You cannot disable the FileVault screen without disabling FileVault. Think about it this way: the computer needs to retrieve the encryption key prior to booting the O/S. Until the O/S is loaded, Jamf Connect won't be running.
You have a few options, none of them a great solution:
1) Disable FileVault so the user only sees the Jamf Connect login. Not recommended.
2) Have your users see dual login screens. They have to log in to FileVault and then log in again using their Entra ID.
3) Disable Jamf Connect Login and/or enable Passthrough authentication so that the user only needs to log in to the FileVault screen. They will never see the Entra ID login. This is what I do at my org.
For 2 & 3, if the user's password is changed while they are logged out of their computer, their password will not be updated until they log in again and sync their passwords.
I would encourage your users to make their password changes through Jamf Connect and not use a website. That way they always are updating both their local password and Entra password at the same time.
If they do have their password changed outside of Jamf Connect and can't remember their local password, have a process to give them the FV PRK and use it to do a password change in recovery.
For option 2: how do you configure that?
If I set the key of passthrough auth to false, it still logs in with one login attempt (FileVault screen), but I want the user to see the second login window.
You'll need the following in your com.jamf.connect.login profile:
<key>DenyLocal</key>
<true/>
(You may want to consider adding the following, though, if you want people to still be able to do local only if there is no network, like on a plane, etc.)
<key>LocalFallback</key>
<true/>
So we originally had ours configured so it shows both the FV and JC screens; now we want to only show 1 screen, so your option #3. How do we go about making this change?
Run
authchanger -reset
from a policy to reset the login window to the macOS default.
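A way to confirm the reset took effect, added here as an example and not part of the original thread or Jamf's tooling: the function classifies the plist that `security authorizationdb read system.login.console` prints. The `JamfConnectLogin:*` and `loginwindow:login` mechanism names are assumptions to confirm on a test Mac, and the sample data is constructed.

```python
import plistlib

# Mechanism names below are assumptions about what Jamf Connect Login and
# stock macOS register under system.login.console; confirm on a test Mac.
JAMF_PLUGIN = "JamfConnectLogin"
DEFAULT_UI = "loginwindow:login"


def login_window_state(authdb_plist: bytes) -> dict:
    """Classify the plist printed by
    `security authorizationdb read system.login.console`."""
    rule = plistlib.loads(authdb_plist)
    mechs = rule.get("mechanisms", [])
    jamf = [m for m in mechs if m.split(":", 1)[0] == JAMF_PLUGIN]
    has_default = DEFAULT_UI in mechs
    if jamf and not has_default:
        state = "jamf-connect"      # Jamf Connect login window is in place
    elif has_default and not jamf:
        state = "macos-default"     # what `authchanger -reset` should leave
    else:
        state = "mixed"             # partial reset or unexpected edits
    return {"state": state, "jamf_mechanisms": jamf}


def _sample(mechanisms):
    # Constructed sample input, trimmed to a few mechanisms.
    return plistlib.dumps({"class": "evaluate-mechanisms",
                           "mechanisms": mechanisms})


SAMPLE_BEFORE = _sample(["builtin:policy-banner",
                         "JamfConnectLogin:LoginUI",
                         "JamfConnectLogin:CreateUser,privileged",
                         "loginwindow:done"])
SAMPLE_AFTER = _sample(["builtin:policy-banner",
                        "loginwindow:login",
                        "builtin:authenticate,privileged",
                        "loginwindow:done"])
SAMPLE_PARTIAL = _sample(["loginwindow:login",
                          "JamfConnectLogin:CreateUser,privileged"])

if __name__ == "__main__":
    for name, data in [("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER),
                       ("partial", SAMPLE_PARTIAL)]:
        print(name, login_window_state(data))
```

A "mixed" result after the policy runs means leftover mechanisms remain and the reset should be re-run or investigated.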
What is the disadvantage of only requiring the FV login password after a restart? I feel the dual login screens are cumbersome and would like to remove the Jamf Connect SSO sign-in from appearing if there is no downside to doing so...