Login trigger and FileVault 2 using PEAP

Hello all,

My org is currently using PEAP rather than TLS for Macs to access our network. We've set it up so that JAMF is only accessible on our internal network.

Because network access doesn't occur until AFTER login (since PEAP uses the user credentials), the login trigger in a policy never gets applied (since it doesn't connect to the network, and thus JAMF, until after login). A solution to this is to push out a configuration profile that has "Use as a Login Window configuration" network setting applied. This actually works really well. The user logs in, authenticates against the local network, and policy triggers get applied.

The problem: after enabling FileVault 2, this bypasses the typical login window, and in turn bypasses the "Login Window configuration" setting. So the login trigger for policies again doesn't work.

Aside from using TLS or some kind of machine based authentication, does anyone have suggestions for a way to work around this? We would really like to use the login trigger since it's one of the only two (self service being the other) that can target a policy based on the user. It's not super critical, but makes it really painful as otherwise I have to script extension attributes based on AD lookups.

Providing public access for JAMF is currently off the table, and we will be implementing FileVault 2 company-wide regardless of the loss of functionality.

Thanks,
Jerry

Page 1 / 1

We prevent the FileVault auto-login using the following command. This causes the user to enter their password twice but as they enter it at the login window, the 802.1(1)x profile grabs the credentials for network access.

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

Source:

https://support.apple.com/en-is/HT200093

I was going to suggest the same command that @jyergatian mentions. It should address your issue. Whether its a good choice for you will largely depend on how tolerant your userbase is for this kind of stuff. Around here if we enabled that on our FV2 encrypted Macs, there would be no end to the user complaints that we are forcing them to log in with their password twice.

We preface it as the prevention method for inaccessible network connectivity after password expiration. The alternative of course, is a user manually entering their credentials after login - likely saving that to keychain, and then being without network access after changing their password...

Thanks, jyergatian. That definitely addresses the issue.

And thanks mm2270. That is definitely a concern for us as well and may be a hard sell for our userbase. Have a feeling I should get used to scripting extension attributes.

How often do users have to change there password? And are they using one or more devices like an imac and a macbook air?
With that option enabeld make sure you enable "Synchronize login keychain password with account" otherwise your users will have to login with there old password in the first window and then in the second window with there new password.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded