Mojave FileVault/AD pw mismatch fix

sshort
Valued Contributor

I've seen a couple of threads on this issue, but I thought I'd share a script that I use in Self Service in case anyone has a need. There are interactive osascript prompts to revoke and reassign the secure token, and it then updates the preboot volume to resolve the issue. No need for fdesetup.

If you have a mobile AD user on Mojave and the password is reset off-device (in AD, Okta, or on a Windows PC), the new network password never syncs with FileVault, and the login window password will sometimes revert to the "old" password if the user is off-network.

I'm also using LAPS at my org, so this script pulls the current LAPS password from an extended attribute for use with sysadminctl, but you can easily take that variable out if needed.


boberito
Valued Contributor

I didn't know that

dscl /Local/Default -authonly $currentUser $userNetworkPass

was a way to verify the user's password. I like that!
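The flow sshort describes above (verify the user's password, re-issue the secure token with a local admin, update preboot), with the `dscl -authonly` check boberito points out, as an added shell example. This is not sshort's Self Service script, which is not reproduced in the thread. It assumes the local admin's name and password arrive in the environment variables ADMIN_USER and ADMIN_PASS (sshort reads the LAPS password from an extended attribute; that lookup is not shown here) and the user's current network password in USER_PASS (a Self Service wrapper would prompt for it). The macOS commands only run on macOS; the status parser works on plain text so it can be exercised anywhere.

```shell
#!/bin/bash
# Added example: re-issue the console user's secure token and refresh preboot.
# Assumed inputs (not part of the original post): ADMIN_USER, ADMIN_PASS, USER_PASS.

# Interpret the line `sysadminctl -secureTokenStatus <user>` writes to stderr,
# e.g. "... sysadminctl[512:9000] Secure token is ENABLED for user bob".
# Returns 0 = enabled, 1 = disabled, 2 = text not recognised.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  return 0 ;;
    *"Secure token is DISABLED"*) return 1 ;;
    *)                            return 2 ;;
  esac
}

secure_token_enabled() {   # $1 = account name
  token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Verify a password against the local directory node only; no network
# round trip, so it behaves the same on and off the corporate network.
password_ok() {            # $1 = account, $2 = password
  dscl /Local/Default -authonly "$1" "$2" >/dev/null 2>&1
}

# Revoke and grant the token again, then rewrite the preboot volume so the
# FileVault login screen picks up the current credentials.
reissue_token() {          # $1 = user, $2 = user pw, $3 = admin, $4 = admin pw
  sysadminctl -adminUser "$3" -adminPassword "$4" -secureTokenOff "$1" -password "$2" || return 1
  sysadminctl -adminUser "$3" -adminPassword "$4" -secureTokenOn  "$1" -password "$2" || return 1
  diskutil apfs updatePreboot /
}

main() {
  user=$(stat -f '%Su' /dev/console)
  if ! password_ok "$user" "$USER_PASS"; then
    echo "password for $user does not verify against the local node" >&2
    return 1
  fi
  # The granting admin must itself hold a secure token (sshort's first check).
  if ! secure_token_enabled "$ADMIN_USER"; then
    echo "$ADMIN_USER does not report an enabled secure token; it cannot grant one" >&2
    return 1
  fi
  reissue_token "$user" "$USER_PASS" "$ADMIN_USER" "$ADMIN_PASS" || return 1
  secure_token_enabled "$user"
}

# Only run the real commands on a Mac with the assumed inputs present.
if [ "$(uname -s)" = "Darwin" ] && [ -n "${ADMIN_USER:-}" ]; then
  main
fi
```

Both sysadminctl calls take the admin and user passwords as arguments, so they are briefly visible in the process list; that is the trade-off of running this unattended from Self Service rather than interactively.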

jwojda
Valued Contributor II

thanks, I was hoping they would have resolved this in the 10.14.3 release but haven't had an opportunity to check.

jubei
New Contributor II

This is the first I've heard of this FileVault password sync bug. Does the same thing happen with NoMAD? I have the NoMAD setting turned on in my org to update passwords via NoMAD if they change elsewhere.

boberito
Valued Contributor

@jwojda supposedly 10.14.4 fixes it. I've yet to test it. Just heard rumblings.

Dylan_YYC
Contributor III

Hey, thank you for making this! I'm having an issue though: I managed to get it to run on a user's computer and it completed without errors, however it didn't fix the issue! The user can still use their old AD password and new AD password to log into the machine. Is there any way of troubleshooting this?
Thanks!

sshort
Valued Contributor

@Dylan_YYC I would check that the local admin account being used to reissue secureToken has secureToken itself.

sysadminctl -secureTokenStatus $localUserHere

Aside from that, I did encounter a user who let their AD password expire, and this script alone did not resolve the issue. I had to use diskutil apfs list to find the UUID and disk identifier. Then use that info to populate the command below. When I get some time I will incorporate that into the existing script so it's more automated and not so manual.

diskutil apfs changePassphrase $diskIdentifier -user $UUID
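The manual lookup sshort describes above (reading the volume identifier and the user's UUID out of `diskutil apfs list`, then feeding them to `changePassphrase`), automated as an added shell example. This is neither sshort's nor koalatee's script. It takes the volume from `diskutil info /`, the UUID from the account's GeneratedUID, and confirms via `diskutil apfs listCryptoUsers` that the UUID is actually listed as a Local Open Directory User on that volume before attempting the change; a user who is not a crypto user at all needs to be added to FileVault, not re-keyed. It assumes the old and new passphrases arrive in OLD_PASS and NEW_PASS (a Self Service wrapper would prompt for them). The two parsers take command output as text, so they can be checked on sample output without a Mac.

```shell
#!/bin/bash
# Added example: derive volume and crypto-user UUID, check, then changePassphrase.
# Assumed inputs (not part of the original post): OLD_PASS, NEW_PASS.

# Pull "Device Identifier:  disk1s1" out of `diskutil info <mountpoint>`.
device_id() {             # $1 = diskutil info output
  printf '%s\n' "$1" | awk -F: '/^ *Device Identifier:/ { gsub(/ /, "", $2); print $2; exit }'
}

# Walk `diskutil apfs listCryptoUsers <vol>` output. Entries look like
#   +-- <UUID>
#   |   Type: Local Open Directory User
# Returns 0 only if the wanted UUID is listed with that type (an account
# that unlocks the volume with its password, not a recovery user).
is_od_crypto_user() {     # $1 = listing text, $2 = GeneratedUID
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "+--"                                             { uuid = $2 }
    /Type:/ && uuid == want && /Local Open Directory User/  { found = 1 }
    END { exit found ? 0 : 1 }'
}

change_fv_passphrase() {  # $1 = volume, $2 = uuid, $3 = old pw, $4 = new pw
  # Passphrases are passed as arguments and are visible in `ps` while the
  # command runs; keep this line out of any log output.
  diskutil apfs changePassphrase "$1" -user "$2" -oldPassphrase "$3" -newPassphrase "$4"
}

main() {
  user=$(stat -f '%Su' /dev/console)
  uuid=$(dscl . -read "/Users/$user" GeneratedUID | awk '{print $2}')
  vol=$(device_id "$(diskutil info /)")
  if ! is_od_crypto_user "$(diskutil apfs listCryptoUsers "$vol")" "$uuid"; then
    echo "$user ($uuid) is not a FileVault user on $vol; enable FileVault for the user first" >&2
    return 1
  fi
  change_fv_passphrase "$vol" "$uuid" "$OLD_PASS" "$NEW_PASS"
}

# Only run the real commands on a Mac with the assumed inputs present.
if [ "$(uname -s)" = "Darwin" ] && [ -n "${NEW_PASS:-}" ]; then
  main
fi
```

On Mojave, the thread's target, / is the single APFS volume the user unlocks. On Catalina and later / is the read-only system volume of a volume group, so check which volume of the group `listCryptoUsers` reports the user on before re-using this as is.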

rdubois
New Contributor II

10.14.4 does not fix this issue

UPDATE: After updating to 10.14.4 - attempt to login with mobile/AD account get "account locked" message.

Enter FileVault key on lock screen, at which point you will be prompted for AD password again. Logged in and issue seems to be resolved after several shutdown/restart attempts as well as making sure device is completely off network.

jwojda
Valued Contributor II

It seemed to mess up keychains and reverted my machine login (which was correct) to my FileVault (incorrect) password, stopped my Apple Watch from working, and when I tried to enable it, it said my machine password and my login keychain password were not synced (the login keychain was unlocked).

Edit: Update - Once I got into the office this morning and plugged into the LAN, the machine synced up the passwords correctly, though I haven't done a password change since installing to verify it's fixed ongoing.

koalatee
Contributor II

I also wrote this script to help update FileVault passwords (a wrapper for diskutil apfs changePassphrase; the current user enters the old password and then the new password, and the new password is checked for accuracy).

https://github.com/koalatee/scripts/blob/master/macOS/changeAPFSPassphrase.sh

ajb_
New Contributor II

@jubei I am using NoMAD and am finding this password sync issue with all my Mojave Macs :(

jubei
New Contributor II

So here is what I found:

If a user changes their password via NoMAD, the FV2 password gets updated.
If a user changes their password elsewhere, even if NoMAD detects and updates the password, the FV2 password does not get updated.

I put Koalatee's script in Self Service and it's updating the passwords as expected. Thank you! Hopefully Apple fixes this.

KSchroeder
Contributor

@jubei be sure to open a ticket with Apple on it, or they won't! :) Share the ticket # here so others can reference it/jump on the bandwagon when they open one.

Since installing 14.4 yesterday, I'm also seeing weirdness...my FV password was (and still is) out of sync with AD/mobile account. Will try above script to remedy that. Other items noticed:
1. Can't use TouchID to unlock. The TouchID preference pane has "Unlocking your Mac" disabled; I can re-check it, enter my password, and it accepts, but re-opening TouchID prefs has it unchecked again, and if I do it too quickly it gives me "Cancelled by another authentication". Seems to be a long-standing issue going back to Sierra at least, with the fix being "delete your keychain". Sigh.
2. Unlocking the system takes a long time (~15 seconds), regardless of whether I'm on the company network (VPN) or fully mobile (I WFH, so I'm rarely on the physical network). Seems like it is trying to reach out to the domain to verify, then giving up?

avogel
New Contributor II

I also had the same problem that the password was not updated automatically in FileVault after it was changed.

For this I wrote a small script for the users. Users can change the password manually in Self Service. Maybe it will help someone.

#!/bin/bash


##########################################################################
# Shellscript       :   Allows you to change the FileVault password
# Autor             :   Andreas Vogel, 31.10.2019
##########################################################################


## variables

# Account at the console and its GeneratedUID; diskutil identifies
# FileVault crypto users by that UUID.
user=$(stat -f '%Su' /dev/console)
UUID=$(dscl . -read "/Users/$user" GeneratedUID | awk '{print $2}')

# APFS volume mounted at / (for example disk1s1); do not hard-code this.
volume=$(diskutil info / | awk -F: '/Device Identifier/ { gsub(/ /, "", $2); print $2; exit }')

# Hidden-input dialog; returns non-zero when the user presses Cancel.
askPassphrase () {
    osascript - 2>/dev/null <<EOF
tell application "SystemUIServer"
    activate
    text returned of (display dialog "$1" default answer "" with hidden answer)
end tell
EOF
}

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"


## Icons
FileVaultIcon="/Library/Application Support/JAMF/SmallFileVaultIcon.png"
ErrorIcon="/Library/Application Support/JAMF/France_road_sign_A14.svg.png"
SuccessfulIcon="/Library/Application Support/JAMF/ok-1976099_640.png"

######################################################################################################################################

## Messages
Message="
This program synchronizes the Windows password and the FileVault password.
Only proceed if the FileVault password does not match the current Windows password."

FailedPwMessage="
The verification of the password failed, please re-enter the new password."

FailedPwMessageAgain="
The input does not match again. The program is ended."

FailedChange="
The password could not be changed. Try again. If the problem persists, contact the Mac_IT."

SuccessfulChange="
Your password has been changed successfully."

######################################################################################################################################

## Ask whether the user really wants to change the password.
## jamfHelper prints the pressed button to stdout: 0 = OK, 2 = Cancel.
HELPER=$("$jamfHelper" -windowType utility -icon "$FileVaultIcon" -title "Change FileVault password" -description "$Message" -button1 "OK" -button2 "Cancel" -cancelButton "2" -defaultButton 2)
echo "Jamf Helper Exit Code: $HELPER"

## If the user agrees, request the old password and the new password.
if [ "$HELPER" = "0" ]
then
    oldPassphrase=$(askPassphrase 'Please enter the old password.') || exit 1
    newPassphrase=$(askPassphrase 'Please enter the current Windows password.') || exit 1
    newPassphrase2=$(askPassphrase 'Please enter the current Windows password again.') || exit 1

    ## The two entries of the new password must match; allow one retry.
    if [ "$newPassphrase" != "$newPassphrase2" ]
    then
        "$jamfHelper" -windowType utility -icon "$ErrorIcon" -title "Wrong Entry" -description "$FailedPwMessage" -button1 "OK" -defaultButton 1 >/dev/null
        echo "The entries did not match"

        newPassphrase=$(askPassphrase 'Please enter the current Windows password.') || exit 1
        newPassphrase2=$(askPassphrase 'Please enter the current Windows password again.') || exit 1
    fi

    ## A second mismatch ends the tool.
    if [ "$newPassphrase" != "$newPassphrase2" ]
    then
        "$jamfHelper" -windowType utility -icon "$ErrorIcon" -title "Renewed wrong entry" -description "$FailedPwMessageAgain" -button1 "OK" -defaultButton 1 >/dev/null
        echo "The entries did not match again."
        exit 1
    fi

    ## Change the passphrase of this user's crypto user on the boot volume.
    ## Both passphrases are passed as arguments, so they are briefly visible
    ## in the process list; do not add them to any log output.
    if diskutil apfs changePassphrase "$volume" -user "$UUID" -oldPassphrase "$oldPassphrase" -newPassphrase "$newPassphrase"
    then
        "$jamfHelper" -windowType utility -icon "$SuccessfulIcon" -title "Successful Change" -description "$SuccessfulChange" -button1 "OK" -defaultButton 1 >/dev/null
        echo "Password has been changed successfully."
    else
        "$jamfHelper" -windowType utility -icon "$ErrorIcon" -title "Error" -description "$FailedChange" -button1 "OK" -defaultButton 1 >/dev/null
        echo "Password could not be changed. Is the old password correct?"
        exit 1
    fi
fi

exit 0

TPG33k
New Contributor II

Thanks @avogel. I've just added this to our Self Service for any FileVault MacBook. We've been trying to find a clean solution to this for months!

mani2care
Contributor

@avogel Nice concept. Please have a look at the case where the user is out of the office and tries changing the domain password, so it also needs a network validation check, for example for VPN or AD. Just changing the password is nice this way, but does this work for a domain user, and what about the FileVault password change?