macOS High Sierra 10.13.2 supplemental update fails to install

We haven’t yet updated our fleet of Macs to macOS High Sierra, for a variety of reasons. Some of our users have admin rights and performed the update themselves. We have also purchased a number of new MacBook Pros that came pre-installed with macOS High Sierra, to replace the Macs that are no longer upgradeable.

In the last few days I have had to help a couple of my High Sierra users with an issue installing the macOS 10.13.2 supplemental update. They run the update, and when the computer reboots a message pops up saying “macOS cannot be installed on your computer”. The only option is to restart the computer. When the user restarts, they get the same error message and end up in a reboot loop.

[image: the “macOS cannot be installed on your computer” dialog]

For whatever reason the installer appears to be damaged and won’t complete. Thankfully, it’s a pretty easy fix. Boot into Recovery mode by holding Cmd + R while the computer is restarting. Go to the Apple menu and select Startup Disk. Select Macintosh HD (or whatever your disk is named) and reboot. The computer will then boot normally and let you log in as usual. Go to the App Store and install the supplemental update again; it should install successfully this time.

macOS High Sierra: Mobile (AD) accounts unable to unlock FV Encrypted Disk

I set up two MacBook Pros with Touch Bar for two of my users. Both computers came pre-installed with macOS High Sierra 10.13.1, and I upgraded both to 10.13.2. I installed Munki, let Munki install the required software, and then bound the computers to our Active Directory domain.

Next, I encrypted both computers with FileVault. Once the computers finished encrypting it was time to hand them off to the users. I had the users log on to their machines. Since I had already encrypted the computers, I went to System Preferences, FileVault, and clicked Enable Users. I had each user enter their password and got the green check confirming that the user account was enabled. Then I rebooted the machine.

Upon reboot, I noticed that the user’s account did not show up as an account that could unlock the encrypted disk. Only my local admin account appeared. Because I didn’t have much time and these users needed their computers, I used the fdesetup command to add their user accounts as accounts able to unlock the encrypted disk. On both computers this method worked. After I ran the command and had the user enter their password, they were able to unlock the FileVault encryption.

I decided to research whether anyone else had experienced this problem. The #security channel in the MacAdmins Slack had ongoing conversations about this issue. It seems that the security token (SecureToken, which an account needs in order to unlock a FileVault-encrypted APFS volume) is not being passed to the mobile account, which prevents that account from showing up as able to unlock the FileVault disk.

What worked for me on both of these computers was to add the user with the command line utility fdesetup.

Run the following command:

sudo fdesetup add -usertoadd username

It will prompt for the AD user’s password. Once they enter their password they should be able to unlock the FileVault-enabled disk.

Another suggestion I have seen, but have not tested, is to run the following command from the local admin account once you have added your AD user account to FileVault. It rewrites the preboot volume so the FileVault login screen reflects the current list of enabled users.

sudo diskutil apfs updatePreboot /
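The following script, an added example that is not part of the original post, wraps the fdesetup procedure above into a repeatable check: it parses the output of `fdesetup list` to see whether the account is already able to unlock the disk, reports the account’s SecureToken status as shown by `sysadminctl -secureTokenStatus`, and only then runs `fdesetup add` followed by the `updatePreboot` step. The function names are my own, the `fdesetup list` format (`username,UUID` per line) and the `sysadminctl` message text are assumed from 10.13 behaviour, and the sample listing is constructed so the parsing functions can be exercised without a Mac.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes macOS 10.13 with
# fdesetup and sysadminctl available; helper names are hypothetical.

# Return 0 if USER appears in LISTING, the text output of `fdesetup list`
# (assumed format: one "username,UUID" line per enabled account).
fv_user_enabled() {
    user="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -F, -v u="$user" '$1 == u { found=1 } END { exit !found }'
}

# Return 0 if a `sysadminctl -secureTokenStatus` line reports an enabled token.
# Assumed message text: "Secure token is ENABLED for user jdoe".
secure_token_enabled() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide what to do for USER; prints one of: ok, add-with-token, add-no-token.
# fdesetup add is still attempted when the token is missing, since that is
# exactly the situation the post describes; the label only makes it visible.
fv_action_for_user() {
    user="$1"
    listing="$2"
    token_line="$3"
    if fv_user_enabled "$user" "$listing"; then
        echo ok
    elif secure_token_enabled "$token_line"; then
        echo add-with-token
    else
        echo add-no-token
    fi
}

# Live wrapper: runs the real commands on the Mac (needs an admin account
# that can already unlock FileVault, because fdesetup add prompts for it).
ensure_fv_user() {
    user="$1"
    listing=$(sudo fdesetup list)
    token_line=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    action=$(fv_action_for_user "$user" "$listing" "$token_line")
    echo "$user: $action ($token_line)"
    case "$action" in
        ok) ;;
        add-with-token|add-no-token)
            sudo fdesetup add -usertoadd "$user"
            # Refresh the preboot volume so the login screen lists the new user.
            sudo diskutil apfs updatePreboot /
            ;;
    esac
}

# Usage on the Mac itself: sh ensure-fv-user.sh jdoe
if [ $# -gt 0 ]; then
    ensure_fv_user "$1"
fi
```

Run it once per AD user after they have logged in at least once; the decision function is kept separate from the live wrapper so the parsing can be checked against saved `fdesetup list` output before touching a production machine.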

Hopefully Apple will fix this issue soon. Until then, at least you can enable the account from the command line if the GUI method does not work.