
Can a non-admin user be added to APFS FileVault?

macOS 10.14.6. System is joined to Active Directory. I cannot get a non-admin user added to the FileVault unlock screen. diskutil apfs UpdatePreboot / produces the following error for the user:


UpdatePreboot: Considering APFS Crypto User XXX
UpdatePreboot: Defaulting and requiring that this be an Open Directory User
UpdatePreboot: Treating this APFS Crypto User to be, and requiring to match, an Open Directory User
UpdatePreboot: Correlated APFS Volume Crypto User with Open Directory User XXX aka "USERNAME"
UpdatePreboot: Error for this processed user was -69567

Admin Active Directory users are added. Both types have SecureTokens assigned to them. We would really prefer our users login without admin accounts.

Mac mini 2018 or later

Posted on Sep 13, 2019 3:08 PM

Question marked as Best reply

Posted on Sep 19, 2019 10:01 AM

Looks like a couple of things may not have been done properly when this account was created. I managed to resolve it by adding a "Full Name" to the account (which was missing), then manually removing and re-adding the user to FileVault with fdesetup.
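The fix described in the accepted answer (check the account's Full Name, then remove and re-add the user with fdesetup and rebuild the preboot volume) as an added shell example; this is not code from the thread. Account names and the FV_* environment variables are placeholders. fdesetup, dscl, sysadminctl and diskutil only exist on macOS and need root, so the apply step is gated behind FV_APPLY=1; the plist builder and list parser run anywhere.

```shell
#!/bin/sh
# Added example: re-enrol a non-admin (mobile) account in FileVault 2 on macOS.
# Not from the original thread; user names and FV_* variables are placeholders.
set -eu

# fdesetup reads the plist as XML, so a password containing & < > must be
# escaped or fdesetup will reject the input (or worse, silently mis-parse it).
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Build the property list that `fdesetup add -inputplist` expects:
# an already FileVault-enabled user authorises, and AdditionalUsers lists the
# account to add. Feeding this on stdin keeps both passwords out of `ps` and
# shell history, unlike passing them as command-line arguments.
# $1 = authorising user, $2 = its password, $3 = user to add, $4 = its password
build_fdesetup_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$(xml_escape "$1")</string>
    <key>Password</key><string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key><string>$(xml_escape "$3")</string>
            <key>Password</key><string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# `fdesetup list` prints one "shortname,GeneratedUID" line per enabled user.
# Return 0 if user $2 appears in the list text passed as $1.
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# The full procedure from the answer. $1 = authorising admin, $2 = standard user.
# FV_AUTH_PW and FV_NEW_PW must be exported by the caller.
reenrol_user() {
    # 1. The answer's root cause: a mobile account with no Full Name (RealName)
    #    does not correlate with a preboot crypto user. Confirm it is set.
    dscl . -read "/Users/$2" RealName
    # 2. Both accounts need a SecureToken, or fdesetup cannot add the user.
    sysadminctl -secureTokenStatus "$1"
    sysadminctl -secureTokenStatus "$2"
    # 3. Remove any stale enrolment (harmless if the user was never enabled),
    #    then re-add via plist on stdin.
    fdesetup remove -user "$2" || true
    build_fdesetup_plist "$1" "$FV_AUTH_PW" "$2" "$FV_NEW_PW" | fdesetup add -inputplist
    # 4. Rebuild the preboot volume and confirm the user is now listed.
    diskutil apfs updatePreboot /
    fv_user_enabled "$(fdesetup list)" "$2"
    # 5. Confirm the fix did not require promoting the account to admin.
    if dseditgroup -o checkmember -m "$2" admin >/dev/null 2>&1; then
        echo "warning: $2 is a member of the admin group" >&2
    fi
}

if [ "${FV_APPLY:-0}" = 1 ]; then
    : "${FV_AUTH_PW:?export the authorising user's password}"
    : "${FV_NEW_PW:?export the new user's password}"
    reenrol_user "${FV_ADMIN:-adminuser}" "${FV_USER:-standarduser}"
fi
```

Run it as root with FV_APPLY=1 FV_ADMIN=... FV_USER=... and the two passwords exported in the environment. Prefer the stdin plist over `fdesetup add -usertoadd` in scripts: the interactive form prompts, and putting passwords on the command line exposes them to every local process.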


6 replies

Sep 19, 2019 9:14 AM in response to Orion Poplawski

Thanks for confirming it is a mobile account.


For your information, it has historically been possible to convert a standard mobile account into a mobile account with local admin privileges. This may or may not be acceptable to your IT department, but to do this you do the following.


  1. Ensure the mobile account has been created (which you have); at this point it will normally be a normal user-level account
  2. Login as a local admin account
  3. Using the local admin account go to System Preferences -> Users & Groups
  4. Modify the mobile account to give it local admin privileges


It will still be a mobile account and will still sync its credentials to the directory server. In theory this should not be necessary, and I can certainly confirm local non-admin accounts can be used with FileVault 2.

Sep 19, 2019 3:50 AM in response to Orion Poplawski

I cannot tell from your post if this will apply, but it is worth checking.


Only users that have an account on the Mac can be added to the list. This is because at the point you see the FileVault 2 login window the computer is not actually running the full macOS operating system; it is running a stripped-down 'preboot' environment. This means that not only does it not know how to connect to your directory server (i.e. Active Directory), it is not even connected to your network.


What you can do is use a 'mobile account', which is a local account automatically created and synced to an Active Directory account. Otherwise you have to use a locally created user account.


It should be noted that quite some time ago Apple officially discontinued support for 'portable home directory' user accounts, has made network login accounts effectively unusable due to numerous issues, and even mobile accounts are becoming more and more of a problem. A solution that gives you most of the benefits of mobile accounts with relatively none of the pain is to use NoMAD to 'sync' a local account to Active Directory. See - https://nomad.menu/
