Enabling FileVault on a macOS device adds an extra layer of security against data loss or breach. However, FileVault can sometimes run into hurdles before it is properly enabled.

Checking FileVault Status



One of the first things to check when FileVault fails to enable, or does not prompt the user to enable it, is the current status of the FileVault encryption process.



To do this, you can send the following command to the device from the Devices page, in the Scripts section:



fdesetup status


The command may return "FileVault is Off.", which means the FileVault encryption process has not even been initiated.



The other output the command could return is "FileVault is Off. Deferred enablement appears to be active for 'insert_user_here'":



  • If Deferred enablement is active, this means that the FileVault Encryption process has been initiated. It is important to note that the user that appears in the output of the command is the user that must complete the FileVault process on the device. 



  • The way FileVault works is that it will attempt to enable FileVault on the user that is logged in at the time the command or the MDM payload is deployed to enable FileVault. 



  • If you would like to change the deferred-enablement user who is designated to enable FileVault, you need to remove the deployed payload (if it was deployed via MDM) from the device.



  • If it is not possible to remove the payload (the payload could be applied to an entire policy and affects multiple devices), you can move the device into a temporary blank policy where the FileVault payload is not applied. 



  • Once the device has been moved, begin the policy deployment and the FileVault payload should be removed from the device.



Run the status command again; it should now output "FileVault is Off." once more.



If FileVault was enabled via the Device's GoLive > Security page, you would need to run the following command to deactivate deferred enablement:



fdesetup disable



To begin the FileVault process for the desired user, ensure they are logged in and apply the proper FileVault MDM payload or initiate it via GoLive > Security and the process should initiate. 



The user then only needs to log out and log back in for the drive to begin encrypting.




Checking SecureToken Status


One aspect that can hinder the proper enablement of FileVault is whether or not a user has Secure Token enabled. Without this, a user would not be able to complete the encryption process even if deferred FileVault enablement is active for a user.



To check on the status of which users have Secure Token enabled on a macOS device, you can execute the following command from the Devices page in the Scripts section as a Saved Script:



#!/bin/bash

# List local accounts (UID 500 and above) and report each one's Secure Token status.
# sysadminctl prefixes its message with a timestamp and "sysadminctl[pid:tid] ";
# the awk call keeps only the text after that closing bracket.
for user in $(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    sysadminctl -secureTokenStatus "$user" 2>&1 | awk -F'] ' '{print $2}'
done



When executed, the output lists one line per local user stating whether Secure Token is ENABLED or DISABLED for that account.

This tells us whether or not a user has Secure Token enabled so that we can take action to remedy it. Details on the remedy are in the section that follows.
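The two checks above (the `fdesetup status` output and the Secure Token status) can be combined into a single verdict: a deferred-enablement user who lacks a Secure Token cannot finish encryption. The following is an added example, not a script from the Addigy article; it only parses command output text, so it runs anywhere, and the sample output at the bottom is constructed (modelled on the wording the article describes, not captured from a device).

```shell
#!/bin/sh
# Added example, not part of the Addigy article: classify the text that
# `fdesetup status` and `sysadminctl -secureTokenStatus` print. On a real Mac:
#   fv_triage "$(fdesetup status)" "$(sysadminctl -secureTokenStatus "$user" 2>&1)"

# Prints ON, OFF, "DEFERRED <user>" or UNKNOWN for a block of fdesetup status output.
fv_state() {
    case "$1" in
        *"Deferred enablement appears to be active for"*)
            # The user named here is the one who must finish enabling FileVault.
            # Accepts both "...active for 'alice'" and "...active for user 'alice'".
            user=$(printf '%s\n' "$1" | sed -n "s/.*active for[^']*'\([^']*\)'.*/\1/p")
            printf 'DEFERRED %s\n' "$user" ;;
        *"FileVault is On"*)  echo ON ;;
        *"FileVault is Off"*) echo OFF ;;
        *)                    echo UNKNOWN ;;
    esac
}

# Prints ENABLED, DISABLED or UNKNOWN for one line of secureTokenStatus output.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Combines both: a deferred user without a Secure Token cannot complete encryption.
fv_triage() {
    fv=$(fv_state "$1")
    case "$fv" in
        "DEFERRED "*)
            user=${fv#DEFERRED }
            if [ "$(token_state "$2")" = ENABLED ]; then
                echo "deferred: $user can complete FileVault at next login"
            else
                echo "blocked: $user lacks Secure Token; enable it before FileVault can complete"
            fi ;;
        ON)  echo "ok: FileVault already on" ;;
        OFF) echo "not started: deploy the payload or enable via GoLive > Security" ;;
        *)   echo "unknown status: $1" ;;
    esac
}
# Constructed sample output (modelled on the article's wording, not captured from a device).
SAMPLE_FV="FileVault is Off.
Deferred enablement appears to be active for user 'alice'."
SAMPLE_TOKEN="2024-01-01 10:00:00.000 sysadminctl[123:456] Secure token is DISABLED for user alice"
fv_triage "$SAMPLE_FV" "$SAMPLE_TOKEN"
```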




Enabling SecureToken For a User



If a user is found to have Secure Token disabled for their account and you would like to enable it, follow the steps below.


(Please note: this process must be done locally on the device; there is currently no other method to accomplish it.)



1. Log in as a user that has Secure Token enabled for their account.



2. Next, open Terminal and execute the following command:


sysadminctl interactive -secureTokenOn username -password password



Here, username and password are to be replaced with the username and password of the user you wish to enable Secure Token for.



3. Once this command is executed, you will be prompted to enter the password of the current user to unlock.





4. After entering the password and clicking Unlock, you should receive confirmation that the command completed successfully, with the output "Done!".





5. Finally, check the Secure Token status from the Devices page to confirm the user now has Secure Token enabled.


You can also check this locally by running the command for the specific user:



sysadminctl -secureTokenStatus username






Now that this process is complete, users with Secure Token enabled should be able to enable FileVault without any issues.


  • It is important to note that a user created by any means other than Apple's GUI in System Preferences > Users & Groups will usually not have Secure Token enabled by default.


  • This is a security implementation done by Apple to prevent users from being granted access to a device if they manage to create a user by any other means.


If you experience any problems during this process, please feel free to reach out to Addigy support for further guidance or troubleshooting steps.


If you have an Addigy account and have additional questions, you can create a ticket by emailing support@addigy.com.

Alternatively, you can submit a support request within Addigy.