Enable FileVault (MacOS Catalina) breaks Azure AD jamfConnect

robbo007
New Contributor III

Hi,
I have Jamf Connect working with Azure AD, but as soon as I deploy a policy to enable FileVault and escrow the keys to the Jamf server, it breaks the Azure AD connectivity. A reboot shows the standard Mac login screen, and if I log off the user I get a broken Azure AD screen.

I've tried deploying FileVault first, then Jamf Connect, but I get the same problems.

Any ideas? Regards,

sdagley
Honored Contributor II

@robbo007 Enabling FileVault will always cause the display of the FileVault login screen on macOS Catalina since you're not booting into macOS after that, but booting into an intermediate stage where FileVault will display the accounts enabled to unlock the drive, and you have to authenticate with one of those before proceeding to boot macOS.

robbo007
New Contributor III

Ahh ok, so what's the best practice for using Azure AD authentication and FileVault then? Because if I do a logout once authenticated with FileVault, I can't then authenticate with Azure, as the integration seems broken.

Tribruin
Valued Contributor

If you log out you should see the Jamf Connect Login screen. If not, something is broken with the JCL. While logged in, try going into Terminal and running /usr/local/bin/authchanger -reset -JamfConnect and see if that brings the Jamf Connect Login screen back.

If you want to ensure the user sees the JCL screen after initial boot and/or restart, make sure you set the DenyLocal setting to true in your Jamf Connect Login profile. With that, the user experience will be FileVault login -> Azure Login -> Local password validation.
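
As an added illustration (not from this thread or from Jamf's own documentation), this is what a Jamf Connect Login managed-preference payload for the com.jamf.connect.login domain looks like with DenyLocal enforced. The client ID, tenant ID and the break-glass account name are placeholders; DenyLocalExcluded is assumed here so one local admin can still sign in at the login window if Azure is unreachable, which avoids locking yourself out of the Mac.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Identity provider used by the Jamf Connect Login window -->
  <key>OIDCProvider</key>
  <string>Azure</string>

  <!-- Placeholders: copy these from your Azure app registration -->
  <key>OIDCClientID</key>
  <string>00000000-0000-0000-0000-000000000000</string>
  <key>OIDCTenant</key>
  <string>00000000-0000-0000-0000-000000000000</string>
  <key>OIDCRedirectURI</key>
  <string>https://127.0.0.1/jamfconnect</string>

  <!-- Without this, a restart can drop the user at the native macOS
       login window (local password only) after the FileVault unlock.
       With it, the flow is FileVault login -> Azure login -> local
       password validation, as described in the reply above. -->
  <key>DenyLocal</key>
  <true/>

  <!-- Assumed key: accounts allowed to bypass the IdP at the login
       window. Keep exactly one break-glass local admin here so an IdP
       outage does not lock the Mac; leave the array empty otherwise. -->
  <key>DenyLocalExcluded</key>
  <array>
    <string>breakglass-admin</string>
  </array>
</dict>
</plist>
```

Deploy this as a custom settings payload in a configuration profile scoped to the same Macs as the FileVault policy, then confirm the login window with the authchanger reset from the reply above if the JCL screen still does not appear.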

robbo007
New Contributor III

OK, thanks. I'll try that. Is that the best practice if you're using Jamf Connect with Azure? FileVault login -> Azure Login -> Local password validation?

robbo007
New Contributor III

OK, that works great. Thanks.