Description
Depending on the macOS version, the first user to login to a computer or the user created during Setup Assistant is automatically granted a secure token.
In some cases, the first user to log in to a computer may not have a secure token if another account was created first (for example, by a Jamf Pro policy or by a software installer such as Sophos).
Granting Secure Tokens
Secure tokens can be granted in two ways:
Via bootstrap token: If the bootstrap token is escrowed, new users that log in automatically receive a secure token.
From another secure token holder: Existing users with a secure token can grant a token to additional users.
Bootstrap Token
See Leveraging Apple's Bootstrap Token Functionality for more information on verifying if the bootstrap token is escrowed.
Other Secure Token Holders
To see a list of FileVault enabled users/users with a secure token, use one of the commands below:
fdesetup list -extended
sysadminctl -secureTokenStatus username_goes_here
Logged in to the computer as an administrator with a secure token, use a command like the one below to give another account a secure token:
sysadminctl interactive -secureTokenOn username_of_new_Secure_token_holder -password -
Once a user has a secure token, they should be able to enable FileVault when prompted by a Jamf Pro configuration profile or policy.
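As an added example (not part of the original article), the script below audits which local accounts hold a secure token and whether the bootstrap token is escrowed, which is the check to run before expecting a FileVault policy to succeed. The sysadminctl, profiles and dscl commands are real macOS tools; the helper function names and the sample output lines are this example's own constructed assumptions.

```shell
#!/bin/bash
# Added example: report secure token state per local user and bootstrap
# token escrow state. Only the macOS commands are real; the helpers and the
# SAMPLE_* strings below are constructed for this example.

# Constructed sample output, in the format sysadminctl/profiles print,
# so the parsers can be exercised on a machine that is not a Mac.
SAMPLE_ENABLED='2024-01-10 09:12:44.101 sysadminctl[812:5590] Secure token is ENABLED for user admin'
SAMPLE_DISABLED='2024-01-10 09:12:45.220 sysadminctl[813:5597] Secure token is DISABLED for user jsmith'
SAMPLE_BOOTSTRAP='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'

# Reduce one `sysadminctl -secureTokenStatus` status line to
# ENABLED, DISABLED or UNKNOWN (e.g. the account does not exist).
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Reduce `profiles status -type bootstraptoken` output to YES/NO for escrow.
bootstrap_escrowed() {
  case "$1" in
    *"escrowed to server: YES"*) echo YES ;;
    *)                           echo NO ;;
  esac
}

# Query one account. sysadminctl writes its status line to stderr.
user_token_state() {
  token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# List local accounts with UID >= 500 (human accounts, not service
# accounts) and report each one's secure token state.
audit_secure_tokens() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r u; do
    printf '%-20s %s\n' "$u" "$(user_token_state "$u")"
  done
}

# Run the live audit only on macOS; elsewhere the parsers stay usable.
if [ "$(uname)" = "Darwin" ]; then
  printf 'Bootstrap token escrowed: %s\n' \
    "$(bootstrap_escrowed "$(profiles status -type bootstraptoken 2>&1)")"
  audit_secure_tokens
fi
```

Any account reported DISABLED while escrow is NO must be granted a token by an existing token holder before FileVault can be enabled for it.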
More Resources
For more information on secure token see:
Apple Documentation: Use secure token, bootstrap token, and volume ownership in deployments
Third-Party Blog: Secure token and FileVault on AFS
