Support Center > Search Results > SecureKnowledge Details
How-To manage user acquisition of mobile accounts using FDE on macOS 10.13 or later Technical Level
Symptoms
  • Native Encryption Management is unable to complete user acquisition and display status "Getting user information".
  • Native Encryption Management will request authentication from local administrator during each mobile account login
  • Apple will request authentication from local administrator as part of the create user wizard.
Cause

The following applies to macOS 10.13 or later

  • User can not be added to Apple FileVault unless it has a secure token
  • When mobile accounts are created, they do not receive secure token.
  • Starting with macOS 10.13.4, in the user setup wizard, a secure token can optionally be created by authentication from a local administrator. If the dialog button Bypass is pressed, the dialog will not appear again.
  • Mobile accounts created in macOS before 10.13.4 will not have secure token.

 

 

 

The following applies to Endpoint Security Native Encryption Management (NEM) blade E80.7x

  • During user acquisition, after each login, whenever secure token is missing, NEM will allow creation of secure token by requesting authentication from a local administrator.
  • If authentication is cancelled, the dialog will appear at next login.


Solution

How-To avoid authentication from local administrator during user acquisition - nemcontrol

  • A local admin can SSH to the machine and execute nemcontrol as sudo. Once the utility is executed, NEM will not need to request authentication from local administrator anymore. NEM will seamlessly add any mobile account to FileVault.
  • The command will create a hidden local admin account, fdetemp, that has secure token.
  • The hidden account is time-limited and will not appear in macOS or FileVault login screens. 
  • Later, when NEM has finished user acquisition, the hidden account will be automatically removed. 
  • The utility can preferably be run before installation. In case it is run after installation, via SSH, at the same time as NEM has requested authentication from local administrator, the mobile user needs to logout and re-login again.
  • Internally, NEM uses the hidden account to enable secure token of all other mobile accounts.

 

nemcontrol usage

Note, The installed macOS must have a user with administrative privileges with a secure token already assigned. This is often the initial local administrator of the installed macOS. To find out if an administrator account has secure token:

 sudo sysadminctl -secureTokenStatus <local-admin>

 

To create the temporary hidden user:

sudo /Library/Application\ Support/Checkpoint/Endpoint\ Security/nemControl create-fdetemp-user -u <local-admin-with-securetoken> -p <local-admin-with-securetoken-password> [-t <hidden-account-expiration-hours>]

Applies To:
  • Native Encryption Management (NEM) replaces the old FDE blade starting with E80.71 version. NEM blade manages Apple FileVault.
  • NEM blade requires updated Endpoint Management Server and SmartEndpoint application. The reason is that recovery file format is different in FileVault compared to FDE. Please contact Check Point support for more information.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment