How to fix issues with enabling FileVault on Mac
FileVault is the full-disk encryption feature built into macOS 10.3 and later, used to protect the data stored on a Mac. Hexnode UEM lets you enable FileVault on managed devices by associating a FileVault policy from the MDM console. In some cases, however, FileVault fails to turn on. This document covers the common causes of that failure and how to fix each of them.
Problems while enabling FileVault:
After the FileVault policy is associated, the device may still fail to enable FileVault for various reasons. In some cases an error message stating the reason is shown when the device restarts or at the next user login.
- “An unexpected master password keychain was found.”
Description: When FileVault is being enabled with a personal recovery key, this message sometimes appears when the user restarts or logs out of the device to complete the activation.
Solution: Remove the master password keychain file FileVaultMaster.keychain from /Library/Keychains, then restart the device.
Other issues and methods to resolve them
- The user account that enables FileVault does not hold a secure token.
Solution: Add a valid secure token to the user account.
On macOS 10.13 and later, the user (local account or mobile account) must hold a secure token before FileVault can be activated. Local accounts receive a secure token automatically when they are created, but Active Directory (mobile) accounts do not, so an Active Directory user may be unable to enable FileVault. Follow these steps to grant a secure token to the account:
- Log in to the given user account.
- Open Terminal.
- Execute the following command:
Script to add a valid secure token:

```shell
# Replace the bracketed placeholders with the real account names and passwords.
sysadminctl interactive -adminUser [admin_username] -adminPassword [adminpassword] -secureTokenOn [username_that_needs_token] -password [userspassword]
```
- Log out from the Mac. Log in once again to the given account for the command to take effect.
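The two checks above (the stray FileVaultMaster.keychain from the first issue, and the secure token requirement from this one) can be run together before the FileVault policy is pushed. The script below is an added example written for this article, not Hexnode's or Apple's code. It is read-only: it reports what it finds and prints the remediation command, using `-` for the password arguments so that `sysadminctl` prompts for them instead of taking them on the command line. It assumes the `Secure token is ENABLED/DISABLED for user ...` wording that `sysadminctl -secureTokenStatus` prints, and `<admin_username>` is a placeholder for an administrator account that already holds a secure token.

```shell
#!/bin/sh
# FileVault enablement pre-flight check (added example, not Hexnode's code).
# Read-only: reports the two conditions described in the article and prints
# the remediation; it changes nothing by itself.

# Path of the stray master password keychain named in the article.
MASTER_KEYCHAIN="/Library/Keychains/FileVaultMaster.keychain"

# Return 0 if a master password keychain exists at the given path.
# Takes the path as an argument so the check can be exercised on a temp file.
has_master_keychain() {
    [ -e "$1" ]
}

# Classify the output of `sysadminctl -secureTokenStatus <user>`, which is a
# line such as (assumed wording, written to stderr by sysadminctl):
#   sysadminctl[812:9911] Secure token is ENABLED for user Alice
# Prints ENABLED, DISABLED or UNKNOWN; returns 0 only for ENABLED.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED;  return 0 ;;
        *"Secure token is DISABLED"*) echo DISABLED; return 1 ;;
        *)                            echo UNKNOWN;  return 2 ;;
    esac
}

# Print the remediation command from the article, with '-' in place of both
# passwords so sysadminctl prompts for them (nothing lands in shell history
# or in the process list). $1 = admin account, $2 = account needing the token.
remediation_command() {
    printf 'sysadminctl -adminUser %s -adminPassword - -secureTokenOn %s -password -\n' "$1" "$2"
}

main() {
    user="${1:-$(id -un)}"          # account to check; defaults to the caller
    admin="${2:-<admin_username>}"  # placeholder: an admin that holds a token
    rc=0
    if has_master_keychain "$MASTER_KEYCHAIN"; then
        echo "FOUND: $MASTER_KEYCHAIN (remove it and restart: sudo rm \"$MASTER_KEYCHAIN\")"
        rc=1
    else
        echo "ok: no stray master password keychain"
    fi
    out=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    state=$(secure_token_state "$out") || true
    echo "secure token for $user: $state"
    if [ "$state" != ENABLED ]; then
        echo "run the following as an admin who already holds a secure token:"
        remediation_command "$admin" "$user"
        rc=1
    fi
    return $rc
}

# Only run the live checks where sysadminctl exists (i.e. on macOS); the
# functions above can still be sourced and exercised elsewhere.
if command -v sysadminctl >/dev/null 2>&1; then
    main "$@"
fi
```

Run it on the Mac as `sh preflight.sh <username> <admin_username>`; a non-zero exit means at least one of the two conditions still blocks FileVault.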
- Disk problems with the formatting or directory structure of the device's storage.
Solution: Use Disk Utility to repair the formatting information.
If FileVault still fails to enable after the policy is applied, repair the formatting information of the storage device using the Disk Utility app.
- Open the Disk Utility app on the device that faces the issue.
- Select the volume/container on the storage device.
- Click on First Aid.
- The device prompts you to confirm the repair. Click the Run button.
- First Aid checks the selected volume/container for errors and repairs any corruption it finds. Repeat the procedure for each volume/container you want to check.
- The device is outdated.
Solution: Update macOS on the device.
FileVault decryption on an already encrypted Mac
Once the FileVault policy is associated, the device's personal recovery key is automatically escrowed to the Hexnode UEM console, from where you can retrieve it. The Decrypt button under Device Summary > Device Info > Security Info > FileVault Recovery Key reveals the personal recovery key, which you can use to decrypt the macOS disk.
The recovery key cannot be retrieved from the portal, however, if:
- the device was re-enrolled as a new device after FileVault had already been enabled, or
- the device was encrypted before enrollment or before a FileVault policy was associated.
In such cases, you can either set up a new personal recovery key from the Terminal or associate a new FileVault policy with the Escrow Personal Recovery Key option checked.
Here’s how you can set up a new personal recovery key from the device’s Terminal:
- Open the Terminal on the Mac.
- Run the following command:
Script to set a new personal recovery key:

```shell
# Prompts for a FileVault-enabled user and password, then prints the new key.
sudo fdesetup changerecovery -personal
```
- A new recovery key will be displayed in Terminal.
- Open the Hexnode UEM agent app on the device.
- Click on the Sync button.
- Log in to the Hexnode portal.
- Execute the Scan Device action on the device.
- The option to decrypt the FileVault recovery key will be displayed under Security Info.
- Select the option ‘Decrypt FileVault Recovery Key’.
- Choose the method of encryption used.
- Click Decrypt.
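The Terminal part of this procedure can be wrapped so that the key is only rotated when FileVault is actually on, and the printed key is sanity-checked before you sync the agent. The script below is an added example written for this article, not Hexnode's or Apple's code. It assumes `fdesetup status` starts with `FileVault is On.` or `FileVault is Off.`, and that a personal recovery key is 24 upper-case letters and digits in six groups of four (the sample key used in the comments is constructed). `main` must run as root on the Mac; the helper functions are pure text checks.

```shell
#!/bin/sh
# Rotate the FileVault personal recovery key and sanity-check the result
# (added example, not Hexnode's code). Wraps the `fdesetup` commands used in
# the article; the live part needs sudo on the Mac itself.

# Classify `fdesetup status` output. The first line is "FileVault is On." or
# "FileVault is Off." (assumed), possibly followed by progress lines.
# Returns 0 when FileVault is on.
filevault_is_on() {
    case "$1" in
        "FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# A personal recovery key is assumed to be six groups of four characters from
# [A-Z0-9], e.g. ABCD-EFGH-JKLM-NPQR-STUV-WXYZ (constructed sample).
looks_like_recovery_key() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Pull the first well-formed key out of `fdesetup changerecovery` output,
# whatever the surrounding wording; echoes the key or nothing.
extract_recovery_key() {
    printf '%s\n' "$1" | grep -Eo '([A-Z0-9]{4}-){5}[A-Z0-9]{4}' | head -n 1
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run this with sudo" >&2
        return 1
    fi
    status=$(fdesetup status)
    if ! filevault_is_on "$status"; then
        echo "FileVault is not on; nothing to rotate: $status" >&2
        return 1
    fi
    # Prompts for a FileVault-enabled user and password. tee keeps the
    # output visible in Terminal (as the article expects) while a copy is
    # kept in memory for the check; nothing is written to disk.
    out=$(fdesetup changerecovery -personal | tee /dev/stderr)
    key=$(extract_recovery_key "$out")
    if looks_like_recovery_key "$key"; then
        echo "new key is well-formed; sync the Hexnode agent and run Scan Device so it is escrowed"
        return 0
    fi
    echo "no well-formed recovery key found in the output; check the messages above" >&2
    return 1
}

# Only run the live part where fdesetup exists (i.e. on macOS); the helper
# functions can be sourced and exercised elsewhere.
if command -v fdesetup >/dev/null 2>&1; then
    main "$@"
fi
```

Run it as `sudo sh rotate_prk.sh`; after it reports a well-formed key, continue with the Sync and Scan Device steps above so the new key reaches the portal.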
The FileVault recovery key is then displayed next to the FileVault option under Security Info for the device on the Hexnode portal. Alternatively, you can verify the recovery key information and the device’s encryption status from the Reports tab: navigate to Reports > Enrolled Devices and search for the device. The FileVault Personal Recovery Key column shows either the personal recovery key or one of the following statuses:
- Failed: the recovery key could not be fetched even though the Escrow Personal Recovery Key option is enabled on the FileVault policy associated with the device.
- N/A: either FileVault was already enabled on the device before the policy was applied, or the Escrow Personal Recovery Key option is disabled on the FileVault policy associated with the device.