
FileVault Instructions

All CLASSE-managed Macs
  • Are also largely CIT-managed, so often end up with FileVault enabled; if FileVault is not needed (e.g., on "research" computers), turn it off.
  • Have configuration profile CLASSE-FileVault installed, which escrows personal keys on https://itcornell.jamfcloud.com when FileVault is enabled

Enable/Disable FileVault - Admin privileges required
  • From the Apple menu, choose System Settings...
  • Select Privacy & Security from the left-hand pane
  • Scroll down to FileVault and click the Turn On... (or Turn Off...) button
  • Supply the requested admin credentials
  • If there’s an Enable Users button:
    • You must enter a user’s login password before they can unlock the encrypted disk.
    • Click Enable Users, select a user, have the user enter the login password, click OK, then click Continue.
  • Close the System Settings window.

macOS has three separate user-access screens
  1. Login Window - logs in and starts a new user session
    The login window is the screen you see after the system has finished the startup process that prepares the computer for use.
  2. FileVault Unlock Screen - decrypts the system volume at startup
    A FileVault-enabled Mac starts up from a hidden pre-boot volume (aka the Secure Enclave), which shows an unlock window that looks like the login window, with icons for the enabled users.
    A FileVault-enabled user supplies their credentials to decrypt the encrypted system volume.
    If the Secure Enclave password is in sync, the system proceeds to login.
  3. Lock Screen - unlock an existing user session
For more details, see https://support.kandji.io/kb/user-experience-with-macos-login-screens & https://help.swif.ai/en/articles/10536153-filevault-s-effect-on-the-macos-login-window
macOS stores passwords in three places
  1. CLASSE account passwords are stored in our classe.cornell.edu Active Directory (AD) domain
  2. A CLASSE user's password is also locally cached at their initial login
  3. When FileVault is enabled, the local password gets stored in the Secure Enclave
    (see also https://www.corbado.com/glossary/secure-enclave)
  4. If the three passwords are not identical, see FileVault-enabled Mac Password Synchronization below

FileVault-enabled Mac bootup sequence
  1. At powerup, FileVault-enabled Macs boot into the FileVault partition, not macOS - the FileVault Unlock Screen is displayed
  2. User-entered credentials are compared with credentials in the Secure Enclave
    On a match, the boot drive is decrypted, and booting into macOS proceeds
  3. When the Mac is booted, the Login Window is displayed

FileVault-enabled Mac Password Synchronization
Method 1: Change password while logged in
This is the standard procedure and is most effective when the user knows their current password and has a synced account. Changing the password while logged into the macOS user session will automatically sync the new password with FileVault.
  1. Log into the Mac using your current AD credentials.
  2. Click the Apple menu and select System Settings (or System Preferences on older macOS).
  3. Go to Users & Groups.
  4. Click the Change Password button. You may first need to click the padlock and enter your credentials to unlock the settings.
  5. Enter your old password, then your new password, and re-enter the new password to confirm.
  6. Click Change Password to finalize.
  7. Restart your Mac to confirm that the new password works at the FileVault pre-boot login screen. 

Method 2: Change password after it's out of sync
If the password was changed on a different device or by an administrator, the FileVault and AD passwords can become out of sync. In this case, you will use your old password at the FileVault login screen and your new password once macOS has loaded.
  1. Unlock the disk using your old password: At the FileVault login screen after a reboot, enter your old password.
  2. Wait for the desktop: A progress bar will appear, and the standard macOS login screen will load.
  3. Log in to macOS with your new password: At the macOS login screen, enter your new password.
  4. Lock and unlock the Mac: Immediately lock the Mac (Apple menu > Lock Screen) and then unlock it again using the new password. This often triggers a synchronization.
  5. Restart and test: Restart your Mac once more. You should now only need to use the new password at the FileVault pre-boot login screen. 

Method 3: When the password change fails to sync
In rare cases, an out-of-sync password may require a manual fix using the Terminal. You will need administrator access for this method.
  1. Open a privileged Terminal from /Applications/Utilities.
  2. Make sure a secure token is enabled for the user in question:
    1. Issue the command: sysadminctl -secureTokenStatus username
    2. It should return something like sysadminctl[78357:5379896] Secure token is ENABLED for user username
  3. No secure token? Issue the command: sysadminctl -secureTokenOn username -password password
    The end user will need to enter their credentials.
  4. Get the target user's UUID
    1. Run the command that lists FileVault-enabled users with their UUIDs: sudo fdesetup list | grep username (replace username with the affected user's short username)
    2. The command will return USER,<UUID> - copy the UUID (will look like 27E97FDA-252E-1D28-97E2-E11278DB2D21) returned by the command.
  5. Get the volume identifier for the encrypted disk:
    1. Issue the command: diskutil list | grep Data
    2. It should return something like 5: APFS Volume Data 306.4 GB IDENTIFIER (copy the IDENTIFIER - will look like disk3s5)
  6. Enter the UUID and the IDENTIFIER into the command: sudo diskutil apfs changePassphrase IDENTIFIER -user UUID
  7. The end user will be prompted for the old password, then prompted twice for the new password. This will resync FileVault with the AD password.
  8. Reboot to make sure that the end user doesn't have to enter 2 passwords to get logged in.
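The Method 3 lookups scripted as an added example (not CLASSE's own tooling): it checks the secure token, pulls the user UUID from fdesetup list and the Data volume identifier from diskutil list, and hands them to diskutil apfs changePassphrase. The sample outputs are constructed and the username jdoe is assumed.

```shell
#!/bin/sh
# Added example (not CLASSE's own script): the Method 3 lookups as functions,
# exercised on constructed sample output; the real commands run only on macOS,
# as root, with a username argument. diskutil still prompts for the old and
# new passphrases, so no password is taken on the command line or stored.

# Succeed if `sysadminctl -secureTokenStatus` output says ENABLED.
has_secure_token() {  # $1 = sysadminctl output (it writes to stderr)
  printf '%s\n' "$1" | grep -q 'Secure token is ENABLED for user'
}

# Print the UUID for a short username from `fdesetup list` (USER,UUID lines).
fv_user_uuid() {  # $1 = fdesetup output, $2 = short username
  printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { print $2; exit }'
}

# Print the identifier (last field, e.g. disk3s5) of the APFS volume whose
# name ends in "Data" in `diskutil list` output.
data_volume_id() {  # $1 = diskutil output
  printf '%s\n' "$1" | awk '/APFS Volume .*Data +[0-9]/ { print $NF; exit }'
}

# Assemble the step 6 command line so the admin can review it before it runs.
changepassphrase_cmd() {  # $1 = volume identifier, $2 = user UUID
  printf 'diskutil apfs changePassphrase %s -user %s\n' "$1" "$2"
}

# Constructed sample output, shaped like the examples in the instructions.
SAMPLE_TOKEN='sysadminctl[78357:5379896] Secure token is ENABLED for user jdoe'
SAMPLE_FDE='admin,0A1B2C3D-1111-2222-3333-444455556666
jdoe,27E97FDA-252E-1D28-97E2-E11278DB2D21'
SAMPLE_DISK='   4:                APFS Volume Macintosh HD    10.2 GB    disk3s1
   5:                APFS Volume Data            306.4 GB   disk3s5'

# Dry run against the samples: prints the command the real run would use.
changepassphrase_cmd "$(data_volume_id "$SAMPLE_DISK")" \
                     "$(fv_user_uuid "$SAMPLE_FDE" jdoe)"

# Real run; stops if the user lacks a secure token (fix that first, step 3).
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ] && [ -n "$1" ]; then
  has_secure_token "$(sysadminctl -secureTokenStatus "$1" 2>&1)" ||
    { echo "$1 has no secure token; enable it first (step 3)" >&2; exit 1; }
  uuid=$(fv_user_uuid "$(fdesetup list)" "$1")
  vol=$(data_volume_id "$(diskutil list)")
  [ -n "$uuid" ] && [ -n "$vol" ] || { echo "lookup failed for $1" >&2; exit 1; }
  changepassphrase_cmd "$vol" "$uuid"
  diskutil apfs changePassphrase "$vol" -user "$uuid"
fi
```

Run it as root with the short username as the only argument; the step 3 secureTokenOn command is left to the admin because it needs the user's password, and arguments on the command line are visible in process listings and shell history.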

Deprecated Instructions

Topic revision: r14 - 14 Oct 2025, MichaelRoman