fdesetup sync – fdesetup’s misunderstood command
Apple’s fdesetup tool includes a number of commands, including fdesetup sync. In the fdesetup manpage, sync is listed with the following description:
Synchronizes information from Open Directory to FileVault
Since the description is brief and vague, misunderstandings about what fdesetup sync‘s functions were almost inevitable. Based on my research, here’s fdesetup sync does:
1. Automate the disabling of FileVault 2-enabled accounts
fdesetup sync checks with a Mac’s directory service (Active Directory, Open Directory, OpenLDAP, etc.) to see which accounts have been removed. If an account has been removed from the directory service, running fdesetup sync on an encrypted Mac will automatically remove the account from the list of FileVault 2 enabled accounts. The sync only affects the account’s FileVault 2 status and will not remove the account or account home folder from the Mac.
An important thing to know is that fdesetup is only checking to see if the account is there or not there. It’s unable to determine if an account has been set to be disabled. If an account has been disabled but the account is still there, fdesetup sync will not change the FileVault 2 status of the account in question.
2. Automate the update of accounts’ user pictures
fdesetup sync checks with a Mac’s directory service (Active Directory, Open Directory, OpenLDAP, etc.) to see which accounts have user pictures associated with the account. If an account’s user picture is updated on the directory service, running fdesetup sync will allow the updated user picture to also be displayed on the FileVault 2 pre-boot login screen.
In many cases, this information will also have been updated automatically by the OS without the need for fdesetup sync to be run.
With those capabilities in mind, here’s two common misunderstandings I’ve seen or heard of in connection with fdesetup sync:
1. fdesetup sync updates the passwords at the pre-boot login screen
It does not. Based on my research, it appears that this job may be handled by opendirectoryd’s FDESupport module. I haven’t confirmed that with Apple though, so for the moment, treat this information about FDESupport as being my opinion rather than a fact.
2. fdesetup sync can automatically add accounts to a FileVault 2-encrypted Mac.
It does not, and the manpage for fdesetup is explicit about this point elsewhere in the manpage.
NOTE: The manpage for fdesetup has a typo where it refers to a fdesetup “syncusers” command. This is actually referring to fdesetup sync.
Leave a comment
Recent Comments
 | Ben LeRoy on Losing a giant |
 | Peter-Erik on Downloading installer packages… |
 | nathanhaggard on Losing a giant |
 | andras0602 on Disabling login window clock d… |
 | Jeff on Losing a giant |
Der Flounder 
I’ve found that fdesetup sync on Centrify systems does appear to sync passwords between the computer and the FV2 login environment.
Hi Richard, Our users do not have admin rights to their logins. If we execute this command, should it be done under the local admin account or the affected users account? What’s your experience?
Our users do not have admin rights to their logins. If we execute this command, should it be done under the local admin account or the affected users account? What’s your experience?