macOS has its own native drive encryption, FileVault, which encrypts the entire startup volume. If the FileVault passphrase is forgotten, the volume cannot be unlocked and the machine will not boot. Symantec Endpoint Encryption for FileVault (SEE FV) can be used to manage the Personal Recovery Keys (PRKs), so that if the password is forgotten the PRK can be used to authenticate, unlock the volume and boot the system.
As part of this functionality, SEE FV adds authorized users so that it can manage the PRK for them. macOS High Sierra (10.13) and later require a per-user attribute called secureToken: only accounts that hold a secure token can unlock a FileVault-encrypted volume. An account without a secure token can still log in to macOS once the volume is unlocked, but it cannot unlock the volume at boot. In the same way, SEE FV checks additional users and, where the secure token is present, manages and uploads the PRK for that user.
There are cases where SEE FV is unable to manage a user because of a problem with that user's secure token: the Add User prompt appears (see screenshot below), but no password is accepted. When this happens, either the passphrase is incorrect (less likely) or the secure token is missing or otherwise broken (more likely). This article covers the steps to correct this situation.
TIP: SEE FV provides multiple pop-ups. For a view of all of these popups and the description of each, see article INFO5269.
Prompt: "Add current user to encrypted drive"
Log entry: Jun 13 09:18:27 SEEAgent <Info>: Messaging error "Failed to add user"
Environment: macOS High Sierra (10.13) and above; Symantec Endpoint Encryption 11.1.3 through 11.2.1 MP1.
As mentioned, the Add User prompt means a user needs to be added to the FileVault user list. When it appears for the user who is already logged in, the secure token for that account is usually the problem and needs to be corrected. The prompt displays the username of the affected account.
To correct the secure token, first check which users are on the FileVault list by running the following command in the Terminal application:
sudo fdesetup list
This lists the FileVault-enabled users, one per line, as name and UUID, for example:
Tom Symantec, ABCDEFGHI-JKLM-NOPQ-RSTU-VWXYZ1234567
In this example, Tom Symantec is the user being prompted for the passphrase. Next, check whether that account has a secure token by running the following command, using the account name exactly as it appears in the fdesetup list output (sysadminctl prints its status line with a timestamp and process ID prefix, which is omitted below):
sysadminctl -secureTokenStatus "Tom Symantec"
If the account holds a secure token, the output ends with:
Secure token is ENABLED for user Tom Symantec
If the account has no secure token, the output instead ends with:
Secure token is DISABLED for user Tom Symantec
In either case, whether the secure token is missing or it is present but the password is still not accepted, the following commands re-add the user to FileVault and allow SEE FV to manage the PRK for that user.
Step 1: Use Terminal to re-add the broken user to FileVault:
sudo fdesetup add -usertoadd "Tom Symantec"
fdesetup add must be authorized by an existing FileVault user whose secure token is working. Use an administrator account whose status from sysadminctl -secureTokenStatus is ENABLED; if the affected user's status is ENABLED, that account can authorize its own re-add, otherwise use a different administrator.
Step 2: Follow the prompts:
At "Enter the user name:", type the name of the authorizing administrator and press Enter. When prompted for that user's password, type it and press Enter.
You will then be prompted to "Enter the password for the added user 'Tom Symantec'." Type Tom Symantec's password and press Enter.
Step 3: Validate Success
If no errors appear, the command succeeded. Reboot the system and log in as "Tom Symantec" (or the affected user in your own case). The Add User prompt should now accept the user's credentials.
If this is the first time the user has registered, a different screen appears instead, "Enable Encryption Management":
Enter the current user's credentials so that SEE FV can manage the PRKs for this account.
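The following script is an added example, not part of this article or of SEE FV. It runs the same two checks described above (fdesetup list and sysadminctl -secureTokenStatus), classifies the account's state, and prints the fdesetup add command to run. The parsing functions take command output as arguments so they can be exercised offline against constructed sample output; only triage_live invokes the real tools, and only when a user name is passed on the command line. The function names, the sample UUIDs and the timestamp prefixes are assumptions made for the example; the "name,UUID" line format of fdesetup list and the "Secure token is ENABLED/DISABLED for user" status line of sysadminctl are what those tools print on macOS 10.13 and later.

```shell
#!/bin/sh
# Added example (not from the article or SEE FV): triage a macOS account's
# FileVault enrolment and secure-token state, then print the re-add command.

# A literal newline, used to anchor matches to the start of a line in POSIX sh.
NL=$(printf '\nx'); NL=${NL%x}

# Constructed sample output (not captured from a real system), mirroring the
# article's example. sysadminctl writes its status line to stderr with a
# timestamp and process-ID prefix, so callers must capture it with 2>&1.
SAMPLE_LIST="admin,11111111-2222-3333-4444-555555555555
Tom Symantec,ABCDEFGHI-JKLM-NOPQ-RSTU-VWXYZ1234567"
SAMPLE_TOKEN_OK='2019-06-13 09:18:27.000 sysadminctl[1234:56789] Secure token is ENABLED for user Tom Symantec'
SAMPLE_TOKEN_MISSING='2019-06-13 09:18:27.000 sysadminctl[1234:56789] Secure token is DISABLED for user Tom Symantec'

# fv_user_enrolled LIST_OUTPUT USER: succeed if USER appears as "USER,<UUID>"
# on a line of `sudo fdesetup list` output. Matching the whole line prefix
# avoids a partial match such as "tom" against "tomas,...".
fv_user_enrolled() {
    case "$NL$1$NL" in
        *"$NL$2,"*) return 0 ;;
    esac
    return 1
}

# secure_token_state TOKEN_OUTPUT: print ENABLED, DISABLED or UNKNOWN from
# `sysadminctl -secureTokenStatus USER 2>&1` output. UNKNOWN covers a
# misspelled user name (the tool reports an error instead of a status line).
secure_token_state() {
    case $1 in
        *"Secure token is ENABLED for user "*)  echo ENABLED ;;
        *"Secure token is DISABLED for user "*) echo DISABLED ;;
        *)                                      echo UNKNOWN ;;
    esac
}

# fv_state USER LIST_OUTPUT TOKEN_OUTPUT: print "<yes|no>/<token state>".
fv_state() {
    if fv_user_enrolled "$2" "$1"; then enrolled=yes; else enrolled=no; fi
    echo "$enrolled/$(secure_token_state "$3")"
}

# fv_triage USER LIST_OUTPUT TOKEN_OUTPUT: explain the state and the fix.
fv_triage() {
    state=$(fv_state "$1" "$2" "$3")
    printf 'user=%s enrolled/secure_token=%s\n' "$1" "$state"
    case $state in
        yes/ENABLED)
            echo "Token present and user enrolled; if SEE FV still rejects the" \
                 "password, re-add the user (the user may authorize the add):" ;;
        */DISABLED)
            echo "No secure token; re-add the user, authorizing as an" \
                 "administrator whose token status is ENABLED:" ;;
        no/ENABLED)
            echo "Token present but user not on the FileVault list; add the user:" ;;
        *)
            echo "Could not read the secure token status; check the user name" \
                 "against fdesetup list, then re-add the user:" ;;
    esac
    printf '  sudo fdesetup add -usertoadd "%s"\n' "$1"
}

# triage_live USER: run the real tools (macOS only; fdesetup list needs root).
triage_live() {
    triage_list=$(sudo fdesetup list)
    triage_token=$(sysadminctl -secureTokenStatus "$1" 2>&1)
    fv_triage "$1" "$triage_list" "$triage_token"
}

if [ $# -gt 0 ]; then
    triage_live "$1"
else
    # No user given: demonstrate against the constructed sample output.
    fv_triage "Tom Symantec" "$SAMPLE_LIST" "$SAMPLE_TOKEN_MISSING"
fi
```

Run it on the affected Mac as sh fv_triage.sh "Tom Symantec" (it will ask for your sudo password for fdesetup list); with no argument it only processes the constructed sample. The script deliberately stops short of running fdesetup add itself: that command needs two passwords, and the interactive prompts in Step 2 keep them off disk. fdesetup add does accept -inputplist to read the user names and passwords from a property list on standard input, but that leaves credentials in a file and is only appropriate for a tightly controlled deployment workflow.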
If the above procedure does not work, collect the following logs and files and contact Symantec Support:
~/Library/Logs/SEEagent/SEEAgent.log
/Library/Logs/SEEd/SEEd.log
/Library/Application Support/Symantec Endpoint Encryption/see.keychain
/Library/Application Support/Symantec Endpoint Encryption/see.dat
In addition to the logs and files above, run the following command while logged in as the affected user and save its output to a text file for review by Symantec Support:
diskutil apfs updatePreboot /