How to add an Active Directory user to FileVault
Technical Articles ID: KB79648
Last Modified: 2022-10-14 06:28:04 Etc/GMT
Problem
When MNE is deployed, you need to add Active Directory (AD) users to FileVault. By default, FileVault adds the currently logged-on local user on the OS X system as a FileVault-enabled user.
But AD users on Mac OS X are not added as FileVault users if either of the following is missing on the system:
- AD user home folder
- Mobile account
Solution 1
To add the AD user as a FileVault user:
- On the Mac, open Applications, System Preferences, Users & Groups.
- Select Login Options, and then click the lock to make changes and type the administrator's credentials.
- Click Edit next to registered Network Account Server, and then click Open Directory Utility.
- Click the lock to make changes and type the administrator's credentials.
- To open the Advanced Options, select and double-click Active Directory under Name.
- In the User Experience section under Advanced Options, enable Create mobile account at login, and then click OK to save your changes.
- Quit the Directory Utility application and System Preferences.
- Log off and log back into OS X with the AD user credentials.
NOTE: For macOS High Sierra systems that use the Apple File System (APFS), see Solutions 2 and 3 below.
- Deploy MNE from ePolicy Orchestrator. To turn on FileVault, enforce the policy and restart the Mac.
- When prompted, type the AD user password to turn on FileVault.
Changes in macOS High Sierra around mobile accounts and FileVault require extra steps to be taken to activate and manage FileVault.
The extra steps are needed when the system uses the macOS APFS. See the Apple support document for more details.
NOTE: Make sure that you've completed steps 1–8 of the previous procedure before following these steps.
- Open Applications, System Preferences, Security & Privacy.
- Click the lock and type the administrator's user credentials.
- Click Enable Users.
- Select the users and click Enable User to enable the selected users as FileVault users.
Solution 2
On macOS 10.13.0–10.13.3 using APFS:
To allow AD users to log on and create a mobile account:
- On the Mac, open Applications, System Preferences, Users & Groups.
- Select Login Options, and then click the lock to make changes and type the administrator's credentials.
- Click Edit next to registered Network Account Server, and then click Open Directory Utility.
- Click the lock to make changes and type the administrator's credentials.
- To open the Advanced Options, select and double-click Active Directory under Name.
- In the User Experience section under Advanced Options, enable Create mobile account at login, and then click OK to save your changes.
- Quit the Directory Utility application and System Preferences.
- Log off and log back into OS X with the AD user credentials.
After an AD user has logged on and created a mobile account:
- Log on with a local administrator account that owns the Secure Token (usually the first provisioned local user).
- On the terminal, type the following command:
sudo sysadminctl interactive -secureTokenOn <AdUser> -password -
- Type the local administrator credentials when prompted with the dialog "sysadminctl needs to unlock your disk".
- When prompted in the terminal with Enter password for <AdUser>, type the AD password for this user.
- Log on again with the AD user account.
- To turn on FileVault, deploy MNE from ePolicy Orchestrator, enforce the policy, and restart the Mac.
- When prompted, type the AD user password to turn on FileVault.
Solution 3
On macOS 10.13.4 and later using APFS:
Scenario 1
- When the AD user first logs on, the following pop-up window is displayed:
Enter a SecureToken administrator’s name and password to allow this mobile account to log in at startup time.
- Type the administrator credentials for the owner of the Secure Token.
- To turn on FileVault, deploy MNE from ePolicy Orchestrator, enforce the policy, and restart the Mac.
- When prompted, type the AD user password to turn on FileVault.
Scenario 2
Take the following steps only if steps 2 and 3 above were performed before the secure token was assigned, which results in MNE failing to activate:
- Log on with a local administrator account and restart the system.
- When prompted by FileVault, type the administrator password to complete the FileVault activation.
- Log on with an administrator account again and go to System Preferences, Security & Privacy, FileVault.
- Click the padlock and enter the credentials.
- Click Enable Users next to the warning "Some users are not able to unlock the disk."
- Click Enable User for each AD user and enter the AD user's password.
- To add the user to the preboot volume, type the following on the terminal:
  - For HFS systems: sudo fdesetup sync
  - For APFS systems: diskutil apfs updatePreboot <diskid>
NOTE: The <diskid> is the identifier of the system volume.
- To allow the AD user to log on, reboot the system.
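After finishing Solution 2 or 3, an administrator will want to confirm that the AD user really holds a Secure Token and is listed as FileVault-enabled, because only then can the account unlock the disk at preboot. The script below is an added example, not part of this article or of MNE: it parses the output of sysadminctl -secureTokenStatus and fdesetup list (the live calls only work on macOS), and the sample output and the user name jdoe are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): verify that an AD mobile user has a
# Secure Token and is a FileVault-enabled user after following Solution 2 or 3.
# The parsing functions take captured command output so they can be exercised
# off-box; check_live runs the real commands and only works on macOS.

# 0 if the `sysadminctl -secureTokenStatus <user>` output (which goes to stderr)
# ends in "Secure token is ENABLED for user <user>".
token_enabled() {
    user="$1"; output="$2"
    printf '%s\n' "$output" | grep -q "Secure token is ENABLED for user $user\$"
}

# 0 if the `fdesetup list` output names the user. fdesetup prints one
# "username,GeneratedUID" line per FileVault-enabled user.
fv_enabled() {
    user="$1"; listing="$2"
    printf '%s\n' "$listing" | cut -d, -f1 | grep -qx "$user"
}

# Both conditions must hold for the user to unlock the disk at preboot.
# Prints one verdict line per check; returns 0 only when both pass.
check_user() {
    user="$1"; token_out="$2"; fv_out="$3"; rc=0
    if token_enabled "$user" "$token_out"; then
        echo "ok:   secure token present for $user"
    else
        echo "FAIL: no secure token for $user (see Solution 2, sysadminctl -secureTokenOn)"; rc=1
    fi
    if fv_enabled "$user" "$fv_out"; then
        echo "ok:   $user is FileVault-enabled"
    else
        echo "FAIL: $user missing from fdesetup list (Security & Privacy > Enable Users)"; rc=1
    fi
    return $rc
}

# macOS only: gather live output for the user in $1 and run the check.
check_live() {
    user="$1"
    tok=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    fv=$(sudo fdesetup list 2>/dev/null)
    check_user "$user" "$tok" "$fv"
}

# Constructed sample output (not captured from a real Mac) for off-box runs.
SAMPLE_TOKEN='2022-10-14 06:28:04.000 sysadminctl[1234:5678] Secure token is ENABLED for user jdoe'
SAMPLE_FV='localadmin,11111111-2222-3333-4444-555555555555
jdoe,66666666-7777-8888-9999-000000000000'
```

Run `check_live <AdUser>` from an administrator session on the Mac; a FAIL line on the token check points back to Solution 2, a FAIL on the FileVault check to the Enable Users steps in Solution 3.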