As part of Apple File System's FileVault encryption on macOS High Sierra, Apple introduced Secure Token. This is a new and undocumented account attribute which must be added to a user account before that account can be enabled for FileVault on an encrypted Apple File System (APFS) volume. To help make sure that at least one account has a Secure Token attribute associated with it, a Secure Token attribute is automatically added to the first account to log in at the OS loginwindow on a particular Mac. Once an account has a Secure Token associated with it, it can then create other accounts, which will in turn automatically be granted their own Secure Token. For the consumer user, this usually takes the following form:

• Secure Token is automatically enabled for the user account created by Apple's Setup Assistant.
• The Setup Assistant-created user account with Secure Token then creates other users via the Users & Groups preference pane in System Preferences.

Those accounts get their own Secure Token automatically. However, Active Directory mobile accounts and user accounts created using command line tools do not automatically get Secure Token attributes associated with them. Without the Secure Token attribute, those accounts cannot be enabled for FileVault.

Update 1-20-2018: @mikeymikey has pointed out an exception to the rule:

Not strictly true. If you bind to AD and suppress SetupAssistant, the first mobile AD user logging in will indeed get a SecureToken. There are undocumented subtleties Apple follows in bootstrapping the first SecureToken user from none. — mikeymikey (@mikeymikey)

For these accounts, the sysadminctl utility must instead be used to grant Secure Token as a post-account creation action. In that case, the sysadminctl utility must be run by a user account with the following pre-requisites:

• Administrative rights
• Secure Token

For more details, please see below the jump.

There are a couple of ways to check from the command line if a particular account has the Secure Token attribute associated with it:

sysadminctl -secureTokenStatus username_goes_here

Note: The sysadminctl utility has multiple ways to provide the needed admin authorization to run.

dscl . -read /Users/username_goes_here AuthenticationAuthority

You can also check in Directory Utility to see if a Secure Token entry appears under the account's Authentication Authority attribute.
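The check-then-grant procedure above as one script, added here as an example and not code from the original post. It assumes the marker strings that sysadminctl and dscl print ("Secure token is ENABLED/DISABLED for user ..." on stderr, and a ";SecureToken;" entry in AuthenticationAuthority), the sysadminctl -adminUser/-adminPassword/-secureTokenOn/-password flags for the grant, and dseditgroup for the admin-membership check; the sample outputs embedded in the script are constructed so the parsing can be exercised without a Mac, and the account names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check whether an account holds a
# Secure Token and, if it does not, grant one from an admin account that already has one.
# Assumptions: the marker strings below are modelled on sysadminctl/dscl output, the
# grant uses sysadminctl's -adminUser/-adminPassword/-secureTokenOn/-password flags,
# and the sample outputs are constructed for offline testing.

# Constructed samples of what the two check commands print.
SAMPLE_ENABLED='2018-01-20 10:21:33.123 sysadminctl[1234:56789] Secure token is ENABLED for user Jane Admin'
SAMPLE_DISABLED='2018-01-20 10:21:40.456 sysadminctl[1235:56790] Secure token is DISABLED for user AD Mobile User'
SAMPLE_DSCL_TOKEN='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;jane@LKDC:SHA1.ABC;LKDC:SHA1.ABC; ;SecureToken;'
SAMPLE_DSCL_NOTOKEN='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;adm@LKDC:SHA1.DEF;LKDC:SHA1.DEF;'

# Reduce `sysadminctl -secureTokenStatus <user>` output to ENABLED, DISABLED or UNKNOWN.
# sysadminctl writes this line to stderr, so callers must capture it with 2>&1.
token_status_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Succeed (exit 0) when `dscl . -read /Users/<user> AuthenticationAuthority` output
# carries the ;SecureToken; entry, fail otherwise.
has_securetoken_authority() {
    case "$1" in
        *";SecureToken;"*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Live query; macOS only.
secure_token_status() {
    token_status_from_output "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Prompt for a password without echoing it to the terminal.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo; read -r _pw; stty echo; echo >&2
    printf '%s' "$_pw"
}

# Grant a Secure Token to $2 using admin account $1, enforcing the two prerequisites
# from the text: the granting account must be an admin and must itself hold a token.
grant_secure_token() {
    admin_user="$1"; target_user="$2"
    if ! dseditgroup -o checkmember -m "$admin_user" admin >/dev/null 2>&1; then
        echo "$admin_user is not an administrator" >&2; return 1
    fi
    if [ "$(secure_token_status "$admin_user")" != ENABLED ]; then
        echo "$admin_user has no Secure Token, so it cannot grant one" >&2; return 1
    fi
    if [ "$(secure_token_status "$target_user")" = ENABLED ]; then
        echo "$target_user already has a Secure Token"; return 0
    fi
    admin_pw="$(read_secret "Password for $admin_user")"
    target_pw="$(read_secret "Password for $target_user")"
    # Caveat: both passwords are visible in `ps` output for the lifetime of this call.
    sysadminctl -adminUser "$admin_user" -adminPassword "$admin_pw" \
                -secureTokenOn "$target_user" -password "$target_pw"
    # Re-check the attribute instead of trusting the exit status.
    [ "$(secure_token_status "$target_user")" = ENABLED ]
}

# Offline self-check on the constructed samples; runs on any POSIX shell.
echo "sample enabled  -> $(token_status_from_output "$SAMPLE_ENABLED")"
echo "sample disabled -> $(token_status_from_output "$SAMPLE_DISABLED")"
has_securetoken_authority "$SAMPLE_DSCL_TOKEN" && echo "dscl sample: SecureToken present"

# Real run on a Mac: sh grant_token.sh <admin_with_token> <target_user>
if [ "$#" -eq 2 ] && command -v sysadminctl >/dev/null 2>&1; then
    grant_secure_token "$1" "$2"
fi
```

The script deliberately checks both prerequisites before calling sysadminctl, because an admin account that itself lacks a Secure Token (a command-line-created admin, for instance) cannot grant one, and then verifies the result by re-reading the status rather than relying on the command's exit code.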
