Secure Token and FileVault on macOS High Sierra

With the release of macOS^® High Sierra, Apple^® introduced a new attribute for users called a Secure Token. While the purpose of this attribute wasn’t initially clear due to Apple’s limited documentation, it has now become clear that the Secure Token attribute is required for users to interact with FileVault^® (Enabling, disabling, and managing a user’s ability to decrypt an encrypted volume).

The Secure Token attribute is generated and provided to the first account created on a new High Sierra or later Mac^® system. Further, once this primary account has its Secure Token attribute applied, it can then create other accounts and apply this Secure Token attribute value to them. This process ensures a “chain-of-trust” amongst local users who can securely be enabled for FileVault. One interesting observation to note here is that user profiles in Sierra are each given a valid Secure Token once the Mac is upgraded to High Sierra.

With this newly-introduced Secure Token attribute and “chain-of-trust”, Active Directory^® mobile accounts and user accounts created using command-line tools are not given a Secure Token upon account creation. Without the Secure Token attribute, these accounts are not able to enable, disable, or manage a user’s ability to decrypt an encrypted FileVault volume.

Checking the Secure Token

While these accounts do not have a valid Secure Token initially, the sysadminctl utility may be used to grant a Secure Token to these newly created users. If you are unsure of whether a user has a valid Secure Token you may easily check by running:

“sysadminctl interactive -secureTokenStatus USERNAME”.

Note: `interactive` is only required on Apple versions under 10.13.4 .

With the background information about Secure Token known above, JumpCloud^® has solved this which previously required admin intervention on a host-by-host basis, by now automating the process of applying a Secure Token value for users on macOS. We are able to do this through new operations we’ve included in our latest macOS system agent. You may find a complete walk through of these new agent updates here on our knowledge base, but in short, we have included new functionality which enables our agent to receive its user-creation commands from our cloud-based directory service, while locally appending a new user account with the critical Secure Token value macOS required for FileVault. One of the main benefits of our approach here is that this will now allow a High Sierra Mac user to simply log into their new Mac host one time, and be automatically enabled into their FileVault encrypted volume. Further, user accounts on High Sierra without a valid Secure Token value will have the attribute correctly updated with a ‘good’ value.  

More Information

Please refer to our Knowledge Base on how to access and upgrade your macOS system agents to the latest version and benefit from this new set of updates. And as always, you may feel free to ask questions of our Customer Success team on the new agent behavior and operation.