iMac Pro iMac Pro users - issues enabling FileVault?

[BeatCrazy]

[SOLVED!]

I normally use FileVault encryption on my Macs, but when I set up my iMac Pro last week, I don't remember unchecking an option to disable FileVault. When I looked today, FileVault was "off", and I'm unable to turn it back on.

I get the error: "Account xxxxxxxxx cannot be used to manage encryption on this Mac. Click the lock to prevent further changes, then select another administrator account, and try again. Authentication server refused operation because the current credentials are not authorized for the requested operation."

So I opened up a ticket with Apple support, and went through all the troubleshooting steps, including some terminal commands, creating another Admin user, reinstalling macOS, all to no avail. At this point, it's going to be escalated to their engineering dept.

The reason I'm curious about other iMac Pro users is because maybe this is related to the T2 chip in some way?

 

[ThatSandWyrm]

Mine is still on.

Did you create a password for the disk when you set up your iMac Pro? If not, then you didn't have FileVault enabled.

 

[BeatCrazy]

Mine is still on.

Did you create a password for the disk when you set up your iMac Pro? If not, then you didn't have FileVault enabled.

I have a password for my login/admin account, is that the same thing as a password for my disk?

 

[SecuritySteve]

I have a password for my login/admin account, is that the same thing as a password for my disk?

No. There will be a separate firmware password. Out of curiosity, did they ever have you try enabling filevault as root? Typically it's unadvisable to enable a root account for security reasons, but it does give you ultimate control over your machine, and in instances like this may be useful.

If you have not, here's a guide to enabling a root user, and logging in as root:
https://support.apple.com/en-us/HT204012

If this solution does work, disable root immediately after. This is for security purposes.

 

[BeatCrazy]

No. There will be a separate firmware password. Out of curiosity, did they ever have you try enabling filevault as root? Typically it's unadvisable to enable a root account for security reasons, but it does give you ultimate control over your machine, and in instances like this may be useful.

If you have not, here's a guide to enabling a root user, and logging in as root:
https://support.apple.com/en-us/HT204012

If this solution does work, disable root immediately after. This is for security purposes.

No, they did not have me try this. Maybe I will give it a shot later?

 

[SecuritySteve]

No, they did not have me try this. Maybe I will give it a shot later?

Any luck?

 

[chabig]

I normally use FileVault encryption on my Macs, but when I set up my iMac Pro last week, I don't remember unchecking an option to disable FileVault. When I looked today, FileVault was "off", and I'm unable to turn it back on.

That sounds right. You didn't enable FileVault on the new machine. The settings on the old machine are irrelevant. The real question is why you can't enable FileVault now.

How did you move your files to the new machine? Did you migrate? How many administrator accounts do you have?

 

[BeatCrazy]

Any luck?

Haven't had a chance to try the steps you posted above, yet. And I'm half-way expecting a call from Apple engineering today. But I'm not betting my car on that

That sounds right. You didn't enable FileVault on the new machine. The settings on the old machine are irrelevant. The real question is why you can't enable FileVault now.

How did you move your files to the new machine? Did you migrate? How many administrator accounts do you have?

Actually you do enable FileVault on a new machine, which is why I noticed the problem in the first place. Yesterday I got a new 2017 MacBook, and was setting it up from scratch. During the setup process, there is a screen for FileVault, and one other setting (can't recall), FV is enabled/checked by default. This prompted me to check my iMac Pro to ensure FV was enabled.

For the iMac Pro (where I'm having this issue), I set this up from scratch. Zero files transferred, only iCloud settings carried over. I only have a single Admin account.

 

[ThatSandWyrm]

Actually you do enable FileVault on a new machine, which is why I noticed the problem in the first place. Yesterday I got a new 2017 MacBook, and was setting it up from scratch. During the setup process, there is a screen for FileVault, and one other setting (can't recall), FV is enabled/checked by default. This prompted me to check my iMac Pro to ensure FV was enabled.

For the iMac Pro (where I'm having this issue), I set this up from scratch. Zero files transferred, only iCloud settings carried over. I only have a single Admin account.

FileVault on normal Macs just encrypts your home folder, and you only need your login password. On the iMac Pro, your entire disk is encrypted (thanks to the added T2 chip), and so you're asked to provide a disk-specific password for it. Same as if you'd encrypted an external drive.

 

[BeatCrazy]

FileVault on normal Macs just encrypts your home folder, and you only need your login password. On the iMac Pro, your entire disk is encrypted (thanks to the added T2 chip), and so you're asked to provide a disk-specific password for it. Same as if you'd encrypted an external drive.

Hmmm... makes sense. I don't recall setting up that disk-specific password for FV during initial setup?

I had a feeling the T2 was someone involved in my issue.

 

[ThatSandWyrm]

Hmmm... makes sense. I don't recall setting up that disk-specific password for FV during initial setup?

I had a feeling the T2 was someone involved in my issue.

Yeah, and Apple's techs probably aren't up to speed yet on the differences between FileVault on a regular Mac vs. the iMP. We're talking about a machine with its own custom version of MacOS.

 

[BeatCrazy]

Yeah, and Apple's techs probably aren't up to speed yet on the differences between FileVault on a regular Mac vs. the iMP. We're talking about a machine with its own custom version of MacOS.

Yep. Which is why I'm starting to lose faith that Apple will fix this anytime soon.

 

[Smoothie]

FileVault on normal Macs just encrypts your home folder, and you only need your login password. On the iMac Pro, your entire disk is encrypted (thanks to the added T2 chip), and so you're asked to provide a disk-specific password for it. Same as if you'd encrypted an external drive.

Are you certain that FileVault only encrypts your home folder? My understanding is that this was true of the original FileVault, but that the current version of FileVault (Apple calls it FileVault 2) does full-disk encryption. See here:

https://support.apple.com/en-us/HT204837

 

[BeatCrazy]

No. There will be a separate firmware password. Out of curiosity, did they ever have you try enabling filevault as root? Typically it's unadvisable to enable a root account for security reasons, but it does give you ultimate control over your machine, and in instances like this may be useful.

If you have not, here's a guide to enabling a root user, and logging in as root:
https://support.apple.com/en-us/HT204012

If this solution does work, disable root immediately after. This is for security purposes.

Unfortunately no luck. Using root, the option/button to turn on FileVault was grayed out.

Apple called me back, and the recommendation from engineering was to completely wipe and reinstall. So, starting that now.... see you on the other side...

 

[BeatCrazy]

Uh oh, this doesn't seem so good. I erased my Macintosh HD, so I had to do an internet recovery and download the OS.

Now I have this screen, but should I be installing macOS on "Container disk2"? Seems a bit strange that I'd already have 18GB on there, unless that is just the base OS downloaded from the internet.

 

[SecuritySteve]

Uh oh, this doesn't seem so good. I erased my Macintosh HD, so I had to do an internet recovery and download the OS.

Now I have this screen, but should I be installing macOS on "Container disk2"? Seems a bit strange that I'd already have 18GB on there, unless that is just the base OS downloaded from the internet.

That 18 GB is a bit odd, but it is obviously your hard drive. Perhaps it's leftover from the wipe? Or RAID software to run the RAID0 configuration of the two SSDs in the iMP perhaps? Who knows.

 

[BeatCrazy]

OK, so the "nuclear" option worked... after a full wipe, I can now turn on/use File Vault. Just to prove I was not losing my mind, there was no option in the initial setup where I was asked to uncheck or turn off FileVault (unlike my MacBook). So, I really have no idea what happened here.

That 18 GB is a bit odd, but it is obviously your hard drive. Perhaps it's leftover from the wipe? Or RAID software to run the RAID0 configuration of the two SSDs in the iMP perhaps? Who knows.

Yeah so this is strange and related to APFS. I looked at my other Macs with APFS, and they show similar "VM" or "Other Volumes" used in Disk Utility.

These two screen shots are from my iMac Pro, but my 2016 MacBook Pro shows 3.22GB of VM, my 2017 MacBook shows 1.07GB of VM. Note: you have to select View->Show All Devices within Disk Utility to see this detail.

What do you guys have?

 

[SecuritySteve]

OK, so the "nuclear" option worked... after a full wipe, I can now turn on/use File Vault. Just to prove I was not losing my mind, there was no option in the initial setup where I was asked to uncheck or turn off FileVault (unlike my MacBook). So, I really have no idea what happened here.





Yeah so this is strange and related to APFS. I looked at my other Macs with APFS, and they show similar "VM" or "Other Volumes" used in Disk Utility.

These two screen shots are from my iMac Pro, but my 2016 MacBook Pro shows 3.22GB of VM, my 2017 MacBook shows 1.07GB of VM. Note: you have to select View->Show All Devices within Disk Utility to see this detail.

What do you guys have?View attachment 748498View attachment 748499

I have a small amount of something called "Other Volumes" but I assume it's APFS related tables or something. This is on my 2015 MBP - afraid I am still waiting for Apple to send my iMP, but I'll get back to you in a few weeks if it has the same problem.

 

[BeatCrazy]

I have a small amount of something called "Other Volumes" but I assume it's APFS related tables or something. This is on my 2015 MBP - afraid I am still waiting for Apple to send my iMP, but I'll get back to you in a few weeks if it has the same problem.

OK, I found out from Apple what VM/Other Volumes is for. Basically it's reserved space for system RAM swap. So, nothing to be worried about!

 

[ThatSandWyrm]

Are you certain that FileVault only encrypts your home folder? My understanding is that this was true of the original FileVault, but that the current version of FileVault (Apple calls it FileVault 2) does full-disk encryption. See here:

https://support.apple.com/en-us/HT204837

Well, that's interesting. But it should still require you to set (and optionally auto-remember) a password for the startup disk.
[doublepost=1516942104][/doublepost]

OK, so the "nuclear" option worked... after a full wipe, I can now turn on/use File Vault. Just to prove I was not losing my mind, there was no option in the initial setup where I was asked to uncheck or turn off FileVault (unlike my MacBook). So, I really have no idea what happened here.





Yeah so this is strange and related to APFS. I looked at my other Macs with APFS, and they show similar "VM" or "Other Volumes" used in Disk Utility.

These two screen shots are from my iMac Pro, but my 2016 MacBook Pro shows 3.22GB of VM, my 2017 MacBook shows 1.07GB of VM. Note: you have to select View->Show All Devices within Disk Utility to see this detail.

What do you guys have?View attachment 748498View attachment 748499

Glad you finally got it to work!