As of macOS High Sierra, users on an APFS volume are required to have a SecureToken in order to enable and disable FileVault encryption or unlock an encrypted disk. This EA is designed to reliably identify and report all users on macOS 10.13 and above that have a SecureToken. This is done using the diskutil binary rather than with the sysadminctl binary, as this has been known to report falsely in certain situations. The device must be running at least macOS 10.13.0 and the boot volume being APFS. If these criteria are not satisfied the EA will finish and report that the device was ineligible.