FileVault Jamf Connect Azure MFA multiple logins

barrycuda
New Contributor II

Still trying to wrap my head around how this works. I have an enrollment process in place where I can send a user a new-in-the-box Mac and it pretty much sets itself up; we have to have FileVault encryption and we are using Azure with MFA. After everything is completed, if the user reboots they are presented with the FileVault login, then it brings up the Jamf Connect login to Azure, which will prompt for MFA. Is that the expected behavior?

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor II

Depending on your MacOS, JAMF Connect and Azure configurations, yes. This seems to be working as it should be for best practices.

  • If you are following Jamf's recommendations for Jamf Connect, you have disabled FileVault authorizing macOS login (plist XML is below). This will require a user to log in to both FileVault and macOS individually.
    • If you do not disable this, FileVault will bypass Jamf Connect and IdP authentication when it clears the login keychain.
    • FileVault and macOS's login screen are two different things; in out-of-box cases FileVault can pass a login token to macOS to allow a user to skip the macOS login screen.
  • The MFA part is configured in Azure; I'd wager your Azure conditional access is set to require MFA.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>DisableFDEAutoLogin</key>
    <true/>
  </dict>
</plist>
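As an added example (not code from the thread or from Jamf), the following Python builds a configuration profile that carries the DisableFDEAutoLogin setting above and audits either a full profile or the bare plist from the reply to confirm FileVault auto-login is really disabled. It assumes the key is deployed as a managed preference for the com.apple.loginwindow domain; the organization name, identifiers and UUIDs are constructed placeholders.

```python
"""Build and audit a profile that stops FileVault from auto-logging into macOS."""
import plistlib
import uuid

# Assumption: DisableFDEAutoLogin is a com.apple.loginwindow managed preference.
LOGINWINDOW_DOMAIN = "com.apple.loginwindow"
KEY = "DisableFDEAutoLogin"

# The plist posted in the reply, embedded here as sample input for the audit.
THREAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>DisableFDEAutoLogin</key>
    <true/>
  </dict>
</plist>
"""


def build_profile(org="Example Org", identifier="com.example.disable-fde-autologin"):
    """Return a .mobileconfig (XML plist bytes) with one loginwindow payload.

    org/identifier are placeholders; PayloadUUIDs are generated per call.
    """
    payload = {
        "PayloadType": LOGINWINDOW_DOMAIN,
        "PayloadIdentifier": f"{identifier}.loginwindow",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Require a separate macOS login after FileVault",
        KEY: True,  # FileVault must not hand its token to loginwindow
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadOrganization": org,
        "PayloadDisplayName": "Disable FileVault auto-login (Jamf Connect)",
        "PayloadScope": "System",  # device-level, so it applies at the login window
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def fde_autologin_disabled(plist_bytes):
    """True only if the loginwindow domain sets DisableFDEAutoLogin to true.

    Accepts a full profile (has PayloadContent) or a bare preference plist.
    A missing key or a <false/> value counts as NOT disabled.
    """
    data = plistlib.loads(plist_bytes)
    if "PayloadContent" not in data:  # bare plist like the one in the reply
        return data.get(KEY) is True
    return any(p.get("PayloadType") == LOGINWINDOW_DOMAIN and p.get(KEY) is True
               for p in data["PayloadContent"])
```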
