macOS FileVault password reset fails because LAPS admin has no Secure TokenSolved

Participant
Discussion
2 weeks ago Jun 30, 2026

After updating a macOS password policy, one managed Mac user got locked out. The account was unlocked, but the old password initially was not accepted and the user could not reset it.

The Mac has FileVault enabled. We have Hexnode Basic LAPS configured, but the local LAPS admin account shows Secure Token as “Not Granted” under Local Accounts. There is no other local admin account with a Secure Token.

When trying to use the remote Change Password action, I am not sure which admin credentials will work because the LAPS admin does not seem to be FileVault-authorized. What is the correct way to handle this?

Replies (1)

Marked SolutionPending Review
Hexnode Expert
2 weeks ago Jun 30, 2026
Marked SolutionPending Review

Hi @remy-parker,

On FileVault-enabled Macs, a Secure Token is required for accounts that need to authenticate at the FileVault pre-boot screen or authorize password-related administrative actions.

Hexnode Basic LAPS can create and manage a local admin account, but macOS does not automatically make that account Secure Token-enabled in every scenario. If the LAPS admin account shows Secure Token as “Not Granted”, remote Change Password actions may fail or remain pending because the admin account is not authorized to perform the reset on a FileVault-protected Mac.

Recommended checks:

  1. Go to the device in Hexnode and check Local Accounts to confirm whether the LAPS admin has a Secure Token.
  2. If the Mac can still be accessed locally, log in to the Mac once using the LAPS admin account.
  3. Open the Hexnode app on the Mac and perform a sync.
  4. From the Hexnode portal, run Actions > Sync local accounts.
  5. Recheck the Local Accounts section to see whether the Secure Token status has changed.

If the account still does not receive a Secure Token, Hexnode cannot force macOS to grant it remotely. In that case, access must be restored using an existing FileVault-authorized user account or the FileVault Recovery Key.

For future deployments, make sure FileVault recovery keys are escrowed to Hexnode and verify that the LAPS admin account is Secure Token-enabled before relying on it for FileVault-related password recovery.

Regards,
Sienna Carter
Hexnode UEM

Save