1766


Previous versions of SecureDoc did not allow AD users to enable FileVault 2 under macOS High Sierra 10.13, 10.13.1, 10.13.2 and 10.13.3, which had been a limitation. Configuring a workstation to use a network or mobile account is beneficial in environments where administrators wish to manage authentication from a central server, use single sign-on, or improve security by enforcing a password expiration policy.

Starting with macOS 10.13.4, Apple made improvements that allow SecureDoc to support enabling FV2 for AD users. This works only on macOS 10.13.4 and later.

In order to make this work, certain preconditions must be met:

1.  When a new AD user logs in for the first time on a macOS 10.13.4 (or later) device, a dialog box appears, prompting: "Enter a SecureToken administrator's name and password to allow this mobile account to log in at startup time".
The user must type in a local admin username and password and press Continue. The local admin account supplied must itself hold a secure token; only a token holder can grant one.

2.  After the user logs into the system, the user should open a Terminal session and type the command:
sysadminctl -secureTokenStatus ADUserName
and press Enter. It should return: “Secure token is ENABLED for user <ADUserName>”

3.  (Optional) This step applies if, at step 1, the user pressed Bypass instead of providing an admin credential and pressing Continue. To complete it, the device user must know the credentials of at least one local admin account that holds a secure token.
After logging into the system, the user can open a Terminal session and type the following command:
sysadminctl -secureTokenStatus ADUserName
and then press Enter. It returns: “Secure token is DISABLED for user <ADUserName>”
The user can then run the following command to enable the secure token:
sudo sysadminctl -adminUser AdminUserName -adminPassword AdminUserPassword -secureTokenOn ADUserName -password ADUserPassword

For example, given the following values: AdminUserName: test, AdminUserPassword: 1, ADUserName: ad, ADUserPassword: 11
the command would look like this:
sudo sysadminctl -adminUser test -adminPassword 1 -secureTokenOn ad -password 11
Note that passwords typed on the command line are kept in the shell history and are visible to other processes in the argument list; sysadminctl accepts a single dash in place of either password and prompts for it instead.

After executing the above command, the user can check the secure token status again with the command from step 2; it should now return: Secure token is ENABLED for user ad

4.  For an existing AD user whose secure token was DISABLED on High Sierra 10.13.3 or earlier, the secure token status remains DISABLED after upgrading macOS to 10.13.4, and there is no system prompt after the upgrade.
NOTE: In this scenario, AD users must perform step 3 above to ENABLE the secure token.
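The check-then-enable flow of steps 2 to 4, written up as an added shell script; it is not SecureDoc's own tooling and not part of this article. It assumes macOS 10.13.4 or later with Apple's sysadminctl available, a local admin account (named on the command line) that already holds a secure token, and that it is run from the AD user's own login session. The status lines used to exercise the parser are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not SecureDoc's own tooling: check an AD mobile account's
# secure token and enable it via a token-holding local admin if it is off.
# Assumes macOS 10.13.4+ (sysadminctl present) and a local admin that
# already holds a secure token.

# Classify the status line printed by `sysadminctl -secureTokenStatus <user>`.
# Prints ENABLED, DISABLED or UNKNOWN so callers can branch on it.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                     echo UNKNOWN ;;
    esac
}

# Query the live system. sysadminctl reports on stderr, so merge both streams.
secure_token_status() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Grant the token. Both passwords are passed as '-' so sysadminctl prompts for
# them; putting them on the command line (as in the article's example) leaves
# them in the shell history and in the argument list visible to `ps`.
enable_secure_token() {
    ad_user="$1"
    admin_user="$2"
    sudo sysadminctl -adminUser "$admin_user" -adminPassword - \
        -secureTokenOn "$ad_user" -password -
}

# Steps 2, 3 and 4 as one flow: return 0 only if the token ends up ENABLED.
ensure_secure_token() {
    ad_user="$1"
    admin_user="$2"
    status="$(secure_token_status "$ad_user")"
    if [ "$status" = "ENABLED" ]; then
        echo "Secure token already enabled for $ad_user"
        return 0
    fi
    echo "Secure token is $status for $ad_user; enabling via admin '$admin_user'"
    enable_secure_token "$ad_user" "$admin_user" || return 1
    [ "$(secure_token_status "$ad_user")" = "ENABLED" ]
}

# Touch the live system only where sysadminctl exists and both names were given:
#   sh ensure_securetoken.sh ad test
if command -v sysadminctl >/dev/null 2>&1 && [ "$#" -ge 2 ]; then
    ensure_secure_token "$1" "$2"
fi
```

The sudo prompt is for the session's own account, so that account must be allowed to use sudo; the two sysadminctl prompts that follow ask for the admin password and the AD user's password respectively. The final status check guards against the case in step 4, where a silent failure would otherwise leave the token DISABLED.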