Jamf Connect and File Vault

Jana175
New Contributor

Hi, we have recently started using Jamf connect for our Mac Users. We are using a test user right now. 

I have noticed that, when you restart the computer, it will ask for a username and password, and it will not show the Microsoft Entra login screen. It will show the Microsoft Entra login screen once the user signs out, but if the user restarts the computer it will show the FileVault login screen. 

So the issue with this is, we have a password policy for our end users to change their passwords every 90 days. So it's possible they will change their password and will not be able to log in to the Mac unless they use their old password. Or they might forget their password altogether, and then I am not sure how we will be able to get back in on the Mac. 


Is there a way to disable the FileVault login screen so the user will just see the Microsoft Entra login screen even when they restart the computer? The Microsoft Entra login screen only appears when the user signs out instead of shutting off the computer. 


Tribruin
Valued Contributor II

You cannot disable the FileVault screen without disabling FileVault. Think about it this way: the computer needs to retrieve the encryption key prior to booting the O/S. Until the O/S is loaded, Jamf Connect won't be running. 

You have a few options, none of them a great solution:

1) Disable FileVault so the user only sees the Jamf Connect login. Not recommended.

2) Have your users see dual login screens. They have to log in to FileVault and then log in again using their Entra ID. 

3) Disable Jamf Connect Login and/or enable Passthrough authentication so that the user only needs to log in to the FileVault screen. They will never see the Entra ID login. This is what I do at my org. 

For 2 & 3, if the user's password is changed while they are logged out of their computer, their password will not be updated until they log in again and sync their passwords. 

I would encourage your users to make their password changes through Jamf Connect and not use a website. That way they are always updating both their local password and their Entra password at the same time. 

If they do change their password outside of Jamf Connect and can't remember their local password, have a process to give them the FV PRK and use it to do a password change in recovery. 

bbernert
New Contributor II

For option 2: how do you configure that? 

If I set the passthrough auth key to false, it still logs in with one login attempt (FileVault screen), but I want the user to see the second login window.

You'll need the following in your com.jamf.connect.login profile: 
<key>DenyLocal</key> <true/>

(You may want to consider adding the following too, if you want people to still be able to do local-only login when there is no network, like on a plane, etc.)
<key>LocalFallback</key> <true/>


So we originally have ours configured so it shows both the FV and JC screens; now we want to only show one screen, so your option #3. How do we go about making this change?
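As an added illustration (not posted by anyone in this thread), this is how the keys mentioned above fit together as a com.jamf.connect.login preference fragment for option 2 (dual login screens). The DenyLocal and LocalFallback keys are the ones named above; the PassThroughAuth key name is an assumption for the "passthrough auth" key referred to in the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Require the Jamf Connect (Entra) login window; do not accept a local-only login -->
    <key>DenyLocal</key>
    <true/>
    <!-- Still allow a local login when the identity provider cannot be reached (offline) -->
    <key>LocalFallback</key>
    <true/>
    <!-- Assumed key name: do not pass the FileVault credentials through, so the second window appears -->
    <key>PassThroughAuth</key>
    <false/>
</dict>
</plist>
```

Deploy it as the com.jamf.connect.login domain of a configuration profile; a user who later changes their password outside Jamf Connect still has the old local password at the FileVault screen until the next successful Entra sign-in syncs it.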

Tribruin
Valued Contributor II

Run

authchanger -reset

from a policy to reset the login window to the macOS default. 

What is the disadvantage of only requiring the FV login password after a restart? I feel the dual login screens are cumbersome and would like to remove the Jamf Connect SSO sign-in from appearing if there is no downside to doing so...