Secure Token on macOS
Apple File System (APFS) in macOS 10.13 and later changes how FileVault encryption keys are generated. On APFS volumes, the keys are generated either during user creation or during the first interactive login by a user of the Mac. This new handling of the encryption keys — when they are generated and how they are stored — is part of the SecureToken mechanism. Specifically, a SecureToken is a wrapped version of a Key Encryption Key (KEK) protected by a user's password.
Password Changes
Resetting the password of a macOS user who holds a SecureToken breaks the trust of the token, and that user will no longer be able to turn on FileVault.
How do users get SecureToken?
In GoLive > Users, you will see users with and without the SecureToken label, as shown below:
By default, SecureToken is granted only to the user created during the initial setup wizard.
The other mechanisms for creating users with SecureToken are the following:
1. The Add User functionality in Automated Device Enrollment.
2. Using the sysadminctl command to create a new user or to enable SecureToken for an existing user. This must be performed by a user who already has SecureToken; if no user on the Mac has SecureToken, you will not be able to enable it for anyone.
Enabling SecureToken For a User
If a user is found to have SecureToken disabled for their account and you would like to enable it, follow the steps below.
(Please note: this process must be done locally on the device; there is currently no other method to accomplish it.)
1. Log in as a user who has SecureToken enabled for their account.
2. Open Terminal and run the following command:
sysadminctl interactive -secureTokenOn username -password password
Replace username and password with the username and password of the user you wish to enable SecureToken for. To avoid leaving the password in your shell history, you can pass - in place of the password and sysadminctl will prompt for it.
3. Once this command is executed, you will be prompted for the password of the currently logged-in (SecureToken) user to unlock:
4. After entering the password and clicking Unlock, you should receive a confirmation message:
5. Confirm SecureToken for a user in the GoLive > Users tab or from the devices page.
You can also check this by running the following command for the specific user:
sysadminctl -secureTokenStatus username
Once this process is complete, users with SecureToken enabled should be able to enable FileVault.
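Because a password reset breaks a holder's token and a Mac with no holder cannot grant one, it helps to audit which local accounts hold a SecureToken before making changes. The script below is an added example, not Addigy's or Apple's code; it assumes sysadminctl -secureTokenStatus reports on stderr in the form "... sysadminctl[pid:tid] Secure token is ENABLED for user x", lists local accounts with dscl, and treats UID 500 and above as local user accounts.

```sh
#!/bin/sh
# Added example (not Addigy's or Apple's code): audit which local accounts hold a
# SecureToken before touching passwords, since resetting a holder's password breaks
# the token and a Mac with no holder cannot grant one. sysadminctl writes its verdict
# to stderr in the form "... sysadminctl[pid:tid] Secure token is ENABLED for user x".

# Classify one -secureTokenStatus message as ENABLED, DISABLED or UNKNOWN.
classify_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Query sysadminctl for one account (macOS only); UNKNOWN where the tool is absent.
token_status_for_user() {
    if command -v sysadminctl >/dev/null 2>&1; then
        classify_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
    else
        echo UNKNOWN
    fi
}

# Read "user STATUS" lines on stdin and print how many are ENABLED.
count_enabled() {
    awk '$2 == "ENABLED" { n++ } END { print n + 0 }'
}

# List local accounts (UID >= 500, an assumed cutoff) from Directory Services and report each state.
audit_local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r u; do
        printf '%s %s\n' "$u" "$(token_status_for_user "$u")"
    done
}

# Constructed sample messages so the classifier can be exercised off a Mac.
SAMPLE_ENABLED='2024-01-01 10:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user alice'
SAMPLE_DISABLED='2024-01-01 10:00:01.000 sysadminctl[123:456] Secure token is DISABLED for user bob'

if command -v sysadminctl >/dev/null 2>&1; then
    report=$(audit_local_users)
    printf '%s\n' "$report"
    echo "SecureToken holders: $(printf '%s\n' "$report" | count_enabled)"
else
    echo "alice: $(classify_token_status "$SAMPLE_ENABLED")"
    echo "bob: $(classify_token_status "$SAMPLE_DISABLED")"
fi
```

On a Mac, run it as an administrator before any password reset; if the holder count is zero, the steps above cannot be used to grant a token.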
It is important to note that a user created outside of the device's System Preferences > Users & Groups will most likely not have SecureToken enabled by default. This is a deliberate security measure by Apple: it prevents someone from gaining access to the device's FileVault-protected data simply by managing to create a user through some other means.
If you experience any problems during this process, please feel free to reach out to Addigy support for further guidance or troubleshooting steps.