macOS High Sierra: Mobile (AD) accounts unable to unlock FV Encrypted Disk

I set up two MacBook Pro w/Touchbar for two of my users.  Both computers came pre-installed with macOS High Sierra 10.13.1. I upgraded both to 10.13.2. Installed Munki, let Munki install required software, and then bound the computers to our Active Directory domain.

Next, I encrypted both computers with FileVault. Once the computers finished encrypting it was time to hand them off to the users. I had the users log on to the machine. Since I had already encrypted the computers, I went to System Preferences, FileVault, and clicked on Enable Users. I had the users enter their password and got the green check confirming that the user account was enabled. Rebooted the machine.

Upon reboot, I noticed that the user's account did not show up as an account that could unlock the encryption. Only my local admin account appeared. Because I didn’t have much time and these users needed their computers, I used the fdesetup command to add their user account so it could unlock the encrypted disk. On both computers this method worked. After I ran the command and had the user enter their password, they were able to unlock the FileVault encryption.

I decided to research if anyone else had experienced this problem. The #security channel in the MacAdmins Slack has ongoing conversation about this issue. It seems that the security token is not being passed to the mobile account, which prevents that account from showing up as able to unlock the FV disk.

What worked for me on both of these computers was to add the user using the command line utility fdesetup.

Run the following command:

sudo fdesetup add -usertoadd username -keychain

It will prompt for the AD user's password. Once they enter their password they should be able to unlock the FileVault-enabled disk.

Another suggestion I have seen, but have not tested, is to run the following command from the local account once you have added your AD user account to FileVault.

sudo diskutil apfs updatePreboot /
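As an added example (not code from the original post), a small shell wrapper around the two commands above: it parses `fdesetup list` to skip accounts that already have unlock enabled, adds the missing account with `fdesetup add`, runs the preboot update, and then checks the list again before the Mac is handed over. The `jdoe` account name and the sample list output are constructed; the script only calls fdesetup when it is present, so on other systems it just exercises the check against the sample.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the steps described
# above: check `fdesetup list` first, add the account only if it is missing,
# then refresh the APFS preboot volume so the account shows at the unlock screen.

# `fdesetup list` prints one "username,GUID" line per account able to unlock.
# fv_user_enabled LIST_OUTPUT USERNAME -> exit 0 if enabled, 1 if not.
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# Constructed sample: only the local admin holds a token; "jdoe" is a
# hypothetical AD mobile account that the GUI failed to enable.
SAMPLE_LIST='localadmin,00000000-0000-0000-0000-000000000001'

enable_fv_user() {
    user="$1"
    if fv_user_enabled "$(sudo fdesetup list)" "$user"; then
        echo "$user can already unlock FileVault"
        return 0
    fi
    # Prompts for the mobile account's password; -keychain authorises the change
    # with the FileVaultMaster keychain rather than an already-enabled user.
    sudo fdesetup add -usertoadd "$user" -keychain || return 1
    # Rewrite the preboot volume so the new account appears at the unlock screen.
    sudo diskutil apfs updatePreboot / || return 1
    # Confirm the account now appears in the list before handing the Mac over.
    fv_user_enabled "$(sudo fdesetup list)" "$user"
}

if command -v fdesetup >/dev/null 2>&1; then
    enable_fv_user "${1:-jdoe}"
else
    # Not on macOS: exercise the check against the constructed sample only.
    if fv_user_enabled "$SAMPLE_LIST" jdoe; then
        echo "jdoe can unlock"
    else
        echo "jdoe cannot unlock; run fdesetup add on the Mac"
    fi
fi
```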

Hopefully Apple will fix this issue soon. Until then, at least you can enable the account via command line if the GUI way does not work.

Keeping up with the Mac Admins

It’s been a while since I’ve been able to sit down for a moment and write. There are many posts I’d like to write, or at least get started on, but I have not had the time. I am currently studying for my Linux+ certification. Studying has consumed my already limited time.

I wanted to take a break from studying and write a quick post for those who may have just started as a Mac Admin. I don’t claim to be a Mac guru, but along the way I have found some valuable resources, which have taught me a lot about Mac administration. I thought I’d share these invaluable resources with you.

Believe it or not Twitter is a wealth of knowledge for Mac Administrators. If you don’t have a Twitter account, I suggest you sign up. If you search #macadmins you can find a lot of current information on what’s happening in the Mac community. You will also figure out who you should follow on Twitter for the current events in Mac administration.

Next, if you’ve never heard of Slack or don’t know about the Mac Admins Slack, you need to sign up right away. There are over 12 thousand Mac Admins on the Mac Admins Slack. You can join channels such as HighSierra, Munki, MicrosoftOffice, etc. The list goes on and on. To sign up for Slack go to https://macadmins.herokuapp.com/ and create an account. You won’t be sorry. Become an active participant. You will learn so much, and contribute your knowledge.

Finally, I highly recommend the MacAdmins podcast hosted by Tom Bridge. New episodes are published every Monday. The podcast is entertaining and informative. The information I have learned from this podcast, I have been able to share with my organization to solve real-world problems. Just go there. Listen. You won’t regret it. Search for MacAdmins in your podcast player or go to https://podcast.macadmins.org/ for the shows and show notes.

Anyway, back to studying…

Mac OS X Active Directory Binding issues

I think it’s pretty common knowledge that Macs in an Active Directory environment tend to run into binding issues. In our environment we have issues attempting to bind, as well as already-bound Macs losing their binding.

Recently the problem got a lot worse in our AD environment. It’s a rare occasion that I can get a Mac to bind to the domain on the first attempt. Usually I get the error message “Authentication Server cannot be contacted”. If I’m using the Directory Utility GUI, I have to sit at the computer and repeatedly enter the user name and password to keep attempting to bind the computer. Sadly, I’ve counted, and it’s taken over 30 attempts in some cases to get a computer to bind. Many of my fellow SAs experience the same problems.

The other problem is that we are a large organization with sites all across the country. The binding issues seem to be isolated to our center. I’ve opened up several tickets with the network and domain controller team, but they can’t replicate the problem on their end. At this point we are stuck in a finger-pointing game.

The following commands can help you troubleshoot Active Directory issues with your Mac.

GDAL image not found error

This post is more of a reminder to myself if I ever run into this issue again. If it helps someone else who runs into this issue, that’s even better.

We are a science heavy shop and most of our users write programs using Python. To help maintain a consistent environment we install Anaconda Python for our users to use. This way the programming environment is contained in the Anaconda environment and if anything breaks it’s easy enough to trash the Anaconda folder and start all over.

One of my users created a Python environment with Python 3.5 so he could move from Python 2.7 to 3.5. When he went to use GDAL, specifically the gdalwarp command, he got the following error: image not found. After repeatedly creating new environments and a couple of uninstalls, I found some info on Stack Overflow that helped. It seems the version of GDAL installed by Anaconda was 2.0.0 and not compatible with the newer versions of Python. After running the following command he was able to use the GDAL and gdalwarp commands without issue.

conda install -c conda-forge gdal=2.1.3


Getting Started with Adobe CC and Munki

I have been tasked by my organization with installing the Adobe Creative Cloud apps on the computers of our twenty-plus users who use them. We don’t utilize the Teams or Enterprise dashboard. Just the trusty ol’ serial number and Creative Cloud Packager.

This post is going to focus on getting Adobe Creative Cloud apps added to the Munki repo and successfully pushed out to users with no errors or Munki continuous-install loops. The end goal is for the user to install the Adobe CC apps using Munki, without requiring the user to sign in to the Creative Cloud Desktop app in order to use the program. When the program is launched it should open and work.

Note: This post assumes you have some basic knowledge of Munki and MunkiAdmin (GUI for Munki), and that a Munki repo is set up and running.

Tools

Munki Tools, MunkiAdmin (GUI for Munki), Adobe Creative Cloud Packager, TextWrangler

Preparation
