Fix FileVault Remediation Failed on macOS using JumpCloud Secure Token
Overview
If you see the error "FileVault Remediation Failed" in the JumpCloud Admin Console (under Device Details > FileVault Status), it means the JumpCloud agent attempted to enable encryption but failed.
This almost always happens because the current user account lacks a Secure Token. In macOS, only users with a Secure Token can authorize FileVault encryption. If the user was created via script or migrated improperly, they might be an Admin but still lack this specific cryptographic token.
Symptoms
JumpCloud Console: Status shows "Remediation Failed" or "Encryption Pending" indefinitely.
End User: The user is never prompted to enable FileVault, or they see an error saying "Authentication failed" when trying to turn it on in System Settings.
Solution 1: The "Log Out / Log In" Fix (Secure Token Grant)
macOS often attempts to grant a Secure Token automatically during the very first GUI login.
Ask the user to Log Out of their Mac (Apple Menu > Log Out). Do not just restart; specifically log out.
Ask them to Log In again using their password (not TouchID).
Wait 15 minutes for the JumpCloud agent to retry the FileVault policy.
Why this works: The OS attempts to "chain" the Secure Token from the existing Admin (or the MDM bootstrap token) to the user during a fresh login event.
Solution 2: Verify & Fix via Terminal (Admin Access Required)
If the simple logout fix doesn't work, you must manually verify and grant the token using the command line. You can run these commands via JumpCloud CMD (running as root) or locally on the machine.
Step 1: Check Token Status
Run this command to see who actually has a token:
sysadminctl -secureTokenStatus <username>Output:
Secure token is ENABLED for user...(This is Good. The issue is likely just a password sync issue. See KB: Fix Keychain Sync).Output:
Secure token is DISABLED for user...(This is Bad. Proceed to Step 2).
Step 2: Grant Token (If you have another Admin)
If another admin user on the machine (e.g., admin_local) has a token, they can grant one to the target user.
sysadminctl -secureTokenOn <target_username> -password <target_user_password> -adminUser <admin_username> -adminPassword <admin_password>Step 3: The "Bootstrap" Fix (MDM Automatic Grant)
If the Mac is MDM enrolled (JumpCloud MDM is active) and the Bootstrap Token is escrowed, you can force the Mac to use that token to fix the user.
Run this as root:
profiles validate -type bootstrapholderThen, have the user change their password via the command line (or System Settings) which often triggers the token generation:
passwd <username>Solution 3: Manually Enable FileVault (The "fdesetup" Command)
If the user has a token but automation is failing, you can try to force encryption manually.
Open Terminal on the user's device.
Run:
sudo fdesetup enableIt will ask for a username and password. Enter the user's credentials.
If successful, it will generate a Recovery Key and start encryption.
Important: You must manually escrow this new Recovery Key to JumpCloud if you want to store it there.
Prevention: The Golden Rule
To avoid this in the future when setting up new Macs:
Create the User First: Create the user via the JumpCloud Agent or manually.
Log In GUI First: Ensure the user logs into the desktop GUI before you bind the device to the FileVault policy in JumpCloud.
Why? The initial login creates the Secure Token. If you push the policy before the token exists, remediation fails immediately.
FAQ
1) How to fix FileVault Remediation Failed on macOS using JumpCloud?
Log out and log in via GUI to trigger Secure Token auto-grant. If failed, verify Secure Token status via sysadminctl, grant token using another admin or Bootstrap holder, then retry FileVault enablement.
2) How to verify Secure Token status on macOS for FileVault authorization?
Run sysadminctl -secureTokenStatus <username> or profiles validate -type bootstrapholder. Look for ENABLED or DISABLED. Only Secure Token-enabled users can authorize FileVault encryption.
3) Can FileVault be forced manually if JumpCloud automation fails?
Yes. Use fdesetup enable or fdesetup enable locally or via JumpCloud CMD as root. If successful, encryption starts and generates a Recovery Key, which must be escrowed manually if needed.
4) Why does FileVault remediation fail even if the user is a local admin?
User may be admin but lack Secure Token due to improper script-based creation or migration. FileVault requires Secure Token or Bootstrap holder chain to authorize encryption.
