Users added to File Vault but don't show up to unlock it.

jalcorn
Contributor II

AD Users.

So i have seen this issue on a few of my machines. Were the user is authorized to unlock the machine from file vault but on restart only the local admin is showing up.

Turning File Vault off and back on, on the user i want to be able to get in does work. But thats like a day process.

Anyone else have any thoughts?

1 ACCEPTED SOLUTION

jalcorn
Contributor II

ok, figured it out. By looking at a lot of other forms. Mostly this one below

https://www.jamf.com/jamf-nation/discussions/25692/high-sierra-10-13-encrypted-users-not-showing-at-filevault-login-screen

I needed to do the following to make it work with an AD account.

  • first i ran sudo sysadminctl -secureTokenStatus [username] to make sure it was coming back as disabled.

Then i ran
sudo rm /var/db/.AppleSetupDone

Restart the computer. This gave me an admin with a secure token. With that i ran

sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenOn "$username" -password "$user_password"

In this context, $username (and their password $user_password) is the user you want to provide a secure token to. The $GUIAdmin is an administrator that was created either via a DEP workflow or through the GUI. As has been explained to me, in order to provide a secure token to a user, the account you’re doing this from needs to have a secure token as well.

Thanks to babodee for the above

After that i restarted the mac and it didn't see the AD user. Even though now the user had the token and was no longer showing up as someone who couldn't unlock file vault.

Then with what @koalatee gave me i ran

sudo diskutil apfs updatePreboot /

and we were up and running.

View solution in original post

15 REPLIES 15

jelagin
New Contributor

We had the same issue on a machine that was upgraded to High Sierra. I know this sounds odd, but we discovered that changing the user's account icon then rebooting did the trick.

koalatee
Contributor II

Saw this on macadmins.slack.com yesterday:

sudo diskutil apfs updatePreboot /

Resolved the issue for someone there.

jalcorn
Contributor II

ok, figured it out. By looking at a lot of other forms. Mostly this one below

https://www.jamf.com/jamf-nation/discussions/25692/high-sierra-10-13-encrypted-users-not-showing-at-filevault-login-screen

I needed to do the following to make it work with an AD account.

  • first i ran sudo sysadminctl -secureTokenStatus [username] to make sure it was coming back as disabled.

Then i ran
sudo rm /var/db/.AppleSetupDone

Restart the computer. This gave me an admin with a secure token. With that i ran

sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenOn "$username" -password "$user_password"

In this context, $username (and their password $user_password) is the user you want to provide a secure token to. The $GUIAdmin is an administrator that was created either via a DEP workflow or through the GUI. As has been explained to me, in order to provide a secure token to a user, the account you’re doing this from needs to have a secure token as well.

Thanks to babodee for the above

After that i restarted the mac and it didn't see the AD user. Even though now the user had the token and was no longer showing up as someone who couldn't unlock file vault.

Then with what @koalatee gave me i ran

sudo diskutil apfs updatePreboot /

and we were up and running.

stelteritadmin
New Contributor

Issue still resides in OS 10.13.2. Confirmed that changing the user image and restarting corrected the issue for us.

LeeGibson
New Contributor III

@stelteritadmin I tried many of the above steps to fix this issue on 10.13.3, your suggestion worked perfectly. I had the AD users select image for their account... done!

koalatee
Contributor II

btw I finagled/updated @mario 's script and you can run it straight from Self Service. You input the existing secure token username/password, the logged in user's password, and then it enables secureToken, runs the updatePreboot, and adds to Filevault.

High Sierra User Setup

Jconary82
New Contributor II

Confirming that selecting a account image works. Now the question is, can I enforce a default profile pic for all new users? I've never thought to look into it but this crazy solution has me thinking.

Pacers31Colts18
New Contributor

I just tested the account image and that fixes it. Anyone know of a way to push out a default profile picture? I can only find out how to do it when setting up a new admin account.

darthmaverick
New Contributor III

Is it only one of the default account images? On 10.13.4 and have a user that already has a custom icon, but we are in the same boat.

rshelton
New Contributor

@jalcorn worked like a charm! Thank you for figuring this out!!

donmontalvo
Esteemed Contributor III

We have a ticket with Apple, where if the first account created on the computer has a Secure Token, but if you hide the account, it breaks Secure Token. Unhiding the account fixes the problem. Apple is checking if hiding a Secure Token enabled account is supposed to break Secure Token for that user.

--
https://donmontalvo.com

KrisMallory
New Contributor III

@donmontalvo How were you hiding it?

I noticed the same, by changing the UserShell to /usr/bin/false. Though I hadn't tried unhiding it to see if it's status was restored.

I'm still at a loss for an automated workflow to enable one standard account for filevault use only on 10.14. The best we could do so far was turn on GUI account creation, force a reboot at login with a start up script, then log into the standard account that JAMF created, run the self service policy to prompt the user for the passwords so that gui admin account can grant a token and enable filevault. Then restart again and run another policy that removes the SecureTokenGrantingAccount from Filevault and then change the shells to false for both that account to the FileVaultUnlock Account.

We need an automated way for the JSS Service Account to be granted a token while still keeping it's password random and unknown to all users and techs.

solutionscubed
New Contributor II

Thanks @koalatee the updating of the Preboot worked great. Do you think there is any harm in doing this site wide va shell on all my FileVault computers? I have a localadmin account that does not show up on most vaulted computers despite my UserPolicy change that should have made that happen.

koalatee
Contributor II

Nope, no harm. It just verifies that the users that can unlock Filevault are showing up properly on the FV auth screen.

donmontalvo
Esteemed Contributor III

@KrisMallory sorry, totally missed your post. We are using Apple's newest method:

https://support.apple.com/en-us/HT203998

But we are only doing it once an approved user is FileVault 2 enabled.

The Apple ticket was to sort out if the disable when hiding part is intentional or an issue.

HTH,
Don

--
https://donmontalvo.com