Apple Platform Deployment Guidance: Using secure token, bootstrap token, and volume ownership in deployments
To view the current list of volume owners on a Mac computer with Apple silicon, you can run the following command:
sudo diskutil apfs listUsers /
If FileVault is in use, you can also use the following command to see user names and GUIDs together:
sudo fdesetup list -extended
To check whether the current user has a secure token, run:
sysadminctl -secureTokenStatus "$(whoami)"
How to add user accounts to a FileVault 2-enabled accounts list
sudo fdesetup add -usertoadd username
How to remove user accounts from a FileVault 2-enabled accounts list
sudo fdesetup remove -user username
How to list only the user names of FileVault-enabled accounts
sudo fdesetup list | sed 's;,.*;;'
How to remove user accounts by UUID from a FileVault 2-enabled accounts list
sudo fdesetup remove -uuid UUID_that_matches_user_account
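The list and remove-by-UUID commands above can be combined into an audit that flags FileVault-enabled accounts missing from an approved list. This is an added example, not taken from Apple's guidance or the linked posts: the function names, the sample accounts and UUIDs, and the allowlist are constructed for illustration, and it assumes fdesetup list prints one username,UUID line per account.

```shell
#!/bin/sh
# Added example: audit FileVault-enabled accounts against an allowlist.
# Assumed input format: one "username,UUID" line per account, as printed
# by `sudo fdesetup list`.

# Constructed sample output (not from a real machine).
SAMPLE_FDESETUP_LIST='admin,11111111-2222-3333-4444-555555555555
jdoe,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
oldtemp,99999999-8888-7777-6666-555555555555'

# fv_unexpected ALLOWED...   (reads fdesetup list output on stdin)
# Prints "username UUID" for every FileVault-enabled account whose
# short name is not among the ALLOWED arguments.
fv_unexpected() {
    allowed=" $* "
    while IFS=, read -r user uuid; do
        [ -n "$user" ] || continue        # skip blank lines
        case "$allowed" in
            *" $user "*) ;;                # approved account, nothing to report
            *) printf '%s %s\n' "$user" "$uuid" ;;
        esac
    done
}

# fv_removal_plan ALLOWED...   (reads fdesetup list output on stdin)
# Prints, but does not run, the remove-by-UUID command for each
# unexpected account so an administrator can review it first.
fv_removal_plan() {
    fv_unexpected "$@" | while read -r user uuid; do
        printf 'sudo fdesetup remove -uuid %s   # %s\n' "$uuid" "$user"
    done
}

# On a Mac: sudo fdesetup list | fv_removal_plan admin jdoe
# Here the constructed sample stands in for the live output.
printf '%s\n' "$SAMPLE_FDESETUP_LIST" | fv_removal_plan admin jdoe
```

Removing by UUID rather than by name also covers entries whose user record has since been deleted or renamed.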
Ownership is backed by cryptography protected in the Secure Enclave. For more information, see:
Apple Platform Security: Contents of a LocalPolicy file for a Mac with Apple silicon
Apple Platform Security: LocalPolicy signing-key creation and management
Links:
https://community.jamf.com/t5/jamf-pro/catalina-filevault-enablement/td-p/134562
https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/1/web/1.0
Mr. Macintosh: Apple releases long-awaited SecureToken documentation
https://krypted.com/bash/pull-list-filevault-encrypted-users-mac/
Travelling Tech Guy