Auto Login with FileVault Enabled

TyShane
New Contributor

Hello Everyone,

I am looking for a JAMF solution that can auto-login a local user after an unexpected reboot. I've seen this post and am unsure whether it will be useful or if it is a similar solution to what I am looking for. FileVault is also enabled, and I've been told that this is not possible with FV enabled.

For context: I am using Mac Minis that are managed by JAMF; they have a hardwired connection 24/7 and are expected to run 24/7 as digital signage. The Mac Minis will turn off occasionally without a reason, even after looking into the logs. If JAMF Pro has a solution to run a script and push it to a device at the login screen, that would resolve the issue.


Whatever information you can give me helps! Thank you in advance!


sdagley
Esteemed Contributor II

@TyShane It's not possible with FileVault enabled. When a Mac with FV enabled boots, it's not booting directly into macOS. It's booting into a specialized partition that's waiting for the key needed to unlock the drive before it can boot into macOS. You have to enter that key on a locally connected keyboard, or what the Mac thinks is a keyboard, to unlock the drive.

You could connect the minis to a networked KVM for that (that's what I'm using for my remote mini)

talkingmoose
Moderator

Is there a reason these minis are encrypted? For their purpose, it doesn’t sound like they’d be storing sensitive data.

scottb
Honored Contributor

I agree with @talkingmoose. If they are sitting somewhere in the open, I doubt they've got sensitive data on them.

Also, if you turn off FileVault, you can set the Mac to start up at a certain time every day and auto-login. Problem solved...

TyShane
New Contributor

@sdagley Tell me more about this networked KVM, my second idea was to have some type of hardware connected to the mini to check if it is not logged in and then act as a local keyboard to enter credentials.

As for the reason why FV is still enabled: the Mini is hardwired to the network 24/7, and if FV were disabled, that would make things less secure since the Mini has access to the overall network. From a security standpoint, this network can't be compromised in any way if FV is disabled. I'm no expert when it comes to what is accessible via networks, but it is for overall security.

sdagley
Esteemed Contributor II

@TyShane I didn't have anything to do with the selection or setup, but the KVM my remote Mac mini is connected to is this: Raritan Dominion KX III

FileVault encryption is only useful before the macOS has booted. It protects data at rest on the disk.

Once you’ve booted and logged in, disk encryption isn’t helping you. You’ve already unlocked FileVault and the strength of your security now depends on the strength of the password of the logged in account.

mm2270
Legendary Contributor III

I would strongly suggest you consider the advice offered by @talkingmoose and others here, that FileVault should probably not be needed on these minis. As stated, FileVault is doing absolutely nothing to protect your network, because once the device is booted up and connects to the network, there is no encryption in place. It only protects the internal drive from being accessed from a shutdown/restart if the device is stolen or whatnot.

Plus, correct me if I'm not understanding, but you're basically asking how to make these less secure by having them auto log in after a boot up, no? In the world of finance where I work, this would be unfathomable to even consider. But, as these are just kiosks, it's probably an acceptable compromise. My suggestion would be to remove FV2, and optionally, enable auto login for the primary account, and this won't be a problem anymore.

sdagley
Esteemed Contributor II

Any options for a non-Mac mini signage system? I haven't tried any for this myself, but I understand the Apple TV is often utilized for digital signage, and they can be managed via Jamf Pro.

scottb
Honored Contributor

We used to (when I was in an office with demo Macs) have network drops that were heavily limited. Based on your setup, it sure seems like you can make other changes and make the Mac more reliable for its purpose.

I did exactly what you're doing in lobbies for customers to watch while waiting, etc. I would look at ways to limit the Mac while not locking it down, per se.

Jaykrishna1
Contributor II

Unfortunately, auto-login for a local user is not possible with FileVault enabled. This is due to the security features built into FileVault, which require a user to enter their password to unlock the encrypted disk before logging in.

However, there is a workaround to achieve a similar result using a launch agent or launch daemon. A launch agent or launch daemon is a system-level process that launches automatically and runs in the background. You can use a launch agent or launch daemon to run a script that logs in the user automatically after an unexpected reboot.

Here is a basic overview of how you can create a launch agent or launch daemon to auto-login a user:

  1. Create a script that logs in the user automatically.
  2. Save the script in a location that is accessible to the launch agent or launch daemon.
  3. Create a property list file (plist) that specifies the launch agent or launch daemon configuration, including the path to the script.
  4. Save the plist file in the appropriate location for launch agents or launch daemons.
  5. Use JAMF Pro to distribute the plist file to the Mac Mini devices.

Note that this solution is intended for use in a controlled environment, such as a digital signage setup, and may not be suitable for other use cases where security is a concern. Additionally, you should be familiar with the Mac command-line and scripting to implement this solution.

sdagley
Esteemed Contributor II

@Jaykrishna1 Your proposed solution won't work because LaunchDaemons are not triggered until a user logs in when FileVault is enabled. The FileVault login screen isn't actually booted into macOS proper, it's a pre-boot that's just responsible for handling the user entry of the credentials for a user with permission to unlock the drive.

It is possible to reboot and unlock an FV-enabled Mac using the fdesetup command with the authrestart verb, but that's not going to be useful for unplanned restarts.
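The distinction sdagley draws above, between an unplanned reboot (which always stops at the FileVault pre-boot unlock screen) and a planned one (which `fdesetup authrestart` can carry through a single unlock), is the kind of thing an admin would want a Jamf policy script to reason about before scheduling a restart. The following is an added shell example, not code posted by anyone in this thread; the function names and the decision logic are my own, and the parsing functions take the command output as an argument so they can be exercised offline with constructed strings. It relies only on the real `fdesetup status`, `fdesetup supportsauthrestart` and `fdesetup authrestart` verbs:

```shell
#!/bin/sh
# Added example (not from this thread's posters): choose a restart strategy
# for a FileVault-enabled Mac. An unexpected power loss still lands on the
# pre-boot unlock screen no matter what; this only helps planned restarts.

# Parse the output of `fdesetup status` ("FileVault is On." / "FileVault is Off.").
# Returns 0 when FileVault is enabled.
fv_is_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse the output of `fdesetup supportsauthrestart` ("true" / "false").
authrestart_supported() {
    [ "$1" = "true" ]
}

# Decide what a planned restart will do, given the two status strings.
# Prints one of: plain_reboot, authrestart, prompt_at_preboot
restart_strategy() {
    if ! fv_is_on "$1"; then
        echo plain_reboot       # no pre-boot unlock, so auto-login can proceed
    elif authrestart_supported "$2"; then
        echo authrestart        # one-time bypass of the pre-boot unlock
    else
        echo prompt_at_preboot  # someone must enter the key at the Mac (or via a KVM)
    fi
}

# Live wrapper: only meaningful on macOS, run as root. Queries the real
# fdesetup and performs the planned restart (or reports that it cannot).
planned_restart() {
    status=$(fdesetup status 2>/dev/null)
    support=$(fdesetup supportsauthrestart 2>/dev/null)
    case "$(restart_strategy "$status" "$support")" in
        plain_reboot)      shutdown -r now ;;
        authrestart)       fdesetup authrestart ;;  # prompts for an unlock-capable user's password
        prompt_at_preboot) echo "Planned restart would stop at the FileVault unlock screen" >&2; return 1 ;;
    esac
}

# The live path runs only when explicitly requested: `sudo sh fv_restart.sh --run`
if [ "${1:-}" = "--run" ]; then
    planned_restart
fi
```

Because `fdesetup authrestart` needs the password of a user who can unlock the volume, it is an interactive (or at least credential-holding) operation; that is exactly why it covers a scheduled maintenance reboot but not the random shutdowns the original poster is seeing.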