Filevault 2 enabled on users without secure token

jclark27
New Contributor III

Hey there all!

Apologies for another topic about secure tokens. I really didn't see many comments about the situation I am currently in.

From the multiple articles I have read about secure tokens, including comments from this derflounder post, it appears that if no users have any enabled security token, you will be unable to enforce FV2. I have of course run:

sudo sysadminctl interactive -secureTokenStatus username

on every account and it seems to be "disabled". I tried to remove the Apple setup file in order to create a user from the GUI, but even then it will show that newly created user also as "disabled". At this point I am assuming I will need to erase the machine and set up the device with a proper user account. But I am wondering if this is still true? I only ask because I took one of the machines and noticed I had the ability to go into the GUI and manually enable FileVault 2 in the Security preferences. I then selected the account I want to enable it for, had them enter their password, and it immediately started encrypting. So it sorta appears that even though these local users were disabled for secure tokens, it still allowed me to enable them for FV via the macOS Security preferences.

Is this odd behavior, or has anyone else seen this? And potentially will this cause us major problems if we went ahead and did this? I would imagine if the GUI lets you turn it on and select the desired user, we are good to go, at least for the short term of getting it enabled for the handful of computers we need it for.

Thanks for your time
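To check every local account at once rather than one at a time, here is an added audit script (not from the thread or from any of the posters) that parses the ENABLED/DISABLED line that sysadminctl prints, lists local accounts with UID 500 and up via dscl, and marks which of them fdesetup reports as FileVault-enabled; it assumes usernames contain no whitespace and that it runs as root on macOS.

```shell
#!/bin/sh
# Added example: audit secure-token status for all local macOS accounts
# and compare it with the users fdesetup lists as able to unlock FileVault.

# Reduce one sysadminctl -secureTokenStatus result to ENABLED/DISABLED/UNKNOWN.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Query macOS for one account; sysadminctl writes its verdict to stderr.
token_status_for() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Print one line per local account (UID >= 500): token state and FV membership.
audit_secure_tokens() {
  # fdesetup list prints "username,UUID" per enabled user (needs root).
  fv_users=$(fdesetup list 2>/dev/null | cut -d, -f1 | tr '\n' ' ')
  for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    case " $fv_users " in            # assumption: usernames have no whitespace
      *" $u "*) fv=yes ;;
      *)        fv=no ;;
    esac
    printf '%-20s token=%-8s filevault=%s\n' "$u" "$(token_status_for "$u")" "$fv"
  done
}

# Only run the live audit on macOS; the parser above works anywhere.
if [ "$(uname)" = Darwin ]; then
  audit_secure_tokens
fi
```

An account that shows token=DISABLED but filevault=yes is exactly the combination the thread describes, and is worth re-checking after the post-enable restart hkabik mentions.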

3 REPLIES

hkabik
Valued Contributor

Security Tokens won't typically show as enabled until FV2 has been enabled for the user, even if the user is viable for a token (first user created, etc.)

Enable FV2, restart, then check again for the token.

sshort
Valued Contributor

@jclark27 I only work with APFS-formatted machines, but I have heard from others that if you're still on HFS+ then the behavior you saw is true. I've been fortunate to not encounter an already-deployed machine not able to enable FV because of the lack of a token, but in various deployment tests I've definitely seen a situation where every account was marked DISABLED on APFS and I was unable to enable FileVault for anyone until I wiped the machine.

If only Apple provided some documentation...

jclark27
New Contributor III

right @sshort ?? ahah...ahh well....

Thanks so much for the responses, guys, much much obliged. I guess so far, if I have the ability to actually enable it, I'll just go ahead and do it. Seems to be working so far. It only appears to be a problem on a handful of machines anyhow. And thanks @hkabik ... I did not realize this.

Best