macOS High Sierra: Mobile (AD) accounts unable to unlock FV Encrypted Disk

I set up two MacBook Pro w/Touchbar for two of my users.  Both computers came pre-installed with macOS High Sierra 10.13.1. I upgraded both to 10.13.2. Installed Munki, let Munki install required software, and then bound the computers to our Active Directory domain.

Next, I encrypted both computers with FileVault. Once the computers finished encrypting it was time to hand them off to the users. I had the users log on to the machine. Since I had already encrypted the computers I went to system preferences, FileVault, and clicked on Enable Users. Had users enter password and got the green check confirming that the user account was enabled. Rebooted Machine.

Upon reboot, I noticed that the Users account did not show up as an account that could unlock the encryption. Only my local admin account appeared. Because I didn’t have much time and these users needed their computer, I used the fdesetup command to add their user account to be able to unlock encrypted disk. On both computers this method worked. After I ran the command and had the user enter their password they were now able to unlock the filevault encryption.

I decided to research if anyone else had experienced this problem. The #security channel in the MacAdmins Slack has ongoing conversation about this issue. It seems that the security token is not being passed to the mobile account, which prevents that account from showing up as able to unlock the FV disk.

What worked for me on both of these computers was to add the user using the command line utility FDESetup.

Run the following command:

sudo fdesetup add -usertoadd username -keychain

It will prompt for the AD user password. Once they enter their password they should be able to unlock Filevault enabled disk.

Another suggestion I have seen, but have not tested is to run the following command from the local account once you have added your AD user account to FileVault.

sudo diskutil apfs updatePreboot /

Hopefully Apple will fix this issue soon. Until then, at least you can enable the account via command line if the GUI way does not work.

Mac OS X Active Directory Binding issues

I think it’s pretty common knowledge that Macs in an Active Directory environment tend to run into binding issues. In our environment we have issues attempting to bind, as well as already bound macs losing binding.

Recently the problem got a lot worse in our AD environment. It’s a rare occasion that I can get a Mac to bind to the domain on the first attempt. Usually I get an error message “Authentication Server cannot be contacted”. If I’m using the Directory Services GUI, I will have to sit at the computer and repeatedly enter the user name and password to keep attempting to bind computer. Sadly, I’ve counted and it’s taken over 30 attempts in some cases to get a computer to bind. Many of my fellow SA’s experience the same problems.

The other problem is that we are a large organization with sites all across the country. The binding issues seems to be isolated to our center. I’ve opened up several tickets with the network and domain controller team, but they can’t replicate the problem on their end. At this point we are stuck in a finger pointing game.

The following commands can help you troubleshoot Active Directory issues with your Mac. Continue reading