Creating standard user account with FV 2 enabled macOS devices. 

expand collapsive

Is it possible to remotely create a local user account on Mac with filevault enabled? This newly created account should show up on the login screen when the Mac is turned on, which it isn’t now.

All Replies

  • Whether or not a user account can unlock a FV encrypted disk depends on the means by which you created the account in the first place. In case you don’t already know, a user account should have a secure token enabled to be able to unlock the FV encrypted disk. If I’m not wrong, a secure token will automatically be generated for an account created via the system preferences in the GUI. But that’s not the case when creating user accounts from the command line, in which case you can include the command for associating a secure token along with the script for creating the user account.

    Run the below command to associate a secure token with your user account so that it’ll be added to the FV2 enabled accounts list:

    sudo sysadminctl -adminUser <your_admin_account> -adminPassword <admin_account_password> -secureTokenOn <standard_user_account> -password <standard_useraccount_password>

  • Hexnode

    Chris Wheeler

    Moderator

    Hey there, @Schyler. Thanks for reaching out on Hexnode Connect!

    As @Bram pointed out, only user accounts with Secure Token enabled can unlock a FileVault-enabled Mac. Therefore, make sure to manually grant a secure token to user accounts that do not have a secure token enabled. With Hexnode UEM, you can remotely create user accounts on your enrolled Macs using the Create User Account action. While executing the action, select the Grant Secure Token option to enable a secure token for the new user account automatically. Moreover, you can also Grant Secure Token for existing user accounts that don’t yet have secure token enabled. In both the cases of enabling secure token, you’d need to enter the credentials of an Admin user for which secure token has already been enabled.

    Note that secure token can be enabled only on macOS devices running macOS 10.13 or later.

    Hope this helps. Do reach out if you’ve any further queries.

    Cheers!
    Chris Wheeler
    Hexnode UEM