macOS Mojave 10.14.0 (18A391) Upgrade; AD Mobile Accounts got stuck

Hello @txhaflaire ,

On my side , I had some issue with Mobile Account with AD.

I've changed Mobile Account to Network Account with the GUI "Force Local Home Directory" from Jamf and works great.

Unbind => Rebind my Mac with the new settings and now can connect perfectly.

Maybe you can try this.

Hi ! @lrabotteau

Can you explain further about the transition from Mobile Account to Network Account, after that change are you still able to log-in when being away from network?

@bjorgvin Thanks for sharing; https://www.reddit.com/r/macsysadmin/comments/9iu5b4/mojave_expired_passwords/

Update; The workaround of changing password so the pop-up windows is not appearing works for now.

2 workarounds.

One is to just turn off the password change notification.

sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 0

The 2nd was to just login while off the network. Thanks to @andyincali for helping test this and @frogor for the idea to try it.

@ClassicII Thank you for sharing :)

Confirmed having this issue as well and suggested workaround (disabling password change notification) corrected problem however I don't see this as acceptable in our production environment long term as a fix

Hopefully this is something that will be fixed in 10.14.1. Does anyone know if this has been filed with Apple?

We noticed this issue after changing the user account to mobile and using filevault 2 to encrypt the hard drive. Once we enabled filevault 2, the laptop would get stuck during boot.

If you turn off filevault, the AD mobile account works just fine.

As a work around, you can create a local account, then encrypt the hard drive. Log out of the local account and log into the mobile account. This is super annoying, but the hard drive is encrypted and mobile account works just fine, once you get through the initial boot.

We duplicated this issue by:
1. Reimaging the laptop with Mojave
2. Setup mobile user account
3. Enable filevault
4. Stuck screen at 90% loading bar and cursor (force reboot)
5. Login with local account instead of mobile
6. Logout of local and log in with mobile

I would love any suggestions or visibility to fixing this issue.

Not letting Passwords fall under 30 days for expiration seems to work for us right now. We run a 365 day length on passwords and anyone over 30 days does not have the issue while anyone at 30 days or less does. Once these users under 30 days change their password, the issue goes away.

Hi Guys,

Do you run the workaround prior to the upgrade?

Thanks

I ran into this as well when I got in to the office this morning. Thanks for confirming it's not an isolated problem.

Hi,

Yeah, i run the workaround prior the upgrade, you can also wait till 10.14.1. The issue is fixed in recent beta.

thanks @txhaflaire tried that and that works fine!

Thanks for confirming the beta fixes it too.

Same issue.

@txhaflaire do you still find that it takes a long time to log in?

I have seen this in 10.13.6, as well as 10.14.0/1 with AD mobile accounts. In every case disabling FDE auto login while booted in safe boot fixed this bug.

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES

I am having this issue with Mobile accounts on 10.14.0 - 10.14.2. Only with MacBook pro's & t2 chip

Just ran into this one myself with macOS 10.14.3 so looks like its still around:

Model: MacBookPro14,2
Processor: Intel Core i5
RAM: 8GB
Storage: 250 SSD with FileVault
Accounts:
Local
Mobile

What did i try to solve it:
- Reset PRAM
- SafeBoot (account logins possible)

This was caused by the password expiration prompt.

Darn.. we do have users (AD Mobile accounts) reporting in that when they upgraded to Big Sur, and trying to login a Password Change dialog appears so;

• Big Sur upgrade has finished
• Login Window appears and users fills in credentials and a Password Change dialog appears in Login Window, which does not accept anything
• After shutdown/reboot FileVault window -> accepts password -> Password change dialogs appears again.

Tried a lot like logging in with other local admin user and changing password for affected user, triggering password changes from AD, nothing helped except.

sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 0

@ClassicII Not sure if you had any MacAdmins reporting this in again, but if so the workaround from High Sierra -> Mojave should work.

@txhaflaire We have the exact same issue after Big Sur upgrade with our mobile accounts but running: sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 0
does not work; any other ideas?

@skumar check your existing config profiles and then the passcode payloads, i removed some of them where force password change was checked.

@txhaflaire Did that already; but no luck.
Note: when i am on the AD network the password change prompt does not appear.. its just when i am offline.