Mojave 10.14.4+ will now sync your AD password to FileVault if forgotten

If you use Active Directory Mobile Accounts with FileVault, password sync problems will be very familiar to you. I have good news: macOS Mojave 10.14.4-10.14.6 can now sync AD Mobile Account password changes to FileVault when you don’t know the AD password. Apple added this new feature to macOS 10.14.4 for Mobile Accounts. In previous releases, you needed the old password to sync the password down to FileVault. Local accounts have had this ability for years. Rich Trouton put together a great article on Resetting and Syncing FV2 Local account passwords. He mentions the methods are only for Local Accounts, NOT Mobile Accounts.

You forgot your AD password on 10.13.0-10.14.3

Users who fall into this situation are in a pinch and options to get the system to sync the new password to FileVault are limited. You could boot the system up using the PRK (Personal Recovery Key) and then have the Help Desk reset the AD password. This would get you into the system but your FV2 password would never sync. You will be forced to continue to unlock the Mac with the PRK (Personal Recovery Key), then login with the new AD password.

The only way to fix this was to have a SecureToken Admin on the system.

Do you have an admin support account that is FileVault/SecureToken enabled? Listed below are two methods to fix out-of-sync passwords.

1. fdesetup remove / re-add user

sudo fdesetup remove -user userwhoforgotpass

Then re-add the user by running the command below. fdesetup prompts for the name and password of an existing FileVault-enabled user (your local admin account) and then for the password of the user being added.

sudo fdesetup add -usertoadd userwhoforgotpass

This removes the user from the enabled FileVault user list and then adds them back. The sync happens when you are prompted for the new password while re-enabling the account for FileVault unlock.

2. sysadminctl -secureTokenOff/On

You can also use sysadminctl. Start by turning off SecureToken and then turn it back on.

sysadminctl -secureTokenOff userwhoforgotpass -password - -adminUser localadmin -adminPassword -

Now turn SecureToken back on.

sysadminctl -secureTokenOn userwhoforgotpass -password - -adminUser localadmin -adminPassword -

The process of turning off SecureToken and then turning it back on will sync the password. Also note that you don’t have to run sysadminctl with sudo.

Problem is, some companies don’t want a FileVault enabled admin account on the system.

NOTE: diskutil apfs updatePreboot / – Does NOT sync the password!

Running diskutil apfs updatePreboot / does NOT sync the password from the OS to FileVault. If this worked in the past, it was only a coincidence. If you changed your AD password outside the Mac, password syncing to FileVault would sometimes take 2-3 restarts. This command was only really needed when you added a new FileVault user to the system: running it added the new user to the FileVault pre-boot window. You only had to run this command in 10.13. That was actually a bug and was fixed in 10.14. The new account now automatically shows up at the FV2 pre-boot window after creation.

Enter the 10.14.4 update.

I can’t file this under my previous article 3 undocumented macOS Mojave 10.14.4 Enterprise fixes. This fix was actually documented in the Enterprise Content article for 10.14.4. The problem is the wording is a little confusing, but does kind of make sense.

Reading the third line, it does seem to match our situation. If you forgot your AD password, you would have to continually unlock the Mac with the PRK. You would be forced to do this each time you turned on your Mac or restarted. Notice the wording, it does not say “Fixes”.

How to reset your AD mobile account password and have it sync to FileVault, when you don’t know the previous password.

You need to meet all of the following prerequisites.

  1. macOS Mojave 10.14.4 or newer.
  2. Active connection to Active Directory.
  3. Access to the PRK (Personal Recovery Key).
  4. You can change your password outside the Mac (a second Mac, Windows PC, or web portal), or the Help Desk can reset it and issue you a temporary password which you then use to set a new password at the login window.
  5. FileVault Automatic Login enabled.
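As an added example that is not part of the original article, the shell diagnostic below applies the prerequisites above and the fdesetup/sysadminctl section to decide which recovery path fits a given user: it checks the macOS version, whether the account is an AD mobile account (the ;LocalCachedUser; tag in its AuthenticationAuthority), and whether the user appears in fdesetup list. The function names and the sample command output are constructed for this example; only main() calls the real macOS tools.

```shell
#!/bin/bash
# Added diagnostic, not from the original post. Helpers take command output
# as arguments so they run (and can be tested) off a Mac; main() calls the
# real tools only on macOS. All names here are this example's own.
# Constructed sample output (not captured from a real Mac):
SAMPLE_FDE_LIST='localadmin,9F1E2B3C-0000-4000-8000-000000000001
jdoe,9F1E2B3C-0000-4000-8000-000000000002'
SAMPLE_AD_AUTH='AuthenticationAuthority: ;LocalCachedUser;/Active Directory/CORP/corp.example:jdoe:0A0B0C0D-0000-4000-8000-00000000000A'
SAMPLE_LOCAL_AUTH='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;localadmin@LKDC:SHA1.0;LKDC:SHA1.0'

# version_ge A B: succeed when A >= B, comparing each dotted field numerically
version_ge() {
  last=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
  [ "$last" = "$1" ]
}
# AD mobile accounts carry the ;LocalCachedUser; tag in AuthenticationAuthority
is_mobile_account() {
  case "$1" in *';LocalCachedUser;'*) return 0 ;; *) return 1 ;; esac
}
# fdesetup list prints one "user,UUID" line per FileVault-enabled user
fv_user_enabled() {
  printf '%s\n' "$2" | cut -d, -f1 | grep -qxF -- "$1"
}
# sync_path VERSION AUTH_AUTHORITY USER FDESETUP_LIST: prints the applicable path
sync_path() {
  if ! fv_user_enabled "$3" "$4"; then
    echo "not FileVault-enabled: add with fdesetup add or sysadminctl -secureTokenOn"
  elif ! is_mobile_account "$2"; then
    if [ "$1" = 10.14.4 ]; then   # PRK reset window bug in 10.14.4, fixed in 10.14.5
      echo "local account on 10.14.4: PRK reset window fails, use resetpassword in Recovery"
    else
      echo "local account: boot with PRK and use the Reset Password window"
    fi
  elif version_ge "$1" "10.14.4"; then
    echo "mobile account on 10.14.4+: PRK boot, change AD password, restart, PRK boot again"
  else
    echo "mobile account before 10.14.4: SecureToken admin must remove/re-add the user"
  fi
}
# Runs the real tools only on macOS; fdesetup list needs root.
main() {
  u=${1:-$(id -un)}
  sync_path "$(sw_vers -productVersion)" \
    "$(dscl . -read "/Users/$u" AuthenticationAuthority 2>/dev/null)" \
    "$u" "$(fdesetup list 2>/dev/null)"
}
if [ "$(uname -s)" = Darwin ]; then main "$@"; fi
```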

Step 1. Boot Mac with the Personal Recovery Key.

Since you don’t know the previous password you can’t even get past the FileVault unlock screen. You will need access to the PRK. Click the user who needs their password reset. In the password line you will now see a ? button. Click on it and you can type in the Personal Recovery Key. Here is a neat trick to get the Mac’s serial number: click the ? a second time.

Pretty neat trick so users can tell the Help Desk the Mac’s serial number (key escrow or MDM required).

After booting the system with the Personal Recovery Key the process will stop at the login window. On 10.13.0-10.14.3 systems you are prompted to reset the password at the login window.

Mobile Account Password reset pop-up for 10.13.0-10.14.3 systems after booting with the PRK.

This feature is for Local Accounts only. To change your AD Mobile Account password from the Mac you must give Active Directory the OLD password. You can only do this with System Preferences > Users & Groups > “Change Password” or dscl. As you can see above, the interface does not have a box for the old password.

10.14.4 will now show a new pop up for Mobile Accounts after booting with the PRK.

This is the new 10.14.4 Mobile Account password reset message, but you still can’t reset the AD password here.

The Mac now realizes that you are trying to reset a Mobile Account password. You will no longer see the Reset Password pop-up. This is because AD requires that you enter the OLD password. Since you don’t know it, you will not be able to reset your password, which is why macOS no longer shows the password reset window for mobile accounts. If you use the PRK from a Local Account you will get a password reset window with password fields, as you would normally expect.

Step 2. Reset the AD Password.

As noted above, for this to work you can reset your AD password in one of two ways.

  1. Call the Help Desk and have them reset the password and then issue you a temporary password.
  2. Reset the password on a 2nd Mac, Windows PC, Web Portal etc.

Either way works with the password change system.

If you called the Help Desk and had them reset your AD password, they can now give you a temporary password. Your account will be flagged “Password must be changed on next login”. Enter your username and then type in the temporary password. Hit enter and you will get a new pop-up window.

Enter in your new password. Click Reset Password when ready. You will be greeted with the login keychain message. You will receive this message anytime you change the password outside the Mac. Click “Create New Keychain” and the Mac will continue to login.

Step 3. Restart to complete the FileVault sync.

You will need to restart at least one more time to complete the sync process.

On this next restart you will need to enter in the PRK ONE MORE TIME.

NOTE: I am still trying to figure out if having to use the PRK twice is a bug or not. I think it is because you don’t have to do this extra step with local accounts.

After you perform one last PRK boot, enter in the username and new password and you will be at the desktop once again. The process is now complete, you can restart to confirm. Use your new AD password to unlock the volume and the system will now auto boot you to the desktop.

Conclusion

This is my 3rd article on password fixes/improvements/problems in 10.14.4.

macOS Mojave 10.14.4 update fixes AD Mobile Account/FileVault password change sync issue.

10.14.4 Update breaks local account password reset when using FileVault Recovery Key

MacAdmins who use Active Directory Mobile Accounts want a working password change system that functions seamlessly with FileVault. Now that we have a working native AD Plugin, will this stop the mass exodus to Local Accounts? Only time will tell.

10.14.4 Update breaks local account password reset when using FileVault Recovery Key


UPDATE: 05/16/19 – 10.14.5 Update fixes this issue

The macOS 10.14.5 update fixes this issue.

As noted above this issue is now fixed in macOS 10.14.5. You can read on if you are interested in how this all went down.

I have been testing the new password fixes/changes in macOS Mojave 10.14.4. You can see the changes in the “What’s new in the updates for macOS Mojave” support document. What I found was, the 10.14.4 Update breaks local account password reset when using the FileVault Recovery Key.

Enterprise Content section from the what’s new in 10.14.4 update document.

I wrote about how the 10.14.4 update fixes Mobile Account password syncing issues in 10.14.0-10.14.3. This was a huge win for Active Directory users. We finally have a functioning password change system in place. I found this problem while testing these new fixes. Instructions for this procedure are listed in this Apple Support Document.

Let’s confirm this on 10.14.3 and 10.14.4

I set up a fresh 10.14.4 (18E226) system, created a local account and then enabled FileVault. I then performed the following test.

  1. Boot the system and select the user.
  2. Click the ? button to enter the recovery key.
  3. The system now boots to the login window.
  4. You see the password reset window with your username already filled in.
  5. Type in a brand new password and then hit “Reset Password”.
  6. The window thinks for a second, then shakes you off.
  7. The password is not changed.

Reset password window after entering in the recovery key.

Performing the same test on 10.14.3 (18D109) worked as designed. After clicking “Reset Password” the system accepts the new password then logs you in.

Workaround: resetpassword in Recovery

The good thing is, the resetpassword application in the Recovery partition still works.

Trusty ole resetpassword still works.

1st way to reset your password: boot to Recovery

Boot your Mac holding Command-R to start it in the Recovery partition. Once in, click Utilities from the menu bar and select Terminal. Then type resetpassword and follow the instructions.

Note: If you have a T2 Mac, this option requires that you have a SecureToken Admin on the system to access the Terminal.app.

2nd way to reset your password: the FV2 screen

You can trigger the 2nd way at the FV2 login window.

  1. Wait up to a minute at the login screen, until you see a message saying that you can use the power button on your Mac to shut down and start up again in Recovery OS. If you don’t see this message, FileVault isn’t on.
  2. Press and hold the power button until your Mac turns off.
  3. Press the power button again to turn on your Mac.
  4. When the Reset Password window appears, follow the onscreen instructions to create a new password.

If you would like to follow Apple’s instructions on how to reset local account passwords you can visit this Apple Support Article.

“Radar or it didn’t happen”

This was a really great quote from Jason Broccardo @zoocoup. Filing bugs and tickets is a really important task for MacAdmins. Apple rates issues by the number of reports/tickets they get for each issue. If this feature is important to you please do the following.

File this issue as a bug at bugreport.apple.com.

Then open an Open Radar at openradar.appspot.com. This will help with tracking and you can let others know about the issue. (This site is not affiliated with Apple Inc.)

File an Apple Care Enterprise ticket if you have an account. https://www.apple.com/support/enterprise/

You can also dupe the radar that I submitted. https://openradar.appspot.com/50005199
