Secure Token on macOS
Apple File System (APFS) in macOS 10.13 and later changes how FileVault encryption keys are generated. In macOS on APFS volumes, the keys are generated either during user creation or during the first interactive login by a user of the macOS Device. This new implementation of the encryption keys, when they are generated, and how they are stored are a part of the SecureToken mechanism. Specifically, a SecureToken is a wrapped version of a Key Encryption Key (KEK) protected by a user's password.
Changing passwords on macOS for users who have SecureToken will break the trust of the token. The user will no longer be able to turn on FileVault.
How do users get SecureToken?
In GoLive > Users, you will see users with and without the SecureToken label like show below:
SecureToken is only granted to the user who is created during the initial setup wizard.
The other mechanisms to create users with SecureToken are the following:
- The Add User functionality in Automated Device Enrollment.
- Using the syadminctl command to create a new user or enable an existing user for SecureToken, this must be performed by a user who has SecureToken. If no users have SecureToken, you will not be able to enable SecureToken.
Enabling SecureToken For a User
If a user is found to have Secure Token disabled for their account and you would like to enable it, follow the steps below.
(Please note, this process must be done locally on the device, there is currently no other method to accomplish this otherwise):
1. Login to a user that has Secure Token Enabled for their account.
2. Next you will need to open up terminal and execute the following command:
sysadminctl interactive -secureTokenOn username -password password
Where username and password is to be replaced with the username and password of the user you wish to enable Secure Token for.
3. Once this command is executed you will be prompted to enter the password of the current user to unlock:
4. After entering the password and clicking unlock you should receive a confirmation of successfully completing the command with the "Done!" output:
5. You can check the SecureToken of a user by navigating to GoLive > Users
Alternatively, check the Secure Token status from the devices page to confirm the user now has Secure Token enabled:
You can also check this locally by running the command for the specific user:
sysadminctl -secureTokenStatus username
Now that this process is complete, users with Secure Token enabled should be able to FileVault without any issues.
- It is important to note that a user created via any other means aside from Apple's GUI in System Preferences > Users & Groups will most usually not have Secure Token enabled by default.
- This is a security implementation done by Apple to prevent users from being granted access to a device if they manage to create a user by any other means.
If you experience any problems during this process, please feel free to reach out to Addigy support for further guidance or troubleshooting steps.
If you have an Addigy account and have additional questions, you can create a ticket by emailing firstname.lastname@example.org.
Alternatively, you can submit a support request within Addigy.