
How to fix issues with enabling FileVault on Mac

FileVault is a full-disk encryption program on macOS 10.3 or higher versions for securing data. Hexnode UEM provides a mechanism to associate policies from the MDM console to enable FileVault on devices. In some instances, however, users might have problems turning it on. This documentation helps users fix issues associated with enabling FileVault.

Problems while enabling FileVault:

After the FileVault policy is associated, the device might still fail to enable FileVault for various reasons. Sometimes an error message stating the reason for the failure is displayed when the device is restarted or during the next user login.

Common errors

  1. “An unexpected master password keychain was found.”

    Description: When FileVault encryption is enabled with a Personal Recovery key, this error message sometimes appears when the user restarts or logs out of the device to turn on FileVault.

    Solution: Remove the master password keychain file FileVaultMaster.keychain found in the path /Library/Keychains, then restart the device to resolve the issue.

Other issues and methods to resolve them

  1. The given user account that enables FileVault requires a secure token to be enabled.

    Solution: Add a valid secure token to the user account

    On devices running macOS 10.13 and higher, the user (mobile account or user account) needs to have a secure token to activate FileVault. Active Directory users (mobile user accounts) do not have a secure token enabled on them automatically. In contrast, the secure token is enabled on local accounts when such accounts are created. Hence, an Active Directory user might experience issues with enabling FileVault. Follow these steps to add a secure token to a local user account:

    1. Log in to the given user account.
    2. Open Terminal.
    3. Execute the following command:
      sysadminctl interactive -adminUser [admin_username] -adminPassword [adminpassword] -secureTokenOn [username_that_needs_token] -password [userspassword]
    4. Log out of the Mac, then log in again to the given account for the command to take effect.
  2. Disk problems associated with the formatting or directory structure of the device.

    Solution: Use Disk Utility to repair the formatting information.

    If users have difficulty enabling FileVault even when the policy is applied to the devices, you can repair the formatting information on the storage devices using the Disk Utility app.

    1. Open the Disk Utility app on the device that faces the issue.
    2. Select the volume/container on the storage device.
    3. Click on First Aid.
    4. The device prompts you to confirm the repair process. Click on the Run button.
    5. First Aid checks the given volume/container for errors and repairs any corruption it finds. You have to repeat the procedure separately on each volume/container to check them.
  3. The device is outdated.

    Solution: Update the device

    The error might be caused by a software bug. The best way to fix software bugs is to update the software by navigating to System Preferences > Software Update.
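
The causes listed above can be checked from Terminal before the policy is retried. The script below is an added example, not part of Hexnode's documentation; the function names and the optional root-prefix argument are hypothetical, and the status wording matched from `sysadminctl -secureTokenStatus` is an assumption about that command's output.

```shell
#!/bin/sh
# Added example, not Hexnode's code: pre-flight checks for the causes listed above.

# True if the master password keychain exists. The path is the one named on
# this page; the optional root prefix ($1) is an assumption for testing.
master_keychain_present() {
    [ -e "${1:-}/Library/Keychains/FileVaultMaster.keychain" ]
}

# Classify the line printed by `sysadminctl -secureTokenStatus <user>`.
# The matched wording is an assumption about that output.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Report findings for one account; exit status is the number of findings.
preflight() {
    user="$1"
    findings=0
    if master_keychain_present ""; then
        echo "FINDING: FileVaultMaster.keychain is present in /Library/Keychains"
        findings=$((findings + 1))
    fi
    # sysadminctl writes its status line to stderr, so merge the streams.
    state=$(token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
    if [ "$state" != ENABLED ]; then
        echo "FINDING: secure token for $user is $state"
        findings=$((findings + 1))
    fi
    fdesetup status            # current FileVault state
    sw_vers -productVersion    # installed macOS version
    return "$findings"
}

# Run only on a Mac and only when a username is supplied.
if command -v sysadminctl >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

Save it to a file and run it with the account name as the only argument; a non-zero exit status means at least one finding was reported.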