Help

Unable to start FileVault

TheCookieMonsta
New Contributor

2 weeks ago

I have an asset that was auto-enroll via JAMF connect. However, the asset did not do the filevault encryption eventho the policy is there. I opened up a ticket with the to resolve the problem ont he new devices. However, I still have a few devices lingering with filevault not enable.

I just tried to manually enable one of these assets and then cycle the key. However, it is not letting me.

when I tried with my account. it doesnt take my password or the admin password. if I do it under, a users account it asks for the admin password and the same thing it doenst look like it takes.

This is on a M2 with Ventura (13.6.5)

I know this has to do with the security token not being enable for the account. Not sure how to fix this. any help greatly appreciated.

 

0 Kudos
3 REPLIES 3

AJPinto
Honored Contributor III

2 weeks ago

Even though this is not likely related, your 1st step needs to get that device up to 14.5. Running N-1 and N-2 builds of macOS is never a good idea.

 

The only way to get a Secure Token, is from an account that has a Secure Token. However, and admin logging in to macOS interactively should receive a Secure Token automatically. You can script the granting of a Secure Token if you know the username AND password of an account with a Secure Token. Though, scripting passwords is very insecure.

 

For enabling FileVault, don't have Jamf Connect do it. You need to be enabling FileVault with a Configuration Profile from Jamf Pro (or another MDM), this won't resolve any Secure Token issues, but it will make other things work better.

 

 

 

 

0 Kudos

easyedc
Valued Contributor II

a week ago

Have you checked if you have a Bootstrap Token? If so that would enable you to generate the Secure Token.  Apple has some documentation here

 If not granted a secure token at time of creation, in macOS 11 or later, a local user logging in to a Mac computer is granted a secure token during login if a bootstrap token is available from the MDM solution. Use sysadminctl -h for additional usage instructions.

  You can do a quick check on Bootstrap Token status, which will help you get a Secure Token, by running some commands. 

sudo profiles status -type bootstraptoken
sudo profiles validate -type bootstraptoken


sudo profiles install -type bootstraptoken

And if all else fails, wipe and reload.

0 Kudos

easyedc
Valued Contributor II
In response to easyedc

a week ago

Jamf should have a line entry for your Mac if Bootstrap Token is escrowed (Inventory Tab > Security). I also have an EA running to check which users have a Secure Token

#!/bin/sh

#  Secure Token Enabled Users.sh
#  
#
#  Created by Ed C on 7/13/21.
#  
AllUsers=$(dscl . list /Users | grep -v _)

for EachUser in $AllUsers; do

TokenValue=$(sysadminctl -secureTokenStatus $EachUser 2>&1)

echo "Checking $EachUser"
    if [[ $TokenValue = *"ENABLED"* ]]; then
    SecureTokenUsers+=($EachUser)
    fi
done

    if [[ -z "${SecureTokenUsers[@]}" ]]; then
        echo "<result>No Users</result>"
        else
        printf '%s,' '<result>'"${SecureTokenUsers[@]}"'</result>'
    fi
    
exit
0 Kudos