MacOS – How to force Disk Encryption password on boot for ALL users

apfs, encryption, filevault, macos, password

I want my MBP to be unlocked with the Disk Encryption Password before getting access to the login screen (read: I want to have two password prompts before the MBP can be used).

Therefore, I made a clean (re)install of High Sierra and chose APFS Encrypted. However, the subsequently created admin account has a security token, which seems to be my issue.
Now on startup I have the choice between the admin account and the Disk Encryption Password for other accounts with a disabled Token.

I tried the following:

  1. Tried to remove myself (aka admin) from having the Secure Token with sysadminctl -secureTokenOff admin but I end up with the following error:
    Operation not permitted without a secure token unlock.

However, I do have one (sysadminctl -secureTokenStatus admin shows ENABLED).

  2. Tried to remove myself from being able to unlock the disk with fdesetup remove -user admin but as I'm the only user, I got the following error: User could not be removed because it's the last OS user on the Volume

In short, how can I force the Disk Encryption Password prompt for ALL users, including admins?

It echoes this post: Prompt for encrypted disk password on startup

Note :
On a buggy install of High Sierra, I ended up with an admin account without Security Token, and it worked as intended: I had to go through the Disk Encryption Password prompt before anything else.
However, I re-installed macOS because this situation made me unable to access the terminal from macOS Recovery (I had an error message saying that no admin with the correct status (read: Token) was found on the system).

Best Answer

Ok, so here is half an answer.

  • With a first admin account (e.g. admin) you create another one (admin_tmp) and you log into it.
  • In the terminal you remove the first account from being able to unlock the disk with fdesetup remove -user admin. At the same time its SecureToken switches to Off.
  • You log out and log into 'admin'. Then from the Users accounts preferences you remove admin_tmp from the system.
  • Then you have an admin account with no SecureToken, which seems to be the only way to force a Disk Encryption Password prompt on boot. Subsequent accounts will inherently have no SecureToken, hence no permission to decrypt the disk with their own password.

That's not ideal as this may break some stuff (see my Note in the initial post).
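The script below is an added example, not code from the question or the answer. It wraps the answer's second step (fdesetup remove -user admin, run from admin_tmp) with the check that explains the error the asker hit: fdesetup refuses to remove the last FileVault-enabled user, so a second FileVault-enabled admin must exist before the original admin is removed. The parsing helpers take command output on stdin, so they can be exercised with constructed sample output on any system; the live part only runs on macOS when a username is passed. Assumptions: fdesetup list prints one "user,UUID" line per FileVault-enabled user, and sysadminctl -secureTokenStatus prints a line containing "Secure token is ENABLED"/"DISABLED" (the exact wording is assumed from High Sierra and may differ on other releases).

```shell
#!/bin/bash
# Added example (not from the question or answer). Assumes macOS High Sierra
# with APFS encryption, run from a second FileVault-enabled admin (admin_tmp)
# that can sudo. Parsing helpers read command output from stdin so they can
# be tried with constructed sample output on any system.

# Usernames from `fdesetup list` (assumed format: one "user,UUID" per line).
fv_users() {
    awk -F, 'NF >= 2 { print $1 }'
}

# Number of FileVault-enabled users in `fdesetup list` output.
fv_user_count() {
    fv_users | awk 'END { print NR }'
}

# Exit 0 if `fdesetup remove -user "$1"` can succeed on the list read from
# stdin, 1 if the user is not FileVault-enabled, 2 if the user is the only
# one (fdesetup refuses with "last OS user on the Volume", as in the question).
# usage: fdesetup list | can_remove_fv_user admin
can_remove_fv_user() {
    user="$1"
    list=$(fv_users)
    printf '%s\n' "$list" | grep -qx -- "$user" || return 1
    [ "$(printf '%s\n' "$list" | awk 'END { print NR }')" -gt 1 ] || return 2
    return 0
}

# ENABLED or DISABLED from `sysadminctl -secureTokenStatus <user>` output
# (assumed message: "Secure token is ENABLED for user <user>", on stderr).
secure_token_state() {
    if grep -q 'Secure token is ENABLED'; then
        echo ENABLED
    else
        echo DISABLED
    fi
}

# The answer's second step, run from admin_tmp on the Mac itself: remove the
# original admin from the FileVault unlock list only after confirming it is
# not the last FileVault user, then report its SecureToken state, which the
# answer says switches to Off as a side effect.
remove_unlock_user() {
    user="$1"
    rc=0
    fdesetup list | can_remove_fv_user "$user" || rc=$?
    case $rc in
        1) echo "$user is not a FileVault-enabled user" >&2; return 1 ;;
        2) echo "$user is the last FileVault user; log in as another FileVault-enabled admin first" >&2; return 1 ;;
    esac
    sudo fdesetup remove -user "$user" || return 1
    sudo sysadminctl -secureTokenStatus "$user" 2>&1 | secure_token_state
}

# Only act on a real Mac when a username is given, e.g.: ./remove_unlock.sh admin
if [ "$(uname)" = Darwin ] && [ -n "$1" ]; then
    remove_unlock_user "$1"
fi
```

Run it as admin_tmp before logging back into admin; if it reports that admin is still the last FileVault user, admin_tmp was not actually FileVault-enabled (check with fdesetup list) and the removal will fail exactly as it did for the asker.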