Mac running build 10.13.x fails to initiate FileVault2 setup and encryption when using Centrify Group Policy, but does work for builds earlier than this.Cause:
As part of Apple File System’s FileVault2 encryption on macOS High Sierra, Apple introduced "Secure Token." This is a new attribute, and is required to be added to a user account before that account can be enabled for FileVault2 on an encrypted Apple File System (APFS) volume.
By default, the first account that logs into a new Mac, will automatically be assigned a Secure Token. Subsequent users created on the Mac will also be assigned the token, provided they are created using a local Administrator with a secureToken as well. Note that the root account does not have the secureToken. This means that using Centrify MDM with a Local Account Password Manager (LAPM) policy will not
create an Administrator with the token. Additionally, Network users (with a mobile account) will also not have a secureToken either.
Because of this;
1. Network Users will not be able to initiate FileVault2 encryption using Group policy
2. Administrator may not be able to add a Network Mobile account as a FileVault2 unlocker account
*Note that a migrated account will also not have a secureToken, because this is a Network user that has taken over ownership of the previously created local account Home folder using a CHOWN process. Workaround:Group Policy does not take effect and FileVault2 is not initiated automatically:
In order to bypass this issue, the Network Mobile account will need to be assigned a secureToken before they can initiate FIleVault encryption via Group policy.
To do this;
1. First verify the Local Administrator account that will be used to do this, has a secureToken. This can be checked by logging in as the local administrator and using the following command:
sysadminctl interactive -secureTokenStatus <username_goes_here>
2. If the results are 'Secure token is ENABLED for user <username_goes_here> ', then this account can be used to grant a secureToken for the Network Mobile account. If the results are 'Secure token is DISABLED for user <username_goes_here>', then the initial Administrator account that was used when the Mac was first set up should login and retry.
3. Next, the Network Mobile account (user in Group policy listed as Managedby user) will need a secureToken. To do this, the above local administrator should login and run the following command;
sysadminctl interactive -secureTokenOn <username_which_needs_secure_token_goes_here> -password -
4. Next, confirm that the Network mobile account now has a token by running the command in step 1 again, but with the Network Mobile account user instead. If ENABLED is shown, the User can now log off and back in (sometimes a few times) to initiate FIleVault2 Encryption.
FIleVault2 is enabled, but Administrator cannot add a Network Mobile account to the Unlocker list:
FIleVault2 prompt to initiate is seen for Mac enrolled in Centrify Admin portal, but fails to initiate after Network Mobile user enters password:
If the Mac has FileVault2 enabled, and an Administrator is not able to add a Network Mobile account to the Unlocker list, the following is needed.
1. Login using a Local Admin account (not a Network Admin that is mapped to the Local Admin group UNLESS this Administrator has a secureToken. See steps above under step 1 of "Group Policy does not take effect and FileVault2 is not initiated automatically:"
2. Browse to System Preferences>Security & Privacy>FileVault and click the lock to unlock.
3. The button that indicates that "Some users are not able to unlock the disk" option. The Network Mobile account should be listed here. Click the option to "Enable User", and when prompted, ask the User to add their password.
This can also be done by using the steps in "Group Policy does not take effect and FileVault2 is not initiated automatically
:" above, step 3.
1. Steps for "Group Policy does not take effect and FileVault2 is not initiated automatically:" should be used to modify the Network Mobile Account to have a token. Then, when the user logs out, the prompt will be seen again and will ask for password. Enter the user password and FileVault2 will be initiated.
Currently, the workaround is the only solution. Centrify will continue to evaluate other approaches to help automate this process.