Hi @remy-parker,
On FileVault-enabled Macs, a Secure Token is required for accounts that need to authenticate at the FileVault pre-boot screen or authorize password-related administrative actions.
Hexnode Basic LAPS can create and manage a local admin account, but macOS does not automatically make that account Secure Token-enabled in every scenario. If the LAPS admin account shows Secure Token as “Not Granted”, remote Change Password actions may fail or remain pending because the admin account is not authorized to perform the reset on a FileVault-protected Mac.
Recommended checks:
- Go to the device in Hexnode and check Local Accounts to confirm whether the LAPS admin has a Secure Token.
- If the Mac can still be accessed locally, log in to the Mac once using the LAPS admin account.
- Open the Hexnode app on the Mac and perform a sync.
- From the Hexnode portal, run Actions > Sync local accounts.
- Recheck the Local Accounts section to see whether the Secure Token status has changed.
If the account still does not receive a Secure Token, Hexnode cannot force macOS to grant it remotely. In that case, access must be restored using an existing FileVault-authorized user account or the FileVault Recovery Key.
For future deployments, make sure FileVault recovery keys are escrowed to Hexnode and verify that the LAPS admin account is Secure Token-enabled before relying on it for FileVault-related password recovery.
Regards,
Sienna Carter
Hexnode UEM