Unable to start FileVault

TheCookieMonsta
New Contributor II

I have an asset that was auto-enrolled via Jamf Connect. However, the asset did not do the FileVault encryption even though the policy is there. I opened up a ticket with the to resolve the problem on the new devices. However, I still have a few devices lingering with FileVault not enabled.

I just tried to manually enable one of these assets and then cycle the key. However, it is not letting me.

When I tried with my account, it doesn't take my password or the admin password. If I do it under a user's account, it asks for the admin password, and same thing: it doesn't look like it takes.

This is on an M2 with Ventura (13.6.5).

I know this has to do with the Secure Token not being enabled for the account. Not sure how to fix this. Any help greatly appreciated.

3 REPLIES

AJPinto
Honored Contributor III

Even though this is not likely related, your first step needs to be getting that device up to 14.5. Running N-1 and N-2 builds of macOS is never a good idea.

The only way to get a Secure Token is from an account that has a Secure Token. However, an admin logging in to macOS interactively should receive a Secure Token automatically. You can script the granting of a Secure Token if you know the username AND password of an account with a Secure Token. Though, scripting passwords is very insecure.

For enabling FileVault, don't have Jamf Connect do it. You need to be enabling FileVault with a Configuration Profile from Jamf Pro (or another MDM); this won't resolve any Secure Token issues, but it will make other things work better.


easyedc
Valued Contributor II

Have you checked if you have a Bootstrap Token? If so, that would enable you to generate the Secure Token. Apple has some documentation here

If not granted a secure token at time of creation, in macOS 11 or later, a local user logging in to a Mac computer is granted a secure token during login if a bootstrap token is available from the MDM solution. Use sysadminctl -h for additional usage instructions.

You can do a quick check on Bootstrap Token status, which will help you get a Secure Token, by running some commands.

sudo profiles status -type bootstraptoken
sudo profiles validate -type bootstraptoken


sudo profiles install -type bootstraptoken

And if all else fails, wipe and reload.
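The two replies above describe a procedure: confirm the Bootstrap Token is escrowed, check the Secure Token state of the account, and, if the token cannot come from a login, grant it from an existing holder. The script below is an added example (written for this page, not code from any post in the thread or from Jamf) that strings those steps together. It parses the output of `profiles status -type bootstraptoken` and `sysadminctl -secureTokenStatus` as constructed sample strings so it can be exercised off a Mac; the exact output wording is assumed from those commands' usual messages, and the use of `-` to make `sysadminctl` prompt for passwords instead of taking them on the command line is also an assumption to confirm against `sysadminctl -h`. Run it as root on the affected Mac with `--run <target-user> "<admin1> <admin2>"`.

```shell
#!/bin/bash
# Added example, not from the thread. Decide how an account should get its
# Secure Token, using the Bootstrap Token check and sysadminctl described above.

# Constructed sample outputs (assumed formats) used for offline checks.
SAMPLE_BT_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_BT_MISSING='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_ST_ON='2024-05-01 10:00:00.000 sysadminctl[512:9876] Secure token is ENABLED for user itadmin'
SAMPLE_ST_OFF='2024-05-01 10:00:01.000 sysadminctl[513:9877] Secure token is DISABLED for user bob'
SAMPLE_TABLE='bob DISABLED
itadmin ENABLED
alice ENABLED'

# Classify `sudo profiles status -type bootstraptoken` output.
bootstrap_state() {
    case "$1" in
        *"Bootstrap Token supported on server: NO"*) echo "unsupported" ;;
        *"Bootstrap Token escrowed to server: YES"*) echo "escrowed" ;;
        *"Bootstrap Token escrowed to server: NO"*)  echo "not-escrowed" ;;
        *) echo "unknown" ;;
    esac
}

# Classify `sysadminctl -secureTokenStatus <user> 2>&1` output.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "ENABLED" ;;
        *"Secure token is DISABLED"*) echo "DISABLED" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# none: already has a token. login: macOS 11+ grants it at the login window
# from the escrowed Bootstrap Token. grant: need an existing holder. inspect: unparsed.
recommend_action() {
    bt="$1"; st="$2"
    case "$st" in
        ENABLED)  echo "none" ;;
        DISABLED) if [ "$bt" = "escrowed" ]; then echo "login"; else echo "grant"; fi ;;
        *)        echo "inspect" ;;
    esac
}

# Input: lines of "<user> <ENABLED|DISABLED>". Prints the first token holder, if any.
first_token_holder() {
    printf '%s\n' "$1" | while read -r name state; do
        if [ "$state" = "ENABLED" ]; then echo "$name"; break; fi
    done
}

# Grant a Secure Token to $1 using holder $2. "-" asks sysadminctl to prompt for
# each password (assumed; see sysadminctl -h) so no password sits in the script.
grant_secure_token() {
    sysadminctl -secureTokenOn "$1" -password - -adminUser "$2" -adminPassword -
}

main() {
    target="$1"; candidates="$2"
    bt=$(bootstrap_state "$(profiles status -type bootstraptoken 2>&1)")
    st=$(secure_token_state "$(sysadminctl -secureTokenStatus "$target" 2>&1)")
    echo "Bootstrap Token: $bt; Secure Token for $target: $st"
    case "$(recommend_action "$bt" "$st")" in
        none)  echo "Nothing to do." ;;
        login) echo "Log $target in at the login window; the escrowed Bootstrap Token should grant the token." ;;
        grant)
            table=""
            for u in $candidates; do
                table="$table$u $(secure_token_state "$(sysadminctl -secureTokenStatus "$u" 2>&1)")
"
            done
            holder=$(first_token_holder "$table")
            if [ -z "$holder" ]; then
                echo "No candidate account holds a Secure Token; wipe and reload may be the only way." >&2
                return 1
            fi
            grant_secure_token "$target" "$holder" ;;
        *) echo "Could not parse sysadminctl output for $target; run it by hand." >&2; return 1 ;;
    esac
}

# Only touch the live system when explicitly asked, and only on macOS.
if [ "${1:-}" = "--run" ] && [ "$(uname)" = "Darwin" ]; then
    main "$2" "$3"
fi
```

The decision table is the point: with an escrowed Bootstrap Token a plain login of the user is enough on macOS 11 and later, and the interactive grant is only the fallback, which is why the script checks `profiles status` before reaching for `sysadminctl -secureTokenOn`.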

easyedc
Valued Contributor II

Jamf should have a line entry for your Mac if the Bootstrap Token is escrowed (Inventory tab > Security). I also have an EA running to check which users have a Secure Token.

#!/bin/bash

#  Secure Token Enabled Users.sh
#
#  Created by Ed C on 7/13/21.
#
#  Jamf extension attribute: reports the local users (UID 500 and up)
#  that hold a Secure Token, comma-separated inside one <result> tag.

# Local accounts with a UID of 500 or higher; this skips system accounts
# and the _ service accounts instead of matching an underscore anywhere.
AllUsers=$(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}')

SecureTokenUsers=()

for EachUser in $AllUsers; do
    # sysadminctl writes its status line to stderr, so fold it into stdout.
    TokenValue=$(sysadminctl -secureTokenStatus "$EachUser" 2>&1)

    # Progress goes to stderr so it cannot land inside the EA result.
    echo "Checking $EachUser" >&2
    if [[ $TokenValue == *"ENABLED"* ]]; then
        SecureTokenUsers+=("$EachUser")
    fi
done

if [[ ${#SecureTokenUsers[@]} -eq 0 ]]; then
    echo "<result>No Users</result>"
else
    # Join the names with commas; no trailing comma after the closing tag.
    echo "<result>$(IFS=,; echo "${SecureTokenUsers[*]}")</result>"
fi

exit 0