
KB-10410: Recovery key not sent back to Active Directory for OS X 10.13.x and Centrify 5.5.x after enabling FileVault

Centrify Identity Service, Mac Edition

1 June,18 at 07:20 AM

Applies to: Centrify Identity Service, Mac Edition version 5.5.0 or above

Problem:
 
After following the steps described in the KB article below for enabling FileVault2 on 10.13.x:
 
KB-10010: FileVault2 fails to initiate for macOS 10.13.x High Sierra systems using Centrify Group Policy and/or cannot add a mobile account as a FileVault unlocker account
 
the recovery key does not appear to be sent back to Active Directory.
 
Cause:
 
Enabling FileVault2 on High Sierra behaves differently because of SecureToken: enabling FileVault no longer triggers a restart of the Mac, while the recovery key transfer is triggered during the startup of adclient. As a result, the recovery key is not sent back to Active Directory as expected.
 
Resolution:
 
One more step is needed after enabling FileVault. The following is an example of how FileVault should be enabled on 10.13.x with Centrify agent version 5.5.0 or above.
 
1. On the Domain Controller, open Server Manager, go to Features, choose “Add Features” and add the following feature:
 - Remote Server Administration Tools
 - Feature Administration Tools
 - BitLocker Drive Encryption Administration Utilities

 
2. On the Mac, install Centrify agent version 5.5.0 or above and join the domain via Centrify
 
3. Set the “Managed By” user (for example, mobileu1) in ADUC for the joined Mac computer object in Active Directory
 
4. Log in to the Mac as “mobileu1” to trigger the creation of the mobile account
 
5. Log back in as “macadmin” and run:
#sudo sysadminctl -adminUser macadmin -adminPassword <password> -secureTokenOn mobileu1 -password <password>
 
6. Log out “macadmin” and log back in as the mobile user.

7. Log out the mobile user to trigger FileVault encryption.

8. Log back in as “macadmin” and restart the Centrify agent by running:
#sudo /usr/local/share/centrifydc/bin/centrifydc restart

9. In Active Directory, open the Mac computer object’s properties in ADUC and check the “BitLocker Recovery” tab to see whether the recovery key is shown.
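The agent restart in step 8 only helps if the two earlier steps actually took effect: the mobile user must hold a SecureToken (step 5) and FileVault must already be on (step 7). The POSIX shell script below is an added example, not Centrify's own tooling, that checks both conditions and restarts the agent only when they hold. The output strings it parses ("FileVault is On." from `fdesetup status` and "Secure token is ENABLED for user <name>" from `sysadminctl -secureTokenStatus`) are assumptions about those macOS tools, the user name `mobileu1` is taken from the article, and the sample outputs used for the offline dry run are constructed.

```shell
#!/bin/sh
# Added example for KB-10410, not Centrify's own code.
# Verifies the preconditions of the procedure above before restarting adclient,
# so that the recovery key escrow that runs at agent startup has a key to send.
#
# Assumptions (not stated in the KB): `fdesetup status` prints "FileVault is On."
# or "FileVault is Off.", and `sysadminctl -secureTokenStatus <user>` prints a
# line ending in "Secure token is ENABLED for user <user>" (or DISABLED).

CENTRIFYDC=/usr/local/share/centrifydc/bin/centrifydc   # path from the KB

# filevault_is_on OUTPUT: succeed if the `fdesetup status` output reports FileVault on.
filevault_is_on() {
  printf '%s\n' "$1" | grep -q 'FileVault is On'
}

# secure_token_enabled USER OUTPUT: succeed if the sysadminctl output reports an
# ENABLED token for exactly USER (so mobileu1 does not match mobileu10).
secure_token_enabled() {
  printf '%s\n' "$2" | grep -Eq "Secure token is ENABLED for user $1([^A-Za-z0-9_.-]|\$)"
}

# escrow_ready USER FV_OUTPUT ST_OUTPUT: return 0 when both preconditions hold;
# otherwise report which step is still missing on stderr and return 1.
escrow_ready() {
  user=$1; fv_out=$2; st_out=$3
  ok=0
  if ! filevault_is_on "$fv_out"; then
    echo "FileVault is not on yet (step 7 not completed?)" >&2; ok=1
  fi
  if ! secure_token_enabled "$user" "$st_out"; then
    echo "$user has no SecureToken (step 5 not completed?)" >&2; ok=1
  fi
  return $ok
}

# restart_agent_if_ready USER: query the live tools and restart adclient only when
# the checks pass. Needs root and a Mac with the Centrify agent installed.
restart_agent_if_ready() {
  user=${1:-mobileu1}
  fv_out=$(fdesetup status 2>&1)
  st_out=$(sysadminctl -secureTokenStatus "$user" 2>&1)
  escrow_ready "$user" "$fv_out" "$st_out" || return 1
  "$CENTRIFYDC" restart
}

# Constructed sample outputs for an offline dry run (not captured from a real Mac).
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'
SAMPLE_ST_ON='2018-06-01 07:20:00.000 sysadminctl[402:9117] Secure token is ENABLED for user mobileu1'
SAMPLE_ST_OFF='2018-06-01 07:20:00.000 sysadminctl[402:9117] Secure token is DISABLED for user mobileu1'

# dry_run: exercise the checks against the constructed samples without touching the system.
dry_run() {
  if escrow_ready mobileu1 "$SAMPLE_FV_ON" "$SAMPLE_ST_ON" 2>/dev/null; then
    echo "sample 1: READY"
  else
    echo "sample 1: NOT READY"
  fi
  if escrow_ready mobileu1 "$SAMPLE_FV_OFF" "$SAMPLE_ST_OFF" 2>/dev/null; then
    echo "sample 2: READY"
  else
    echo "sample 2: NOT READY"
  fi
}

# `sh check_escrow.sh --run mobileu1` does the live check and restart on a Mac;
# with no arguments the script only runs the offline dry run.
if [ "${1:-}" = "--run" ]; then
  restart_agent_if_ready "${2:-mobileu1}"
else
  dry_run
fi
```

The live path (`--run`) runs the same `centrifydc restart` as step 8, so the script is a guard in front of that step rather than a replacement for it; if either check fails, the stderr message names the step to go back to.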

 
