Unable to login to the Mac using either AD or local IDs

Khikoman
New Contributor II

Hi All,

We suddenly have a few Macs where, after a restart/shutdown, users are not able to log in to their accounts.

All Macs are FileVault-enabled and users are added to FileVault by default (we use AD – mobile accounts). Our local admin is also a FileVault user and disk owner.

But we can’t even log in as our local admin. It just shows a black screen and then loops back to the login page.

We are able to temporarily fix this by reinstalling macOS (without erasing the disk).

Has anyone experienced the same issue?

There were no changes to any of our existing policies in JAMF.

We are also using McAfee as our endpoint security, including the encryption as well.

4 REPLIES

AJPinto
Honored Contributor II

Are you not able to use the recovery key from JAMF? It should work for your local account; for the AD accounts, using the recovery key will desync the user's profile from AD, as macOS forces a password change locally.

Somewhat related: Apple is very clear about getting away from Domain Binding and using local accounts. Apple is no longer developing macOS with this workflow in mind. The FileVault Recovery Key workflow is one area that already does have issues with Mobile Accounts.

Khikoman
New Contributor II

Hi,

The problem is that we are using McAfee to handle disk encryption on the machine.

In our policy, we have disabled all software updates, as well as critical software updates. Is there a chance that any critical updates will still try to force themselves to install on the Mac?

AJPinto
Honored Contributor II

Move to using JAMF to enable FileVault. McAfee would be using a script to enable FileVault, which is a fully deprecated process that will be retired soon. There may be a recovery key escrowed from that, but it depends on what McAfee is doing with that script. However, Apple's spec for FileVault is to use a Configuration Profile from MDM to enable FileVault. If you want to minimize issues, do things the way Apple says to do them.

https://support.apple.com/guide/security/managing-filevault-sec8447f5049/web

As far as OS updates, it's not possible to disable all software updates. Apple allows deferrals up to 90 days; that is the farthest you can block them. If you have OS update deferrals configured, no OS updates, even once you tell the Mac to install with JAMF, will be able to install until the deferral date has passed.

https://support.apple.com/guide/security/managing-filevault-sec8447f5049/web

Khikoman
New Contributor II

I am now looking into using JAMF Protect; that way, we can drop McAfee altogether. :-)