M1 Mac (in DEP) first created user has no Secure Token

I have an M1 Mac that is in DEP (using Jamf). If I wipe the machine (from within Recovery Mode) and reinstall Big Sur 11.1, the first created user does not have a Secure Token, and so I cannot enable FileVault.

Looking on the web I have found people who had similar issues, but the general solution seems to be "wipe the machine and reinstall macOS, and you're all good", which is exactly what I am doing.

See this one as an example: https://discussions.apple.com/thread/8487253

The best description of Secure Tokens (I am including the link because otherwise everyone else will point me there) is here: https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

It looks like a bug in the OS - the initially created user has no Secure Token, and so I cannot give any other users a Secure Token. Therefore I guess I am not allowed to use FileVault?


Solution 1:

After much experimentation, it looks like the way to do this is to go to Recovery mode, and "Erase this Mac". I also used "Deactivate this Mac", but I am not sure if this helped or not.

After erasing the machine, and then reformatting and reinstalling (the classic nuke and pave), when macOS finished installing, the single user on the system DID have a Secure Token, and I was able to enable FileVault.

It really shouldn't be this difficult, though.
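
To confirm the result after a reinstall, the check below reports whether an account holds a Secure Token before you try to enable FileVault. It is an added example, not part of the original post; it assumes the macOS `sysadminctl` and `fdesetup` tools, and the two sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report Secure Token state for a local user on macOS.
# Note: sysadminctl writes its result to stderr, hence the 2>&1 below.

# Constructed sample lines in the shape sysadminctl prints (user "alice" is made up).
SAMPLE_ENABLED='2021-01-10 10:00:00.000 sysadminctl[500:1000] Secure token is ENABLED for user alice'
SAMPLE_DISABLED='2021-01-10 10:00:00.000 sysadminctl[500:1000] Secure token is DISABLED for user alice'

# Classify the text passed as $1 (output of `sysadminctl -secureTokenStatus`).
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;  # e.g. unknown user or changed wording
    esac
}

# Succeeds only when the output shows the user holds a Secure Token.
has_secure_token() {
    [ "$(secure_token_state "$1")" = "ENABLED" ]
}

# Query the live system for one user and print a one-line verdict.
check_user() {
    user="$1"
    out="$(sysadminctl -secureTokenStatus "$user" 2>&1)"
    if has_secure_token "$out"; then
        echo "$user: Secure Token ENABLED"
    else
        echo "$user: Secure Token $(secure_token_state "$out"), cannot enable FileVault from this account"
        return 1
    fi
}

# Only touch the system when the macOS tools are present.
if command -v sysadminctl >/dev/null 2>&1; then
    check_user "${1:-$(id -un)}" || true
    fdesetup status || true   # current FileVault state
fi
```

Run it as the first account created after Setup Assistant; a DISABLED result there matches the situation described in the question.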