Users created via cli tools do not receive SecureToken

Originator:chilcote
Number:rdar://34874069 Date Originated:07-Oct-2017 06:20 PM
Status:Open Resolved:
Product:macOS + SDK Product Version:macOS 10.3 (17A405)
Classification:Security Reproducible:Always
 
Summary:
When automating the creation of an account, either via sysadminctl or createmobileaccount, the resulting account does not contain a SecureToken and therefore cannot enable FileVault. 

Steps to Reproduce:
1. Log in as a user that has a SecureToken (i.e. the uid 501 user created during Setup Assistant)

2. Optional, but instructive: Bind the Mac to an Active Directory domain via System Preferences > Users > Login Options

3. Create a user via one of these methods (whether bound or not):
  a. sudo sysadminctl -addUser createdviacli -password foo -admin
  b. sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n <domainusername>
  c. Simply log out and log in with a domain account, which caches the account.

4. Log in as the newly created user and attempt to enable FileVault.

Expected Results:
$ sudo sysadminctl -secureTokenStatus createdviacli
2017-10-07 17:51:56.505 sysadminctl[674:9389] Secure token is ENABLED for user createdviacli

bash-3.2$ sudo fdesetup enable
Password:
Enter the user name:createdviacli
Enter the password for user 'createdviacli':
Recovery key = 'recovery key displayed here'

Actual Results:
$ sudo sysadminctl -secureTokenStatus createdviacli
2017-10-07 17:51:56.505 sysadminctl[672:9236] Secure token is DISABLED for user createdviacli

bash-3.2$ sudo fdesetup enable
Password:
Enter the user name:createdviacli
Enter the password for user 'createdviacli':
Error: A problem occurred while trying to enable FileVault. (-69594)

Version:
macOS 10.3 (17A405)

Notes:
For IT shops that deploy Macs in a managed environment and either script the creation of the user or bind those Macs to Active Directory, this removes the ability to automate FileVault enablement for that user.

Before you suggest a workaround to run `sysadminctl -adminUser <admin user> -adminPassword <plaintext password> -secureTokenOn createdviacli -password -`, please note that this is not a solution that will be taken seriously. No self-respecting admin would ever pass a plaintext password in that manner.

Enabling FileVault via System Preferences also fails for users without SecureToken (e.g. any user created via cli). See attached screenshot.
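A pre-flight check for deployment scripts, added here as an example and not part of this radar: it classifies the status line that `sysadminctl -secureTokenStatus` prints (to stderr) and refuses to call `fdesetup enable` for an account without a SecureToken, so automation fails with a clear message instead of error -69594. The function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the radar). Guard FileVault automation with a
# SecureToken check, using the exact status wording sysadminctl emits.

# Classify one sysadminctl status line: prints ENABLED, DISABLED or UNKNOWN.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                     echo UNKNOWN ;;
    esac
}

# Query a real account on macOS. sysadminctl writes its status to stderr,
# so it is merged into the pipeline. Exit status: 0 = token present,
# 1 = token missing, 2 = could not determine (e.g. unknown user).
user_has_secure_token() {
    line=$(sysadminctl -secureTokenStatus "$1" 2>&1 | grep 'Secure token is')
    case "$(secure_token_state "$line")" in
        ENABLED)  return 0 ;;
        DISABLED) return 1 ;;
        *)        return 2 ;;
    esac
}

# Only attempt enablement when the check passes; fdesetup needs root and
# will still prompt for the account password as shown in the radar.
enable_filevault_if_possible() {
    user="$1"
    if user_has_secure_token "$user"; then
        fdesetup enable -user "$user"
    else
        echo "refusing: $user has no SecureToken; fdesetup would fail with -69594" >&2
        return 1
    fi
}

# Usage: sudo ./check.sh <username>
if [ $# -gt 0 ]; then
    enable_filevault_if_possible "$1"
fi
```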
