1765


With this improvement, each new AD user who logs into a device running macOS 10.13.4 for the first time is shown a dialog panel prompting them to "Enter a SecureToken administrator's name and password to allow this mobile account to log in at startup time". The user must type in a local admin username and password and then press Continue.

After logging into the system, the user must open a Terminal window and run the command:
sysadminctl -secureTokenStatus <ADUserName>
where <ADUserName> is the AD user's account name.

The user should press Enter, after which the command prints (on stderr, prefixed with a timestamp and process ID):
"Secure token is ENABLED for user <ADUserName>"

Either way, the user must know at least one local admin credential: the optional step below only defers the prompt, and enabling the token afterwards requires the same credential.

Optionally, at the prompt above, instead of providing an admin credential and pressing Continue, the user can press Bypass, which leaves the token in the Disabled state.

To Enable a Disabled Token
After logging into the system, the user must open a Terminal window and run the command:
sysadminctl -secureTokenStatus <ADUserName>
(where <ADUserName> is the AD user's account name)

and press Enter. For an account whose prompt was bypassed, the command prints:
"Secure token is DISABLED for user <ADUserName>"

The user can then enable the secure token with the following command:
sudo sysadminctl -adminUser <AdminUserName> -adminPassword <AdminUserPassword> -secureTokenOn <ADUserName> -password <ADUserPassword>

where <AdminUserName> is the name of a local administrator that already holds a SecureToken, <AdminUserPassword> is that admin's password, <ADUserName> is the AD user's account name and <ADUserPassword> is that user's password. An administrator account without a SecureToken cannot grant one, so the command fails if <AdminUserName> was itself bypassed. Note also that passwords typed on the command line are stored in the shell history and visible to other local processes while the command runs; sysadminctl accepts "-" in place of a password to prompt for it interactively, which avoids this.

After that, the user should check secureTokenStatus again, as at the start of this section. It should now print:
"Secure token is ENABLED for user <ADUserName>"
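The following shell script is an added example and not part of the original article: it wraps the status-check and enable steps above so they can be run repeatedly or from a management script. It assumes macOS 10.13.4 or later with sysadminctl on PATH, relies on sysadminctl printing its status line to stderr, uses the "-" interactive-password form described in sysadminctl's usage text, and checks that the granting admin actually holds a SecureToken before attempting the grant. The status lines it parses in the test are constructed samples; the user names alice and bob are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes sysadminctl from
# macOS 10.13.4+; only the parser is exercised on the constructed samples below.

# Constructed sample output in the shape sysadminctl -secureTokenStatus prints
# (timestamp and pid prefix, then the status sentence). Not captured from a real host.
SAMPLE_ENABLED='2018-04-10 10:21:25.013 sysadminctl[3490:78122] Secure token is ENABLED for user alice'
SAMPLE_DISABLED='2018-04-10 10:22:01.442 sysadminctl[3502:78201] Secure token is DISABLED for user bob'

# Map one sysadminctl status line to ENABLED / DISABLED / UNKNOWN.
# Anything else (unknown user, usage error) is reported as UNKNOWN rather than
# being treated as "disabled", so a typo in the user name cannot trigger a grant.
parse_token_state() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                     echo UNKNOWN ;;
    esac
}

# Live query. sysadminctl writes the status line to stderr, hence 2>&1.
secure_token_state() {
    parse_token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Grant a SecureToken to $1 using admin account $2 if it is currently disabled.
# Both passwords are requested interactively ("-") so they do not land in the
# shell history or in `ps` output. Returns 0 only if the token ends up ENABLED.
ensure_secure_token() {
    user="$1"; admin="$2"

    # An admin without a SecureToken cannot grant one; fail early and clearly.
    if [ "$(secure_token_state "$admin")" != ENABLED ]; then
        echo "admin account '$admin' has no SecureToken and cannot grant one" >&2
        return 1
    fi

    state="$(secure_token_state "$user")"
    case "$state" in
        ENABLED)
            ;;
        DISABLED)
            sudo sysadminctl -adminUser "$admin" -adminPassword - \
                -secureTokenOn "$user" -password -
            state="$(secure_token_state "$user")"
            ;;
        *)
            echo "could not determine SecureToken state for '$user'" >&2
            return 1
            ;;
    esac

    echo "$state"
    [ "$state" = ENABLED ]
}

# Usage on a real host (not run here):
#   ensure_secure_token aduser localadmin
```

The UNKNOWN branch matters in practice: if the account name is mistyped, sysadminctl prints an error rather than a DISABLED line, and a script that treated "not ENABLED" as "DISABLED" would prompt for two passwords and then fail on the grant.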

For an existing AD user whose secure token was DISABLED under High Sierra macOS 10.13.3 or earlier, the status remains DISABLED after upgrading to macOS 10.13.4, and no system prompt appears after the upgrade.
Such AD users must go through the steps under "To Enable a Disabled Token" in order to enable their secure token.

So, as long as AD users have their secure token enabled, they can enable FileVault 2 under macOS High Sierra successfully.

Otherwise, if the secure token remains Disabled, enabling FileVault 2 will fail.
A message notifying the user of this will appear, and the user must go through the steps in the section above labeled "To Enable a Disabled Token".