With the release of macOS High Sierra, Apple added a new user attribute called Secure Token. This attribute is required to interact with and manage Full Disk Encryption (called FileVault) on macOS devices with an APFS boot volume. It is only granted in certain scenarios and, in most cases, once the first token is granted to a user, subsequent tokens can only be granted by users who already have a token (similar to how certificate trust with Certificate Authorities works).
What devices would this apply to?
Secure Token applies to devices running macOS High Sierra (10.13) with APFS (the default option for devices with an SSD/Flash Drive), or devices running macOS Mojave (10.14) and newer (these will default to using APFS regardless).
How to guarantee a Secure Token is granted
The following scenarios will guarantee a user has a secure token:
1) If the user is created via the initial Setup Assistant*, it will get a Secure Token
2) If a device hasn't issued a Secure Token yet, is bound to AD, and the Setup Assistant is suppressed, the first mobile AD user account to log in via the login window will get a Secure Token
3) If a 'require FileVault' configuration profile is deployed before the first user logs in, this user will gain a Secure Token**
4) If a user is enabled for FileVault in System Preferences by an Admin user who already has a Secure Token, this user will get a Secure Token
5) If an Admin user who already has a Secure Token runs the `sysadminctl` command on another user, that user will get a Secure Token
6) If an Admin user who doesn't have a Secure Token runs the `sysadminctl` command on another user, and no initial token has been issued, both that user and the Admin user will get a Secure Token**
* There is also a bug where if this user is not allowed to be an Admin (via the DEP controls) this can fail. The solution is to allow this user to be an Admin, then demote them later in the deployment process.
** macOS 10.14.2 onwards
How to check if a user has a Secure Token
Run the below command to find if a local user has a Secure Token, replacing "[username]" with the username:
/usr/sbin/sysadminctl interactive -secureTokenStatus [username]
Please note: `interactive` is only required on macOS versions earlier than 10.13.4.
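To run this check across every local account and flag a device where nobody holds a token yet, the script below is an added example and not part of the original article. It assumes `sysadminctl` reports "Secure token is ENABLED" or "Secure token is DISABLED" on stderr, and that regular local accounts can be listed with `dscl` using a UID of 501 or higher; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report Secure Token status for local accounts.
# Assumptions: sysadminctl prints "Secure token is ENABLED|DISABLED for user ..."
# on stderr; regular local accounts have a UID of 501 or higher.

SYSADMINCTL="${SYSADMINCTL:-/usr/sbin/sysadminctl}"

# Map one line of sysadminctl output to ENABLED, DISABLED or UNKNOWN.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Query a single user. On macOS earlier than 10.13.4, add `interactive`
# before -secureTokenStatus, as noted above.
user_token_state() {
    token_state "$("$SYSADMINCTL" -secureTokenStatus "$1" 2>&1)"
}

# Read usernames on stdin and print "user<TAB>state" for each one.
# Returns non-zero when no listed account holds a Secure Token.
audit_users() {
    holders=0
    while read -r user; do
        [ -n "$user" ] || continue
        state=$(user_token_state "$user")
        printf '%s\t%s\n' "$user" "$state"
        if [ "$state" = ENABLED ]; then
            holders=$((holders + 1))
        fi
    done
    [ "$holders" -gt 0 ]
}

# Run the audit only where the tool exists (i.e. on macOS).
if [ -x "$SYSADMINCTL" ]; then
    dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | audit_users \
        || echo "WARNING: no local account holds a Secure Token" >&2
fi
```

A warning here means the first token has not been issued, so which account logs in or is created next determines who receives it under the scenarios listed earlier.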
General Advice
The general advice for Secure Token is:
- If using 1:1 deployments, allow the user to be the first person to log into a newly deployed device (rather than any service account)
- If using 1:1 deployments, allow the user to create an account via the Setup Assistant. Allow this user to be a local admin during this setup (they can be demoted post deployment if required)
- If using an AD user, allow the user to be the first person to log into a newly deployed device (rather than any service account)
- It is strongly discouraged to use FileVault with multiple AD logins on a single device (such as a shared device)
- It is recommended to not use AD logins with FileVault, instead utilising local accounts and tie-in solutions such as NoMAD, Jamf Connect or JumpCloud.
More Information
- https://jumpcloud.com/blog/secure-token-filevault-on-macos-high-sierra/
- https://travellingtechguy.eu/mojave-10-14-2-and-secure-tokens-it-works/
- https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/
- https://help.apple.com/deployment/macos/#/apd8faa99948