Overview
With the release of macOS High Sierra, Apple added a new user attribute called Secure Token. This user attribute is required to interact and manipulate the use of Full Disk Encryption (known as FileVault) on macOS devices with an APFS boot volume.
This attribute is only granted in certain scenarios and in most cases, once the first Token is granted to a user, subsequent Tokens can only be granted by users already with a token (similar to certificate trust with Certificated Authorities).
Applicable devices
Secure token applies to devices running macOS High Sierra (10.13) with APFS (the default option for devices with an SSD/Flash Drive), or devices running macOS Mojave (10.14) and newer (these will default to using APFS regardless).
Ensuring a Secure Token is granted
The following scenarios will guarantee a user has a secure token:
1) If the user is created via the initial Setup Assistant* it will get a Secure Token
2) If a device has not issued a Secure Token yet, is bound to AD and the setup assistant suppressed, the first Mobile AD user account to log in via the login window will get a Secure Token
3) If a 'require FileVault' configuration profile is deployed before the first user logs in, this user will gain a Secure Token**
4) If a user is enabled for FileVault in System Preferences by an Admin user who has a Secure Token already, this user will get a Secure Token
5) If the `sysadminctl` command is used on another user by an Admin user who has a Secure Token already, this user in question will get a Secure Token
6) Using the `sysadminctl` command as an Admin user who doesn't have a Secure Token, and no initial Token has been issued, on another user, both this user and the Admin user will get a Secure Token**
* There is also a bug where if this user is not allowed to be an Admin (via the DEP controls) this can fail. The solution is to allow this user to be an Admin, then demote them later in the deployment process.
** macOS 10.14.2 onwards
Checking if a user has a Secure Token
To check if a local user has a Secure Token, run the below command while replacing "[username]" with the username:
/usr/sbin/sysadminctl interactive -secureTokenStatus [username]
Please Note: `interactive` is only required on Apple versions under 10.13.4 .
Best practises
We advise and highly recommend adhering to the below advice:
- If using 1:1 deployments, allow the user to be the first person to log into a newly deployed device (rather than any service account)
- If using 1:1 deployments, allow the user to create an account via the Setup Assistant. Allow this user to be a local admin during this setup (they can be demoted post deployment if required)
- If using an AD user, allow the user to be the first person to log into a newly deployed device (rather than any service account)
- It is strongly discouraged to use FileVault with multiple AD logins on a single device (such as a shared device)
- It is recommended to not use AD logins with FileVault, instead utilising local accounts and tie-in solutions such as NoMAD, Jamf Connect or JumpCloud.
Further information
- Apple - Apple Platform Development
- JumpCloud - Secure Token and FileVault on macOS High Sierra
- Travelling Tech Guy - Mojave 10.14.2 and Secure Tokens, it works!
- Der Flounder - Secure Token and FileVault on Apple File System
Need further support?
Automate. Simplify. Succeed. If you still require assistance with us or have any further questions, please raise a ticket with our support team.
Alternatively, please see our frequently updated knowledge base articles for reference.