Hi all,

Version 2 Published! See bottom of post for list of added features!

WARNING: Running this script (with sudo) on a macOS Catalina system which really has no Secure Token holder, will result in giving the admin account executing the script a SecureToken. This is very important to take into consideration when reviewing the output file. If you are not sure, run a ‘diskutil afps list users’ before running this script to check the Secure Token status. Only then you can compare the Secure Token holder situation before and after running the script.

When people are asking me to assist with FileVault issues, we almost always end up in a long discussion where I ask to provide additional information.

The reasons why are simple. First of all, there is the complexity of FileVault and SecureToken on its own. It’s a topic and an area within the MacAdmin realm which has consumed a lot of my time over the past 2 years. Sometimes I even wonder why I ever had the eagerness to dive into the matter and try to really understand how it actually works. It’s, with all respect and appreciation for the security aspect of the feature’s design, a can of worms which almost gave me nightmares. On the other hand, although there are always weird edge cases were I struggle with, it’s a topic in which I managed to build some confidence and expertise. At least, that’s what I think. I leave that judgement to you.

Nevertheless, maybe I should have chosen an easier topic to spend my time with, deploying Web Clips or something. I don’t know, but then I wonder if I could write multiple blog post on such a topic :-).

Anyway, next there is the large variety of different strategies which can be chosen from in view of deploying and managing Macs. Automated MDM Enrolment, User Initiated enrolment, Local Accounts, Admin Accounts, Standard Accounts, AD Bind and Mobile Accounts, Jamf Connect, Policies, Profiles, …. name it. The possible combinations are like a game of chess… endless.

And finally, there is the complexity of understanding the exact situation and configuration on the Mac when FileVault issues were observed. Especially when trying to assist people remotely. And this brings us to the purpose of this post, which I’ll keep very short for once!

Looking at how things are now, on macOS Catalina, I have to conclude that the roadblocks or issues I see, are almost always due to either a misunderstanding of some expected FileVault behaviour or a combination of deployment choices and actions done by the end-user on the Mac.

The problem is, I don’t have a fortune telling ball. So whenever I need to troubleshoot FileVault, I need to gather information. And guess what! I’m lazy! Why would I type the same Terminal commands over and over again, if a machine can do it for me. Ok, I still need to tell the machine to do so, but still, one command versus multiple repetitive actions? You’re getting what I mean right? Yes, a script!

That’s why I quickly (I should have done this ages ago!) put some script together which grabs all relevant information you need to troubleshoot FileVault. Well, maybe not all information yet, but at least the mandatory info you need, to make an initial judgment on the status of a Mac in view of FileVault.

This first version includes:

  • Is FileVault enabled?
  • Which account has a SecureToken?
  • Is Bootstrap enabled?
  • What does the Deferral info look like?

Please note that the script will disclose confidential information, so handle it with care!

At this moment it’s designed to be used locally, by running it with ‘sudo’, and it drops a timestamped .txt file on the Desktop of the logged-in user.

The script can be found on my Github HERE.

As said, this is a first version. I’m already working on adding additional information in the report including some features below, but in view of the current time at the moment of writing this… I’ll keep it at work in progress!

That’s it! As promised, just a quick share for today! I hope this can help you, or any person you are discussing FileVault roadblocks with, to easier understand the current FileVault config and state of a Mac you’re troubleshooting.

As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!


To do:

  • Mobile or local account? OK
  • Admin or Standard account? OK
  • Which account is the Managed Administrator? OK
  • Personal Recovery Key? OK
  • Institutional Recovery Key? OK

I’ll update further progress on the script here below:

  • 28th of August: V1 BROKEN -> see V1.2 Bugfix
  • 29th of August: Added V1.1 – added output of Logged In user to .txt file -> BROKEN -> see V1.2 Bugfix
  • 29th of August: Added V1.2 – BUGFIX – added logic to check if deferral info exists
  • 29th of August: Added V2
  • 30th of August: V2.1 – Added recovery partition check
  • 1st of Sept: V2.2 – Added check of SecureToken and AuthenticationAuthority
Features added in V2.2:
- added output of 'dscl . -search Users AuthenticationAuthority ";SecureToken;"'
Features added in V2.1:
- added recovery partition check
Features added in V2:
- List of all Mobile Accounts
- List of all Local Accounts
- List of all admin accounts
- check if logged-in user is admin
- check if logged-in user is mobile account
- reporting of /var/db/ConfigurationProfiles/Settings/.setupUser content to check the "Managed Admin"
- check if there is a Personal Recovery Key on the system
- check if the PRK in the deferral info is still valid
- check if there is an Institutional Recovery Key on the system
- cleaned up the debug echos