Objective
When a macOS device is bound to Active Directory (AD), the password held in a user's FileVault/Secure Token record can fall out of sync with the user's current AD password. This typically happens when the AD password was changed somewhere other than on that Mac (for example a directory-side reset or a change made from another computer), so the FileVault record still holds the previous password. The symptoms are:
- The user is prompted for credentials twice on a cold boot with FileVault enabled: first at the FileVault pre-boot screen, which only accepts the old AD password, and then at the login window, which only accepts the current one.
- A user whose account reports having a Secure Token is unable to enable FileVault encryption on the Mac.
- A user whose account reports having a Secure Token on an Apple Silicon Mac is unable to authenticate the password prompt when starting a macOS update.
Users
Before You Begin
- Confirm the user has a Secure Token on the device (for example with sudo sysadminctl -secureTokenStatus USERNAME).
- Confirm the account is an AD (mobile) account. If it is a local account, you are probably dealing with a different issue.
- Verify that the user has a current backup of their data. Modifying account authentication settings can result in unexpected loss of access to the account and, with FileVault, to the data on the volume.
Steps
To bring the FileVault/Secure Token credential and the AD credential back into sync:
- Find the "Device" identifier of the volume that holds the FileVault users in Disk Utility. In this example it is the "APFS System Volume", which sits next to the "Data" volume in the Macintosh HD volume group, and its identifier is "disk3s1". Confirm the choice before changing anything: diskutil apfs listCryptoUsers disk3s1 must list the user's UUID from the next step. If it does not, use the other volume of the same volume group that does list it.
- List the FileVault-enabled users and find the affected one: sudo fdesetup list | grep USERNAME. Replace USERNAME with the account name of the user who is out of sync; do not type a literal $USER, because the shell expands that to the currently logged-in user. Note that grep matches substrings, so "jsmith" also matches "jsmith2"; pick the line whose first field is exactly the account name.
- It will return a line of the form: USER,27E97FDA-252E-1D28-97E2-E11278DB2D21
- Put the device identifier and the UUID into the command: diskutil apfs changePassphrase disk3s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
- You will be prompted first for the old passphrase (the previous AD password that FileVault still holds) and then for the new one (the user's current AD password). The old passphrase is required; if nobody knows it, this command cannot be used and the user's FileVault access has to be restored another way.
If everything works, the user can once again enable FileVault encryption on the device with this account and can grant a Secure Token to other users. This also resolves the double login at cold boot on devices whose FileVault and AD passwords were out of sync.
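The steps above, gathered into one script. This is an added example and is not part of the original article: it parses the fdesetup list output with an exact username match instead of a plain grep, confirms the UUID is actually a cryptographic user of the chosen volume with diskutil apfs listCryptoUsers, and only then runs diskutil apfs changePassphrase. The function names and the sample tool output embedded at the bottom are constructed for illustration; the volume identifier disk3s1 and the UUID come from the article.

```bash
#!/bin/bash
# Added example, not from the original article: resync a user's FileVault /
# Secure Token passphrase with their current AD password, with the checks
# the article's steps imply. Assumes macOS with fdesetup and diskutil; the
# sample tool output at the bottom is constructed for illustration.

# Return the cryptographic-user UUID for an exact, case-insensitive username
# from `fdesetup list` output (one "username,UUID" line per FileVault user).
# Exact matching avoids the substring pitfall of `grep jsmith`, which would
# also match "jsmith2".
fv_user_uuid() {
    local wanted="$1" listing="$2"
    printf '%s\n' "$listing" \
        | awk -F, -v u="$wanted" 'tolower($1) == tolower(u) { print $2; exit }'
}

# Succeed only if the UUID appears in `diskutil apfs listCryptoUsers <volume>`
# output, i.e. the chosen volume really holds this user's cryptographic record.
uuid_on_volume() {
    local uuid="$1" crypto_users="$2"
    printf '%s\n' "$crypto_users" | grep -qi -- "$uuid"
}

# The full procedure on the affected Mac. changePassphrase prompts for the OLD
# passphrase (the previous AD password FileVault still holds) and then the NEW
# one (the current AD password); it fails if the old passphrase is unknown.
resync_filevault_user() {
    local user="$1" volume="$2" uuid
    uuid="$(fv_user_uuid "$user" "$(sudo fdesetup list)")"
    if [ -z "$uuid" ]; then
        echo "error: $user is not a FileVault-enabled user on this Mac" >&2
        return 1
    fi
    if ! uuid_on_volume "$uuid" "$(diskutil apfs listCryptoUsers "$volume")"; then
        echo "error: $uuid is not a cryptographic user of $volume; check the volume" >&2
        return 1
    fi
    diskutil apfs changePassphrase "$volume" -user "$uuid"
}

# Constructed sample in the shape of `fdesetup list` output. "jsmith2" is listed
# before "jsmith" on purpose: a substring grep would pick the wrong line.
SAMPLE_FDESETUP="$(printf '%s\n' \
    'admin,5B1D7A2C-0E31-4F0A-9C8D-2A6E4F3B1C01' \
    'jsmith2,C0FFEE12-3456-4789-ABCD-EF0123456789' \
    'jsmith,27E97FDA-252E-1D28-97E2-E11278DB2D21')"

# Constructed sample in the shape of `diskutil apfs listCryptoUsers disk3s1`.
SAMPLE_CRYPTO_USERS="$(printf '%s\n' \
    'Cryptographic users for disk3s1 (2 found)' \
    '|' \
    '+-- 27E97FDA-252E-1D28-97E2-E11278DB2D21' \
    '|   Type: Local Open Directory User' \
    '|' \
    '+-- EBC6C064-0000-11AA-AA11-00306543ECAC' \
    '    Type: Personal Recovery User')"

# Dry run against the samples. On a real Mac, run e.g.:
#   resync_filevault_user jsmith disk3s1
demo_uuid="$(fv_user_uuid jsmith "$SAMPLE_FDESETUP")"
echo "jsmith -> $demo_uuid"
if uuid_on_volume "$demo_uuid" "$SAMPLE_CRYPTO_USERS"; then
    echo "disk3s1 holds this user; would run: diskutil apfs changePassphrase disk3s1 -user $demo_uuid"
fi
```

Run resync_filevault_user with the account name and the volume identifier from Disk Utility; the script refuses to proceed when the name is not a FileVault user or when the UUID is not on the named volume, which are the two ways the manual steps most often go wrong.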