
done
if [[ ${#SecureTokenUsers[@]} -eq 0 ]]; then
    echo "<result>No Users</result>"
else
    # comma-joined list with no trailing comma after </result>
    echo "<result>$(IFS=,; echo "${SecureTokenUsers[*]}")</result>"
fi
exit 0