
Filevault key invalid when set up with user account + fleet admin account #46977

@chrstphr84

Description

Fleet versions

  • Discovered: main (post 4.86 release)
  • Reproduced: 4.86

Web browser and operating system:
macOS 15.7.3


💥 Actual behavior

FileVault escrowed recovery key does not unlock in recovery mode when the following account types are set in setup experience:

  • Managed 7 account (4.86)
  • Local account: Admin + _fleetadmin (4.87/main)
  • Local account Standard + _fleetadmin (4.87/main)

This issue appears to be contingent on the Fleet Admin account being created before the user account is created.
Note: 4.87 options for Admin only and Skip (no account) appear to work as expected.

Settings: [screenshot]

Images of issue: [screenshot]

🛠️ Expected behavior

TODO

🧑‍💻 Steps to reproduce

These steps:

  • Have been confirmed to consistently lead to reproduction in multiple Fleet instances.
  • Describe the workflow that led to the error, but have not yet been reproduced in multiple Fleet instances.

Prerequisites

  • macOS device in Apple Business
  • Disk encryption on (FileVault enforced during setup)

4.86

  1. Controls > Disk encryption ✅
  2. Controls > Setup > Users > Managed local account ✅
  3. Proceed through setup experience, log in as user
  4. Collect recovery key (Fleet UI: Hosts > Actions > Show disk encryption key)
  5. Boot to recovery
  6. Select "reset passwords for all users"
  7. Enter recovery key, observe failure

4.87

  1. Controls > Disk encryption ✅
  2. Controls > Setup > Users > Local account
  3. Choose one of the following:
     • Admin + Create hidden admin
     • Standard
  4. Proceed through setup experience until desktop (logged in as user)
  5. Collect recovery key (Fleet UI: Hosts > Actions > Show disk encryption key)
  6. Boot to recovery
  7. Select "reset passwords for all users"
  8. Enter recovery key, observe failure

🕯️ More info (optional)

Will attempt to reproduce on macOS 26 and update issue.

Labels: P1 (Critical: Broken workflow (critical bug), potential vuln, new feature for immediate Fleet need), bug (Something isn't working as documented)