Posted on 11-14-2017 05:43 AM
AD Users.
So I have seen this issue on a few of my machines, where the user is authorized to unlock the machine from FileVault but on restart only the local admin is showing up.
Turning FileVault off and back on for the user I want to be able to get in does work. But that's like a day process.
Anyone else have any thoughts?
Posted on 11-15-2017 10:55 AM
OK, figured it out by looking at a lot of other forums. Mostly this one below:
https://www.jamf.com/jamf-nation/discussions/25692/high-sierra-10-13-encrypted-users-not-showing-at-filevault-login-screen
I needed to do the following to make it work with an AD account.
Then I ran
sudo rm /var/db/.AppleSetupDone
Restart the computer. This gave me an admin with a secure token. With that I ran
sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenOn "$username" -password "$user_password"
In this context, $username (and their password $user_password) is the user you want to provide a secure token to. The $GUIAdmin is an administrator that was created either via a DEP workflow or through the GUI. As has been explained to me, in order to provide a secure token to a user, the account you’re doing this from needs to have a secure token as well.
Thanks to babodee for the above.
After that I restarted the Mac and it didn't see the AD user, even though now the user had the token and was no longer showing up as someone who couldn't unlock FileVault.
Then with what @koalatee gave me I ran
sudo diskutil apfs updatePreboot /
and we were up and running.
Posted on 11-15-2017 06:59 AM
We had the same issue on a machine that was upgraded to High Sierra. I know this sounds odd, but we discovered that changing the user's account icon then rebooting did the trick.
Posted on 11-15-2017 07:37 AM
Saw this on macadmins.slack.com yesterday:
sudo diskutil apfs updatePreboot /
Resolved the issue for someone there.
Posted on 01-03-2018 06:26 AM
Issue still resides in OS 10.13.2. Confirmed that changing the user image and restarting corrected the issue for us.
Posted on 03-23-2018 10:37 AM
@stelteritadmin I tried many of the above steps to fix this issue on 10.13.3; your suggestion worked perfectly. I had the AD users select an image for their account... done!
Posted on 03-23-2018 10:49 AM
BTW, I finagled/updated @mario's script and you can run it straight from Self Service. You input the existing secure token username/password and the logged-in user's password, and then it enables the Secure Token, runs the updatePreboot, and adds the user to FileVault.
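Putting the accepted answer's two steps (the sysadminctl Secure Token grant, then diskutil apfs updatePreboot) together with the Self Service flow described in the post above, here is an added example script; it is not the script posted in the thread. It assumes macOS 10.13+ on APFS, running as root from a Jamf policy, and the parameter layout given in the comments ($4 token-holding admin, $5 its password, $6 the logged-in user's password) is an assumption.

```bash
#!/bin/bash
# Added example, not the thread's own script: from a Self Service policy, grant
# a Secure Token to the logged-in user via an existing token holder, refresh
# the APFS Preboot volume so the user shows at the FileVault screen, then add
# the user to FileVault. Assumes macOS 10.13+ on APFS, run as root.
set -u

# Run a command, or print it when DRY_RUN=1 so the plan can be reviewed (and
# exercised) on a host without the macOS tools.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# sysadminctl reports "Secure token is ENABLED/DISABLED for user ..." on stderr.
token_enabled() { sysadminctl -secureTokenStatus "$1" 2>&1 | grep -q 'ENABLED'; }

# Escape a value for the plist; a password containing & or < would otherwise
# corrupt the XML and make fdesetup reject it.
xml_esc() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# Build the fdesetup input plist: $1/$2 is an already FileVault-enabled user
# authorising the add, $3/$4 the user being added. Feeding it on stdin keeps
# the passwords out of the process list (sysadminctl offers no such option).
fv_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
  printf '<key>Username</key><string>%s</string>\n' "$(xml_esc "$1")"
  printf '<key>Password</key><string>%s</string>\n' "$(xml_esc "$2")"
  printf '<key>AdditionalUsers</key><array><dict>\n'
  printf '<key>Username</key><string>%s</string>\n' "$(xml_esc "$3")"
  printf '<key>Password</key><string>%s</string>\n' "$(xml_esc "$4")"
  printf '</dict></array></dict></plist>\n'
}
grant_and_enable() {
  admin="$1"; admin_pw="$2"; user="$3"; user_pw="$4"
  # Only a token holder can grant a token; fail early with a clear message.
  if [ "${DRY_RUN:-0}" != "1" ] && ! token_enabled "$admin"; then
    echo "error: $admin has no Secure Token, so it cannot grant one" >&2; return 1
  fi
  run sysadminctl -adminUser "$admin" -adminPassword "$admin_pw" \
      -secureTokenOn "$user" -password "$user_pw" || return 1
  run diskutil apfs updatePreboot / || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'fdesetup add -usertoadd %s -inputplist\n' "$user"
  else
    fv_plist "$admin" "$admin_pw" "$user" "$user_pw" | fdesetup add -usertoadd "$user" -inputplist
  fi
}

# Jamf passes the logged-in user as $3 and policy parameters from $4 onward
# (assumption: $4 = token-holding admin, $5 = its password, $6 = user password).
if [ "$#" -ge 6 ]; then grant_and_enable "$4" "$5" "$3" "$6"; fi
```

Run it once with DRY_RUN=1 to see the three commands it would issue before letting the policy execute them for real.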
Posted on 03-26-2018 06:26 AM
Confirming that selecting an account image works. Now the question is, can I enforce a default profile pic for all new users? I've never thought to look into it, but this crazy solution has me thinking.
Posted on 03-26-2018 01:29 PM
I just tested the account image and that fixes it. Anyone know of a way to push out a default profile picture? I can only find out how to do it when setting up a new admin account.
Posted on 05-22-2018 09:52 AM
Is it only one of the default account images? On 10.13.4 and have a user that already has a custom icon, but we are in the same boat.
Posted on 08-23-2018 03:27 PM
@jalcorn worked like a charm! Thank you for figuring this out!!
Posted on 11-01-2018 07:48 AM
We have a ticket with Apple, where if the first account created on the computer has a Secure Token, but if you hide the account, it breaks Secure Token. Unhiding the account fixes the problem. Apple is checking if hiding a Secure Token enabled account is supposed to break Secure Token for that user.
Posted on 11-01-2018 08:09 AM
@donmontalvo How were you hiding it?
I noticed the same, by changing the UserShell to /usr/bin/false. Though I hadn't tried unhiding it to see if its status was restored.
I'm still at a loss for an automated workflow to enable one standard account for FileVault use only on 10.14. The best we could do so far was turn on GUI account creation, force a reboot at login with a startup script, then log into the standard account that JAMF created, run the Self Service policy to prompt the user for the passwords so that the GUI admin account can grant a token and enable FileVault. Then restart again and run another policy that removes the SecureTokenGrantingAccount from FileVault and then changes the shells to false for both that account and the FileVaultUnlock account.
We need an automated way for the JSS Service Account to be granted a token while still keeping its password random and unknown to all users and techs.
Posted on 12-02-2019 06:48 AM
Thanks @koalatee, the updating of the Preboot worked great. Do you think there is any harm in doing this site-wide via shell on all my FileVault computers? I have a localadmin account that does not show up on most vaulted computers despite my UserPolicy change that should have made that happen.
Posted on 12-02-2019 07:16 AM
Nope, no harm. It just verifies that the users that can unlock FileVault are showing up properly on the FV auth screen.
Posted on 12-02-2019 07:25 AM
@KrisMallory sorry, totally missed your post. We are using Apple's newest method:
https://support.apple.com/en-us/HT203998
But we are only doing it once an approved user is FileVault 2 enabled.
The Apple ticket was to sort out if the disable when hiding part is intentional or an issue.
HTH,
Don