FileVault recovery is not possible when automatic password expiration is enabled on macOS High Sierra or later

Technical Articles ID: KB89819
Last Modified: 6/5/2020

Environment

McAfee Management of Native Encryption (MNE) 4.1.2 and later

Mac FileVault
macOS High Sierra 10.13.x and later

For details of MNE supported environments, see KB79375.

Problem

FileVault recovery is not possible when MNE password expiry policy is enabled on macOS High Sierra, or later systems.

After a user completed a FileVault recovery, but was then prompted to reset their password, the Change Password window suppressed the Reset Password window. The suppression of the Reset Password window can occur within a fraction of a second. The Password Expire policy controls the Change Password window, and this window is asking the user for their old password. This sequence leads to the following:

Recovery to desktop is not possible because the user does not remember the old password.
FileVault Recovery to the desktop is not possible. The user is asked for their old password at the operating system logon prompt.

Solution

The issue covered in this article depends on Apple to fix the problem in a future release of macOS. After Apple confirms a fix, the development team will consider to reinstate this feature. Reinstatement only after a successful validation in a future release or updated version of the product.

In the interim, implement the workaround below.

Workaround

Make sure that the password expiration policy is not set in ePO for all systems running macOS 10.13 or later.

Password Expiry support matrix:

macOS	MNE 4.1.2 Or later	MNE 4.1.1
High Sierra 10.13.x or later	No ²	No ¹
Sierra 10.12.x and earlier	Yes	Yes

¹	MNE 4.1.1 is not supported on High Sierra 10.13.x or later.
²	Feature not supported because of a macOS known issue on High Sierra 10.13.x or later.

Affected Products

Known Issue/Product Defect
Management of Native Encryption 4.x

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Knowledge Center

FileVault recovery is not possible when automatic password expiration is enabled on macOS High Sierra or later

Environment

Problem

Solution

Workaround

Affected Products

Languages:

Title

Title

Knowledge Center

FileVault recovery is not possible when automatic password expiration is enabled on macOS High Sierra or later

Environment

Problem

Solution

Workaround

Affected Products

Languages:

Choose your region

Title

Title