iMac – a Secure Token and how to get an admin user that has one

filevault, imac, security

I have an iMac 2017 with a Fusion Drive on which FileVault cannot be enabled. The situation is summed up in this reddit post. The problem boils down to: I have no admin user who has a Secure Token and it seems like I cannot get one. This can be confirmed by running:

sysadminctl interactive -secureTokenStatus USER_NAME

for every user. It always comes back with

Secure token is DISABLED for user USER_NAME

The first setup from factory settings did not result in a user with a Secure Token, and I tried to:

  • Delete /var/db/.AppleSetupDone to set up a new admin account. Result: a new admin account that also does not have a token.
  • Reinstall macOS High Sierra: the first admin user created does not have a Secure Token.

It seems that this is either intentional (because of the Fusion Drive?) or a bug in High Sierra. With exactly the same procedure on a MacBook Pro 2017 I get an admin user with a Secure Token, and that user can manage FileVault and give Secure Tokens to other users.

Since I want to use FileVault, I also tried to reformat the main disk with an encrypted file system, reinstall macOS and restore from a Time Machine backup. This worked, FileVault is enabled, but now I have to enter the disk password every time the computer boots (before the login screen). I don't want this; I want to unlock the disk with a user password.

What can I do to get an admin user with a secure token?
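The per-user check described in the question, turned into a small audit script. This is an added example, not code from the question or the answer: it runs sysadminctl -secureTokenStatus for every local account and reports whether any account holds a Secure Token at all, which is the precondition that the later -adminUser/-adminPassword attempt depends on. It assumes macOS 10.13 or later with sysadminctl and dscl available, treats UID 500 and above as human accounts, and falls back to a constructed sample report when sysadminctl is not present so it can be run anywhere.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Reports which local accounts hold a Secure Token by running
# `sysadminctl -secureTokenStatus` for every local user. Assumes macOS 10.13+
# with sysadminctl and dscl; the sample report at the bottom is constructed.

# Map one sysadminctl status line to ENABLED / DISABLED / UNKNOWN.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Query one real account; sysadminctl writes the status line to stderr.
query_user() {
  token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Local accounts with UID >= 500 (ordinary and admin users, not system accounts).
list_local_users() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Build a "user STATE" report, one line per local user.
build_report() {
  for u in $(list_local_users); do
    printf '%s %s\n' "$u" "$(query_user "$u")"
  done
}

# Return 0 (true) if at least one line of the report is ENABLED.
has_token_holder() {
  printf '%s\n' "$1" | grep -q ' ENABLED$'
}

# Constructed sample report, used when run on a machine without sysadminctl.
SAMPLE_REPORT="$(printf '%s\n' 'alice DISABLED' 'justin ENABLED' 'guest DISABLED')"

if command -v sysadminctl >/dev/null 2>&1; then
  REPORT="$(build_report)"
else
  REPORT="$SAMPLE_REPORT"
fi

printf '%s\n' "$REPORT"
if has_token_holder "$REPORT"; then
  echo "At least one account holds a Secure Token and can grant tokens to others."
else
  echo "No account holds a Secure Token; -secureTokenOn cannot succeed on this install."
fi
```

Run it as an admin user; if every line comes back DISABLED, the situation is the one in the question, and no amount of re-creating admin accounts on the same install will change the report, because granting a token requires an existing token holder to authorize it.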

Best Answer

Just migrated to a new 2018 MacBook Pro, and somehow my original account (an admin user) was created without a secure token during the migration. I even tried creating a new admin user, logging into that user and trying to run sysadminctl -secureTokenOn justin -password - but getting:

2018-07-30 14:17:56.552 sysadminctl[886:18232] Operation is not permitted without secure token unlock.

So then I tried the following providing adminUser and adminPassword flags as my original user justin:

sysadminctl -secureTokenOn justin -password - -adminUser justin -adminPassword -

Enter password for justin :

Enter password for Justin K :

2018-07-30 14:31:05.262 sysadminctl[998:49031] setSecureTokenAuthorizationEnabled error Error Domain=com.apple.OpenDirectory Code=5101 "Authentication server refused operation because the current credentials are not authorized for the requested operation." UserInfo={NSLocalizedDescription=Authentication server refused operation because the current credentials are not authorized for the requested operation., NSLocalizedFailureReason=Authentication server refused operation because the current credentials are not authorized for the requested operation.}

Essentially it seems that since none of my users have a secure token, there is no way to grant a secure token. The only downfall is the following:

  • When I cold start the machine I have to enter a disk decryption password, which results in entering my password twice (once for disk decryption and once for the user account).

  • When I try to turn off FileVault by clicking the button, nothing happens. The same happens when clicking the warning button "Some users are not able to unlock the disk [Enable Users...]": nothing happens.
