Applies to: Centrify Identity Service, Mac Edition version 5.5.0 or above
After performing the steps in the following KB to enable FileVault2 on 10.13.x:
KB-10010: FileVault2 fails to initiate for macOS 10.13.x High Sierra systems using Centrify Group Policy and/or cannot add a mobile account as a FileVault unlocker account
we noticed that the recovery key does not appear to be sent back to Active Directory.
Enabling FileVault2 on High Sierra behaves differently (SecureToken): enabling FileVault no longer triggers a restart of the Mac, while the recovery key transfer is triggered during the startup of adclient. As a result, the recovery key is not sent back to Active Directory as expected.
One more step is needed after enabling FileVault. The following is an example of how FileVault should be enabled on 10.13.x with Centrify agent version 5.5.0 or above.
1. On the Domain Controller, open Server Manager, go to Features, choose “Add Features” and add the following feature:
- Remote Server Administration Tools
- Feature Administration Tools
- BitLocker Drive Encryption Administration Utilities
2. On the Mac, install Centrify agent version 5.5.0 or above and join domain via Centrify
3. Set “Managed By” user (for example, mobileu1) in ADUC for the joined Mac computer object at Active Directory
4. Log in to the Mac as “mobileu1” to trigger the creation of the mobile account
5. Log back in as “macadmin”, run:
#sudo sysadminctl -adminUser macadmin -adminPassword <password> -secureTokenOn mobileu1 -password <password>
6. Log out "macadmin" and log back in as the mobile user.
7. Log out the mobile user to trigger FileVault encryption.
8. Log back in as "macadmin" and restart the Centrify agent by running:
#sudo /usr/local/share/centrifydc/bin/centrifydc restart
9. On the Domain Controller, open the Mac computer object’s AD Properties and check the “BitLocker Recovery” tab to see whether the recovery key is shown
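The following script is an added example, not part of the KB or Centrify's own tooling. It checks on the Mac that the conditions step 8 relies on are actually met before adclient is restarted: FileVault reports On, the mobile user (assumed name mobileu1, as in the KB) holds a SecureToken, and a personal recovery key exists to escrow. The parsing functions take the command output as a string so they can be exercised without a Mac; the `fdesetup` and `sysadminctl` invocations only run where those tools exist.

```shell
#!/bin/sh
# Added example (not Centrify's code): verify FileVault/SecureToken state before
# restarting adclient so the recovery key escrow to AD has something to send.

MOBILE_USER="${1:-mobileu1}"   # assumed mobile account name from the KB example
CENTRIFYDC_BIN=/usr/local/share/centrifydc/bin/centrifydc   # path from the KB

# Returns 0 when `fdesetup status` output reports FileVault as On.
filevault_is_on() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when `sysadminctl -secureTokenStatus <user>` output reports ENABLED.
# (sysadminctl writes this line to stderr, so callers must merge the streams.)
securetoken_enabled() {
  case "$1" in
    *"Secure token is ENABLED"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when `fdesetup haspersonalrecoverykey` printed "true".
has_recovery_key() {
  [ "$1" = "true" ]
}

# All three conditions must hold before the agent restart is worth doing.
ready_to_restart() {
  filevault_is_on "$1" && securetoken_enabled "$2" && has_recovery_key "$3"
}

main() {
  fv_out=$(fdesetup status 2>&1)
  st_out=$(sysadminctl -secureTokenStatus "$MOBILE_USER" 2>&1)
  prk_out=$(fdesetup haspersonalrecoverykey 2>&1)
  if ready_to_restart "$fv_out" "$st_out" "$prk_out"; then
    echo "FileVault on, SecureToken enabled for $MOBILE_USER, recovery key present: restarting adclient"
    sudo "$CENTRIFYDC_BIN" restart
  else
    echo "Not ready to restart adclient:" >&2
    echo "  fdesetup status: $fv_out" >&2
    echo "  secureTokenStatus: $st_out" >&2
    echo "  haspersonalrecoverykey: $prk_out" >&2
    exit 1
  fi
}

# Only run the live checks on a Mac that has fdesetup; elsewhere just define the functions.
if command -v fdesetup >/dev/null 2>&1; then
  main
fi
```

Run it as `sudo sh fv_check.sh mobileu1` after step 7; if it reports "Not ready", fix the missing condition (re-run the sysadminctl command from step 5, or log the mobile user out again so encryption starts) before restarting the agent, then continue with step 9 on the Domain Controller.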