Question

Once FileVault is enabled and connecting Mac machine in AD, how to allow multiple network user to login

  • August 22, 2019


After installing the MDM profile and turning ON FileVault, along with enabling the login screen to show username and password, I am not able to log in after a reboot, as it only allows me to click on Local Admin users. However, after I log in with the local admin user and log out, I am able to see the login screen that shows username and password. Is this a limitation from Apple?
Then, what will happen for a machine that is connected to AD when we have random network users who want to log in on that machine? Any alternative or solution?

3 replies

ThijsX
  • Employee
  • August 22, 2019

Hi, @udhy

This is expected behaviour. Your boot volume, aka "Macintosh HD", is protected so that only FileVault-enabled users can unlock/decrypt the disk before macOS gets loaded.

I assume this is a shared device or an iMac; I recommend getting a physical lock for your device to prevent it from leaving the office.

As you describe, you are authenticated with your local admin user, and if you then press log out, the Network Login Window will show up, which allows you to log in with network users (if enabled and bound to AD), because at that moment the volume is already unlocked.


  • Valued Contributor
  • August 22, 2019

@udhy If you want some minimal level of preboot restrictions, you can enable a firmware password to prevent users from accessing the recovery partition or booting from an external volume. A lot of shared/lab environments are set up that way because of FileVault behavior.

https://support.apple.com/en-us/HT204455


ThijsX
  • Employee
  • August 22, 2019

As @sshort says, that is an option to make it even more secure! I also recommend setting an EFI/firmware password on FileVault-enabled macOS devices.
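An added audit script, not from this thread or from Jamf, that covers the two points raised above: which accounts are actually FileVault-enabled (and so can unlock the boot volume at preboot) and whether a firmware password is set. It assumes the standard macOS `fdesetup list` output of one `user,UUID` line per enabled account and the `firmwarepasswd -check` line `Password Enabled: Yes|No`; the parsing is separated from the live commands so it can be checked against constructed input on any system, and the account names in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit which accounts can unlock the
# FileVault-protected boot volume at preboot, and whether a firmware password
# is set. Run the live part as root on the Mac; the parsing functions are pure.

# $1: output of `sudo fdesetup list` (one "user,UUID" line per enabled account)
# Prints the enabled account names, one per line.
fv_enabled_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# $1: fdesetup list output, $2: account name. Prints "yes" if that account can
# unlock the disk at the preboot login screen, otherwise "no".
fv_user_status() {
  printf '%s\n' "$1" | awk -F, -v u="$2" 'BEGIN { r = "no" } $1 == u { r = "yes" } END { print r }'
}

# $1: fdesetup list output, $2: space-separated accounts expected to unlock.
# Prints the expected accounts that are NOT FileVault-enabled (e.g. AD network
# accounts that never received a preboot unlock key), space-separated.
fv_missing_users() {
  missing=""
  for u in $2; do
    [ "$(fv_user_status "$1" "$u")" = "yes" ] || missing="$missing $u"
  done
  printf '%s\n' "${missing# }"
}

# $1: output of `sudo firmwarepasswd -check` ("Password Enabled: Yes|No").
# Prints "yes" or "no".
firmware_password_enabled() {
  case "$1" in
    *"Password Enabled: Yes"*) echo yes ;;
    *) echo no ;;
  esac
}

# Live audit, only on a Mac where both tools exist (skipped elsewhere).
if command -v fdesetup >/dev/null 2>&1 && command -v firmwarepasswd >/dev/null 2>&1; then
  list="$(fdesetup list 2>/dev/null || true)"
  echo "Accounts able to unlock at preboot:"
  fv_enabled_users "$list"
  echo "Firmware password set: $(firmware_password_enabled "$(firmwarepasswd -check 2>/dev/null || true)")"
fi
```

Pass the list of AD accounts you expect to share the machine to `fv_missing_users` to see which of them would be stuck at the preboot screen described in the question.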