macOS High Sierra: Mobile (AD) accounts unable to unlock FV Encrypted Disk

Posted on by

I set up two MacBook Pro w/Touchbar for two of my users.  Both computers came pre-installed with macOS High Sierra 10.13.1. I upgraded both to 10.13.2. Installed Munki, let Munki install required software, and then bound the computers to our Active Directory domain.

Next, I encrypted both computers with FileVault. Once the computers finished encrypting it was time to hand them off to the users. I had the users log on to the machine. Since I had already encrypted the computers I went to system preferences, FileVault, and clicked on Enable Users. Had users enter password and got the green check confirming that the user account was enabled. Rebooted Machine.

Upon reboot, I noticed that the Users account did not show up as an account that could unlock the encryption. Only my local admin account appeared. Because I didn’t have much time and these users needed their computer, I used the fdesetup command to add their user account to be able to unlock encrypted disk. On both computers this method worked. After I ran the command and had the user enter their password they were now able to unlock the filevault encryption.

I decided to research if anyone else had experienced this problem. The #security channel in the MacAdmins Slack had ongoing conversations about this issue. It seems that the security token is not being passed to the mobile account, which prevents that account from showing up as able to unlock the FV disk.

What worked for me on both of these computers was to add the user using the command line utility FDESetup.

Run the following command:

sudo fdesetup add -usertoadd username

It will prompt for the AD user password. Once they enter their password they should be able to unlock Filevault enabled disk.

Another suggestion I have seen, but have not tested is to run the following command from the local account once you have added your AD user account to FileVault.

sudo diskutil apfs updatePreboot /

Hopefully Apple will fix this issue soon. Until then, at least you can enable the account via command line if the GUI way does not work.

2 thoughts on “macOS High Sierra: Mobile (AD) accounts unable to unlock FV Encrypted Disk

Leave a comment