When you try to manually enable FileVault with a mobile account, you will get the following error message:
Authentication server refused operation because the current credentials are not authorized for the requested operation.
This issue only occurs when the storage device is formatted as APFS.
For more information about the error, refer to the Apple Support article: "If you see authentication server errors when turning FileVault on in macOS High Sierra".
To add a secure token to a specific account, you must first have the credentials of a local admin account that already holds a secure token.
Prerequisites:
- The logon credentials for the local admin and the domain user.
- The domain user must have a mobile account.
- The specific user account is set with "full name" in the Users & Groups pane. (Note: We will enhance this in TMEE 6.0 L10n.)
Do any of the following methods:
Method 1
- Check the secure token status of the specific user account and make sure it is reported as disabled:
  $ sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenStatus "$username" -password "$user_password"
  $GUIAdmin is usually the local admin account, which holds a secure token by default.
- Add a secure token to the specific user account:
  - Check that the local admin account has a secure token and that it is enabled:
    $ sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenStatus "$GUIAdmin" -password "$GUIAdminPw"
  - Log on to the Mac as the local admin and execute the following command:
    $ sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenOn "$username" -password "$user_password"
  - Verify that the specific account has a secure token and that it is enabled:
    $ sudo sysadminctl -secureTokenStatus "$username"
- Reboot the machine.
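The Method 1 sequence (check the admin's token, check the user's token, grant it only when missing, verify) as one idempotent routine. This is an added example, not part of the original article or of the Endpoint Encryption product; SYSADMINCTL is a hypothetical override used so the status parser can be exercised with constructed output on a machine without sysadminctl.

```bash
#!/bin/bash
# Added example: wraps the Method 1 sysadminctl steps into one routine.
# SYSADMINCTL is a hypothetical override (assumption, not a real option) so
# the parsing logic can be tested with constructed output off a Mac.
SYSADMINCTL="${SYSADMINCTL:-/usr/sbin/sysadminctl}"

# Reduce a "sysadminctl -secureTokenStatus" report to enabled / disabled / unknown.
# sysadminctl writes the status to stderr, e.g.
#   "... sysadminctl[123:456] Secure token is ENABLED for user alice"
token_state() {
  case "$1" in
    *"Secure token is ENABLED for user"*)  echo enabled ;;
    *"Secure token is DISABLED for user"*) echo disabled ;;
    *)                                     echo unknown ;;
  esac
}

# Query one account; stderr is merged because that is where the status goes.
secure_token_status() {
  token_state "$("$SYSADMINCTL" -secureTokenStatus "$1" 2>&1)"
}

# Grant a secure token to $3 with admin $1/$2 only if it is missing, then
# re-check. Returns 0 when the account ends up enabled, 1 otherwise.
ensure_secure_token() {
  local admin="$1" admin_pw="$2" user="$3" user_pw="$4"
  # A token can only be granted by an account that already holds one.
  if [ "$(secure_token_status "$admin")" != enabled ]; then
    echo "admin $admin has no secure token; use an account that does" >&2
    return 1
  fi
  if [ "$(secure_token_status "$user")" = enabled ]; then
    echo "$user already has a secure token"
    return 0
  fi
  "$SYSADMINCTL" -adminUser "$admin" -adminPassword "$admin_pw" \
                 -secureTokenOn "$user" -password "$user_pw" >/dev/null 2>&1
  # Verify instead of trusting the exit code, as the article's last step does.
  [ "$(secure_token_status "$user")" = enabled ]
}
```

Run it as the local admin, e.g. `ensure_secure_token "$GUIAdmin" "$GUIAdminPw" "$username" "$user_password"`, then reboot as in the step above.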
Method 2
Use SecureTokencmd to enable a secure token. Endpoint Encryption 6.0 L10n includes the SecureTokencmd tool.
- Copy the tool to the Mac where the domain user is logged in.
- Check the status of the secure token for the specific user:
  $ sudo ./SecureTokencmd Status
- Check that the local admin account has a secure token and that it is enabled:
  $ sudo ./SecureTokencmd Status
- Log on to the Mac as the local admin.
- Turn on the secure token for the specified user whose secure token is disabled, then provide the specific user account and the corresponding credentials for the local admin:
  $ sudo ./SecureTokencmd enable
- Verify the status of the secure token using the Status command from the first check above.
- Reboot the machine.
Method 3
- Install Encryption Management for Apple FileVault 6.0.0.1035 or a later version.
- Log on as a local admin and sync the policies (the local admin must have a secure token).
- Input the password to start encryption.
- Go to System Preferences > Security & Privacy > FileVault.
- Unlock to make the changes.
- Click Enable Users.
- Enable the domain user to unlock the disk.