Unable to enable FileVault, no user has a secure token

Running a MacBook Pro (15-inch, 2017) on High Sierra 10.13.6 (17G65) and I'm trying to enable FileVault but nothing happens when I press the 'Turn on FileVault...' No pop-up, the button just goes from blue to grey.


When examining this further no user on my MBP has secure token enabled, not even the first admin user that was created at start:

$ sysadminctl -secureTokenStatus admin

2018-08-29 14:20:10.297 sysadminctl[2364:532265] Secure token is DISABLED for user Admin


Hence when trying to activate secure token on my AD-connected user, I get the following error:

$ sudo sysadminctl -adminUser admin -adminPassword xxxxxxx -secureTokenOn jangu -password xxxxx

2018-08-29 14:11:46.457 sysadminctl[2313:508279] ### Error:-14090 File:/BuildRoot/Library/Caches/com.apple.xbs/Sources/Admin_sysadminctl/Admin-67 9/addremoveuser/main.m Line:366

2018-08-29 14:11:46.457 sysadminctl[2313:508279] Operation is not permitted without secure token unlock.


It's like the chicken and egg problem.


Is the only way to solve this a complete re-installation? Can I in that case use Time Machine to copy my account and all files/settings to at least save some time? I really need to be able to enable FileVault.


BR,


/Janne

MacBook Pro (15-inch, 2017), macOS High Sierra (10.13.6)

Posted on Aug 29, 2018 5:30 AM


Oct 15, 2018 12:07 AM in response to jannegpriv

I had the same problem with a user migrated with Migration Assistant and whose password was automatically reset, after then tried to be changed with passwd. Finally I logged in as an admin user, mv /Users/od-user to /Users/od-user-bak, went to System Preferences > User > Deleted the OD user, mv /Users/od-user back and logged in again as the OD user. I was prompted with a window giving me the option to enter admin credentials to create a secret token for this OD account. I then made a mobile account and was able to activate FileVault2.

Aug 29, 2018 11:15 PM in response to leroydouglas

$ diskutil list

/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         251.0 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         250.7 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +250.7 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            109.2 GB   disk1s1
   2:                APFS Volume Preboot                 22.0 MB    disk1s2
   3:                APFS Volume Recovery                519.0 MB   disk1s3
   4:                APFS Volume VM                      2.1 GB     disk1s4

Aug 31, 2018 7:28 AM in response to jannegpriv

jannegpriv wrote:


Any more hints or tips on how to proceed investigating this?


AD= Active Directory


diskutil apfs listUsers /


Interesting post:

(including the trailing comments)

Secure Token and FileVault on Apple File System | Der Flounder


bassam on Twitter: "yes. "sudo fdsetup status" says its on.… "






Directory Utility: Active Directory integration

Aug 31, 2018 7:33 AM in response to Manolis_from_Prague

Sorry, AD = Active Directory connected user.


Via System Preferences/Users & Groups pressing 'Join' on the Network Account Server and adding info on your desired AD host.


Then logging in with the newly created domain user and via System Preferences/Users & Groups mark the user and click “Allow user to administer this computer” then click “Create” on Mobile account.

After that answer OK and Create on next question regarding Home folder and sync, then login/logout domain user again.


BR,


/Janne

Aug 31, 2018 7:48 AM in response to leroydouglas

$ fdesetup status

FileVault is Off.


$ diskutil apfs listUsers /

Cryptographic user for disk1s1 (1 found)

|

+-- 3123197B-F635-4B4A-909D-40FACC1EAFB3

Type: Local Open Directory User

Does this say anything to you?

Interesting to read that he got problems using Migration Assistant, which I also had when trying to auto-migrate data from my old MBP. The migration never succeeded, tested twice as I can recall, but got some error that I don't remember. I ended up using scp to copy all needed files and applications.

Also interesting to read that manually changing password for a user using passwd in terminal, can lead to that the secure token for that user is disabled.

BR,

/Janne
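
The question of which account the UUID from `diskutil apfs listUsers /` belongs to can be answered by matching it against each account's GeneratedUID. The script below is an added example, not something posted by anyone in this thread; it assumes the listed UUID equals the GeneratedUID reported by `dscl`, and the account names, the second UUID and the name-to-UUID mapping are constructed.

```shell
#!/bin/sh
# Added example: map APFS cryptographic users to local account names.

# Constructed sample in the shape of `diskutil apfs listUsers /` output.
# The first UUID is the one quoted in the thread; the second entry is constructed.
sample_listusers() {
cat <<'EOF'
Cryptographic users for disk1s1 (2 found)
|
+-- 3123197B-F635-4B4A-909D-40FACC1EAFB3
|   Type: Local Open Directory User
|
+-- 00000000-0000-0000-0000-00000000AAAA
    Type: Personal Recovery User
EOF
}

# Constructed sample in the shape of `dscl . -list /Users GeneratedUID` output.
# Account names and the name-to-UUID mapping are hypothetical.
sample_dscl() {
cat <<'EOF'
localadmin   3123197B-F635-4B4A-909D-40FACC1EAFB3
mobileuser   00000000-0000-0000-0000-00000000BBBB
EOF
}

# stdin: listUsers output. stdout: UUIDs whose Type is a local account.
crypto_user_uuids() {
  awk '
    /^[+]-- /                                       { uuid = $2; next }
    /Type: Local Open Directory User/ && uuid != "" { print uuid; uuid = "" }
  '
}

# $1: UUIDs (whitespace separated), $2: dscl listing. stdout: matching account names.
accounts_for_uuids() {
  for uuid in $1; do
    printf '%s\n' "$2" |
      awk -v want="$uuid" 'toupper($2) == toupper(want) { print $1 }'
  done
}

holders=$(accounts_for_uuids "$(sample_listusers | crypto_user_uuids)" "$(sample_dscl)")
echo "Accounts listed as cryptographic users: ${holders:-none}"
```

On a Mac, feed the functions the live output of `diskutil apfs listUsers /` and `dscl . -list /Users GeneratedUID` instead of the samples. An empty result means no local account matches any listed cryptographic user.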
