Misadventures With SecureToken

FileVault, APFS and SecureToken.

January 17, 2018 - 2 minute read -

macOS High Sierra introduced SecureToken, which is now required before a user can be enabled to unlock a FileVault encrypted APFS volume. SecureToken is enabled automatically for users created via Setup Assistant or by a SecureToken enabled administrator using the Users & Groups System Preferences pane.

Active Directory mobile accounts and users created via the command line do not get SecureToken enabled automatically, but instead must be enabled after-the-fact by a SecureToken enabled administrator using the following command.

sysadminctl -adminUser <admin user name> -adminPassword <admin password> -secureTokenOn <user name> -password <password>

Naturally, this change poses a number of challenges for administrators who have highly automated deployment workflows. For example, should your only administrator account be created using a bash script, SecureToken will not be enabled and you will not have the ability to enable it for other users.

I’ve opened an AppleCare Enterprise Support case for this particular issue, but it’s not clear whether Apple Engineering will address it. For others whom feel they too will be affected by this change, I’d encourage you to reach out to Apple as well.


While this is not intended behavior, there is one exception to Active Directory mobile accounts not getting SecureToken enabled automatically.

Active Directory mobile account can get SecureToken enabled automatically, but only when used to enable FileVault and no other user account on the system has SecureToken enabled already.

Upgrading From macOS Sierra

Apple has confirmed that only existing FileVault enabled users will receive SecureToken when upgrading to macOS High Sierra. To avoid a scenario where you are unable to enable SecureToken for other users, be sure that at least one administrator account is a FileVault enabled user before proceeding.

DEP PreStage Enrollments

Beginning with 10.13.2, the additional local administrator account created during DEP PreStage Enrollments will get SecureToken, so long as it’s not hidden.