This week I have been running a macOS 10.13 Support Essentials course. As part of the course, we cover the security features of macOS and in particular FileVault. During the exercise for this lesson I came across an issue which did not allow us to set up FileVault.
Below is the error:
To put the device setup into context, we had eight MacBook Pro (13” Mid 2012) machines and a lonely MacBook Pro (13” Late 2011). These were all imaged using DeployStudio from the same image, an image which has also been used on numerous occasions with no issue.
Now, this error message appeared on only six of the devices, including the Late 2011 Mac. Naturally, I researched this error message and found Apple Support Article HT208171. According to the article, this error is due to using Mobile Accounts, which is amusing considering we were not using a Directory Service. The resolution given for this error was to log in as another admin and turn on FileVault. Unfortunately, I was the only admin on the device.
Now for the resolution!
In 10.13, FileVault authentication for FileVault-encrypted volumes requires a user to have a secure token: only an account holding a token can be enabled to unlock the encrypted volume. This secure token should be added to the first admin account created during the Setup Assistant, which unfortunately was the account I was using. I remembered reading an article by Rich Trouton on his Der Flounder blog about this new system for FileVault authentication.
Using the sysadminctl command I checked whether the secure token was applied to my Setup Assistant-created admin account:
sysadminctl interactive -secureTokenStatus username
The local admin had the secure token disabled. I attempted to enable it using the command below:
sysadminctl interactive -secureTokenOn username -password password
This gave me the below error:
2018-03-20 17:25:08.036 sysadminctl[8666:724459] ### Error:-14090 File:/BuildRoot/Library/Caches/com.apple.xbs/Sources/Admin/Admin-674/DSAuthenticator.m Line:94
2018-03-20 17:25:08.037 sysadminctl[8666:724459] ----------------------------
2018-03-20 17:25:08.037 sysadminctl[8666:724459] No clear text password or interactive option was specified (adduser, change/reset password will not allow user to use FDE) !
2018-03-20 17:25:08.037 sysadminctl[8666:724459] ----------------------------
2018-03-20 17:25:08.037 sysadminctl[8666:724459] Operation is not permitted without secure token unlock.
I decided to check whether any of the standard users had the secure token enabled and, lo and behold, one of them did. Using System Preferences > Users & Groups I made that user an admin.
Upon restart this allowed me to enable FileVault and eventually continue the course! Once I had an admin with a secure token, I could also enable the secure token for the other users.
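The steps above (check every local account's secure token status, find one that holds a token, then use that account to grant the token to the original admin) can be scripted. The following is an added example, not part of the original post: it assumes macOS 10.13 or later, that `sysadminctl -secureTokenStatus` reports a line containing "Secure token is ENABLED" or "Secure token is DISABLED" (the format seen on 10.13), and that `dscl` is available for listing local users. The `SYSADMINCTL` variable exists only so the parsing logic can be exercised off a Mac.

```shell
#!/bin/bash
# Added example (not from the original post): locate a local account that holds a
# secure token and use it to grant the token to another account.
# Assumption: sysadminctl -secureTokenStatus prints "Secure token is ENABLED/DISABLED for user X"
# on stderr, as observed on macOS 10.13.

# Command used to query/grant tokens; overridable so the logic can be tested without macOS.
SYSADMINCTL="${SYSADMINCTL:-sysadminctl}"

# Reduce one sysadminctl -secureTokenStatus output blob to ENABLED, DISABLED or UNKNOWN.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Query one user. sysadminctl logs to stderr, so merge it into stdout before parsing.
query_user() {
    secure_token_state "$("$SYSADMINCTL" -secureTokenStatus "$1" 2>&1)"
}

# List local accounts with UID >= 500 (the human users); dscl exists on macOS only.
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Report "user STATE" for each user on stderr; print the first token holder on stdout.
# Exit status 1 if no account holds a secure token (the situation described in the post).
first_token_holder() {
    local u state
    for u in "$@"; do
        state=$(query_user "$u")
        echo "$u $state" >&2
        if [ "$state" = ENABLED ]; then
            echo "$u"
            return 0
        fi
    done
    return 1
}

# Grant a secure token to $2 using the existing holder $1.
# Both passwords are read from the terminal rather than typed on the command line,
# where they would be visible in the shell history.
grant_token() {
    local holder="$1" target="$2" hpw tpw
    printf 'Password for token holder %s: ' "$holder"; read -rs hpw; echo
    printf 'Password for %s: ' "$target"; read -rs tpw; echo
    "$SYSADMINCTL" -adminUser "$holder" -adminPassword "$hpw" \
                   -secureTokenOn "$target" -password "$tpw"
}

# Usage on a Mac (as root): RUN_TOKEN_SCAN=1 ./securetoken.sh [target-user]
# Scans local users and, if a target is given, grants it a token from the first holder.
if [ "${RUN_TOKEN_SCAN:-0}" = 1 ]; then
    holder=$(first_token_holder $(local_users)) \
        || { echo "no local user holds a secure token" >&2; exit 1; }
    [ -n "${1:-}" ] && grant_token "$holder" "$1"
fi
```

After the grant, re-run the scan: the target should now report ENABLED, and FileVault can be turned on from that account. The post's own `sysadminctl interactive ...` form prompts for the admin credentials instead of taking `-adminUser`/`-adminPassword`; either works once a token holder is known.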
How this actually occurred is an oddity but hopefully this will help resolve the issue for others in the future.
If you’re an IT professional supporting Macs in your business or educational establishment, then have a look at our training options. macOS Support Essentials is the Apple Certified course for supporting your users.