Question

Double login after upgrading to Tahoe

  • December 17, 2025
  • 7 replies
  • 54 views

jwhite

I’m pretty new to JAMF. I’ve got JAMF Connect 3.5.0, Self Service+, and JAMF Connect Launch Agent 3.5.0 deployed on my Mac Mini test device. I deployed these so I could start working on Tahoe support. After upgrading to Tahoe, everything seems to be working fine, except I now have to log in twice when rebooting. The first login seems to be FileVault for unlocking the disk, and the second is the Entra web sign-in window from JAMF Connect.

With Sequoia and the older version of JAMF Connect that most users are on, they only have to log in once with the Entra web sign-in window.

I’m using all the same config profiles as the old machines. Is this expected in Tahoe or is there some config change needed to get SSO sign-in to cover both FileVault and OS login? Also, I have to enter the username in the second login as well. I’m pretty sure this was pre-populated before. I’m not 100% sure if this was caused by the new JAMF Connect app versions, or only after the Tahoe upgrade.

Is there anything I can do to cut out the duplicate logins without gutting security too much?

7 replies

Chubs
  • Jamf Heroes
  • December 17, 2025

IIRC there’s a key to set in the JCL configuration...but alas, if your devices are 1:1, why not rip out the JCL piece and just do the menubar app/password sync?


jwhite
  • Author
  • New Contributor
  • December 17, 2025

> IIRC there’s a key to set in the JCL configuration...but alas, if your devices are 1:1, why not rip out the JCL piece and just do the menubar app/password sync?

Would that effectively just have them sign in with their sync’d local user/password only? If so I think IS demands MFA for logins, but I’m not sure. (Not only am I new to JAMF, I’m new to the environment. My predecessor set this all up, I believe with JAMF Pro Services’ help)

Chubs
  • Jamf Heroes
  • December 17, 2025

> > IIRC there’s a key to set in the JCL configuration...but alas, if your devices are 1:1, why not rip out the JCL piece and just do the menubar app/password sync?
>
> Would that effectively just have them sign in with their sync’d local user/password only? If so I think IS demands MFA for logins, but I’m not sure. (Not only am I new to JAMF, I’m new to the environment. My predecessor set this all up, I believe with JAMF Pro Services’ help)

So you guys don’t use device compliance? What about MFA for your trusted app logins? Do you have east/west traffic blocked? I work in a hospital (kinda famous one) and we only have ours set up to MFA for first-time login. MFA going forward after that is dependent on device compliance and application access.


mattjerome
  • Jamf Heroes
  • December 18, 2025

It sounds like your FileVault and local passwords are not sync’d (or at least the system thinks they aren’t). Try going to recovery and using the resetpassword command after unlocking the drive with the FileVault key. Then wipe the device and try to replicate the problem.


jwhite
  • Author
  • New Contributor
  • December 18, 2025

> It sounds like your FileVault and local passwords are not sync’d (or at least the system thinks they aren’t). Try going to recovery and using the resetpassword command after unlocking the drive with the FileVault key. Then wipe the device and try to replicate the problem.

Self Service+ is showing signed in and password sync’d.

> > > IIRC there’s a key to set in the JCL configuration...but alas, if your devices are 1:1, why not rip out the JCL piece and just do the menubar app/password sync?
> >
> > Would that effectively just have them sign in with their sync’d local user/password only? If so I think IS demands MFA for logins, but I’m not sure. (Not only am I new to JAMF, I’m new to the environment. My predecessor set this all up, I believe with JAMF Pro Services’ help)
>
> So you guys don’t use device compliance? What about MFA for your trusted app logins? Do you have east/west traffic blocked? I work in a hospital (kinda famous one) and we only have ours set up to MFA for first-time login. MFA going forward after that is dependent on device compliance and application access.

I discussed this a bit with my boss and we’re fine with no MFA on device sign-in. We do have CA enforcing MFA for trusted apps/company resources and such. So it seems like I just need to find out what’s wrong with my config that’s causing it on every boot. (Sleep/lock screen is not giving the double login, only on boot)


mattjerome
  • Jamf Heroes
  • December 18, 2025

FYI the Self Service+ password sync’d shows that the local password is sync’d to Entra. It does not mean that it’s sync’d to FileVault or that there’s an issue between the local and FileVault passwords.


Chubs
  • Jamf Heroes
  • December 18, 2025

I believe the key is the DenyLocal key. If you have that set to false, then JC is going to prompt for a login every single time after FV login.