10.14.4 update fixes AD Mobile Account/FileVault password change sync

Before we get started I’m am going to talk a little bit about how macOS and Active Directory work together. I will also go into some history behind the built-in AD Connector. In the end, I will explain the current problems we are having with Active Directory Mobile Account password syncing and how Apple fixed the issue.

If your company or school uses Active Directory, you most likely use Mobile Accounts. To get Mobile Accounts to work you first have to bind the Mac to Active Directory, once bound the Mac is now trusted. You can now log in with any Active Directory user and access to Global Groups, Kerberos and Directory Contacts.

Sounds great right? It was!

Once you log in, the system caches your AD account to the local directory. If you then disconnect the Mac from the network you can still log and continue to work. When the time comes to change your AD password you could change it on a 2nd Mac, a Windows device or even a Web Portal.

How did the AD password change work?

If you changed your password on the Mac it would first check if any password requirements are set at the domain level. If you passed the requirements the password would be immediately changed in Active Directory. The password would then change at the local offline level of your Mac. If you changed your password outside the Mac (Web Portal etc..) the system would receive the password change the next time you connected the Mac to the network and logged in. You would then be promoted to Update or create a new Login Keychain.

Active Directory & FileVault 2

The AD password change system changed in 10.7 with the addition of FileVault 2. Now when you changed your password an extra step had to be performed. Once the password was changed in AD it would then change the locally cached password and then had to sync that password down to your FV2 account. When you turned on your Mac, you could then use the same password as your AD account to unlock the volume and start booting the system. The AD password sync system worked pretty well from 10.7 all the way up to 10.12 Sierra. Users would sometimes have issues here and there when the Mac dropped off the domain but usually a rebind and would save the day.

10.13, APFS and SecureToken

Apple introduced the next-generation file system called APFS (Apple File System). We first got to test it out in 10.12 Sierra in beta form. APFS was standard for all SSD drive installations on 10.13 High Sierra installs. You could still opt out with commands and spinning hard drives would still use HFS. When 10.14 arrived APFS was standard across all hard drives. The introduction of APFS brought an added undocumented security feature called SecureToken. If you wanted to enable FileVault 2 you had to have SecureToken enabled for said account. You could no longer you use the PRK (Personal Recovery Key) or even a local admin to add extra users to unlock the volume like you could with HFS. You have to grant the 2nd user a SecureToken before they could become an authorized CryptoUser. To get the token in the first place you had to be the first user logging into macOS at the SetupAssistant.

10.13 was the start of syncing issues for Mobile Accounts.

The main problem with this new system was that the SecureToken system was not tested. Mobile account users, in particular, had nothing but problems with this new system. From 10.13.0-10.13.3 AD Mobile Account password syncing to FV2 flat out did not work. During this time frame we had multiple high priority tickets in with Apple Enterprise Support. When 10.13.4 hit Apple finally fixed the issue and password syncing started to somewhat work again. I say somewhat because everyone still reported issues but at least it worked SOME of the time now. 10.13 still had problems when you changed the password off the Mac.

Enough of the history lesson, get to the 10.14 problem!

Once 10.14 hit we were hoping that the problems we had on 10.13 Mobile Accounts would fixed. Unfortunately, we were wrong, way wrong. The problem worse when 10.14.0 released. How could it be worse than 10.13 and how did miss the problem in 10.14 beta? On 10.13 as I mentioned above we had to deal with of Mobile Account syncing of FV2 passwords. The user would change the password outside the system and it would not make it down to FV2. The good thing is we actually have fix for this!

The following instructions will change or Sync the password for the CryptoUser account that belongs to the AD user. This will only work if the user KNOWS the old password since the command will prompt for the current password.

• 1. diskutil apfs list (Grab the disk label for Volume Macintosh HD usually disk1s1)
• 2. sudo fdesetup list -extended (grab the UUID of the OS USER) You can also use diskutil apfs listCryptoUsers /
• 3. diskutil apfs changePassphrase disk1s1 -user UUIDhere (add in the UUID of the OS USER from the pevious command and put it in UUIDHere.

That’s cool, but you still haven’t told us why is the situation worse in 10.14?

The local cached offline password is never changed!

The problem is the issue is undetectable UNTIL the user attempts to authenticate OFF the network. When they try the current password it will NOT work. They will then have to call the helpdesk, who then changes the AD password making the situation even worse. This is the situation for 10.14.3 and below.

• When connected to the network = Current AD Password works!
• When Disconnected from the network = ONLY previous password works.
• FV2 password = Previous Password.

Things get even more annoying is if the user actually uses the old password to authentiate the Screen Saver while offline. The system will accept the password but then immediately prompt the user to unlock the Login Keychain. This is due to the keychain being set to the current AD password. You would be in a never-ending keychain password cycle.

Do you have a fix for the offline sync issue?

The good news is we do, as long as you have a SecureToken enabled Admin user. All you need to do is turn off SecureToken and then turn it back on. Something in this system will then sync the offline cached password. Shout out to @annemacro on MacAdmins Slack for figuring this out!

• sudo sysadminctl -secureTokenOff useraccount -password – -adminUser adminuseraccount -adminPassword –
• sudo sysadminctl -secureTokenOn useraccount -password – -adminUser adminuseraccount -adminPassword –

Now that 10.14.4 is out the password sync mechanism now working. As long as you update systems to 10.14.4 before users change their AD password they will not have this issue going forward. I have not had the chance to actually test the 10.14.4 update on a system that is already out of sync. The good news is that even if it doesn’t fix the issue when it is already happening you now have the tools to fix it yourself. The next time the user changes their password they will not experience the issue.

Why did this take so long to fix?

The answer to this question is pretty simple. Everyone missed the bug from beta 1 all the way through into 10.14.0. I performed hours and hours of testing in beta. I was so concerned about that the FV2 password did not sync that I did not even think to test the offline password. Even worse, neither did anyone else including Apple. It was not until around 10.14.2 when I had an enterprise ticket in with Apple and finally got a response.

“This bug will not be fixed until the next release of macOS”

When I read the reply to this support ticket I was in complete shock. Are you going to tell me that we are going to flat out have a NON FUNCTIONING MOBILE ACCOUNT SYSTEM FOR THE ENTIRE 10.14 RELEASE? I could not believe it. The Apple Enterprise Support Engineer I was working with also agreed and he was fantastic to work with and helped work through the issue with me. At this point what else would a #MacAdmin do but RANT in MacAdmins Slack!!! The best way to do this is to document and explain the issue to others. You can then rally other MacAdmins to file Enterprise tickets or Radars. This will draw attention to the issue and generate heat inside Apple Enterprise Support. In the end that’s exactly what happened. We were not the only company that Used Mobile accounts. Those same companies let Apple know that we needed a fix ASAP. Apple realized this was important and fixed this issue for us in 10.14.4. (Thank you Apple!)

Where does that leave Mobile Accounts?

Before 10.13 Mobile Accounts worked very well. We had thousands of Macs connected to AD utilizing Mobile accounts and did not have any issues. Once 10.13 hit things started to go downhill. The problem is, it seems like Apple is not spending enough time on Mobile Accounts. The MacAdmins community has started to realize this and starting at the end of 2017 and into 2018. This began what I call “The great Mobile Account exodus to Local Accounts”. NoMAD and Enterprise Connect make using local accounts while still having the ability to use AD resources easy. Mobile Accounts still serves it’s purpose but it seems the writing is on the wall.

Thanks

If you stuck around to read the entire article I really do appreciate it. If you are at WWDC 2019 or JNUC 2019 I will buy you a beer or non-alcoholic beverage. Just mention coupon code #ISURVIVEDMOBILEACCOUNS.

I hope to write many more articles like this in the future. Over the past 15 years MacAdmins have helped me get to where I am today. I hope I can give back to the community and help the next generation of MacAdmins rise through the ranks! Drop me a note at com gmail mrmacintoshblog