Defer not working...El Capitan Upgrade issue

It sounds like you have FileVault 2's automatic login process disabled on Yosemite, but you don't have it disabled on El Capitan. Here's Apple's KBase on how you can disable automatic login for FileVault-enabled accounts:

https://support.apple.com/HT202842

Also, are these Macs already encrypted? If they are, that's why fdesetup's -defer option is not working like you expect it to. An important thing to keep in mind about the -defer option is that it enables one single user account at the time of turning on FileVault 2 encryption. The -defer option does not enable multiple user accounts and cannot be used to enable accounts once FileVault 2 encryption has been turned on.

If I follow you correctly, you want FV2 to wait for a user to input a password. Once the fv2 password is correctly enter, continue with the OS bootup, but stop short of loading the desktop to allow a different user account and password. If that is the case, you want to set the FDEAuotLogin value to be YES.

Here's is a script from @rtrouton that can be used to set the value.

#!/bin/bash

# REF:  https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/Casper_Scripts/self_service_os_install/elcapitan/self_service_elcapitan_os_install.sh

osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

   # Checking for FileVault 2 encryption. If found, set FileVault 2's automatic login to
   # be disabled. 
   #
   # The reason to do this is that when upgrading a FileVault2 enabled Mac to 10.10, 
   # automatic login should  be disabled  when installing additional packages at first boot. 
   # If automatic login is not disabled, the additional packages will be skipped over.

   if [[ ${osvers} -eq 7 ]]; then
    ENCRYPTION=`diskutil cs list | grep -E "Encryption Type" | sed -e's/|//' | awk '{print $3}'`
       if [ "$ENCRYPTION" = "AES-XTS" ]; then
           echo "FileVault 2 is enabled. Enabling FDEAutoLogin."
           defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
       else
           echo "FileVault 2 is not enabled."
       fi
   fi

   if [[ ${osvers} -ge 8 ]]; then
       FDE=`fdesetup status | grep "Off"`
       if [ "$FDE" = "" ]; then
           echo "FileVault 2 is enabled. Enabling FDEAutoLogin."
           defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
       else
           echo "FileVault 2 is not enabled."
       fi
   fi

exit 0

@rtrouton I'll check the settings. But I don't think we have automatic login in with El Capitan, since it still required the user to provide the password for the initial account. But I'll double check it. Would be odd that got turned on for some reason.

And yes, all these machines are already encrypted. Figured I could just add the user account to the FV2 users so they would see that at the boot up window and login with that. Is there a way to add FV2 users after the machine is encrpyted?

Just ran a little test on El Capitan machine. I did a:
defaults read /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin

And it wasn't able to find the variables. So I did the following command:
defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

Then I did the defaults read /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin again and got: 1

So then I rebooted. Boot window came up with the roles. I selected my role and provided it password. And it still logged me into that account instead of the login window.

@roiegat,

FileVault 2's automatic login process is the default behavior. By default, a FileVault 2-enabled account logs in at the pre-boot login screen and is then taken straight into their account. There is not a second login at the OS login window unless a setting is put in place to disable the FileVault automatic login process.

You can add users to a FileVault 2-encrypted Mac, but it's a more involved process. I have it detailed here at the link below:

https://derflounder.wordpress.com/2015/12/20/managing-el-capitans-filevault-2-with-fdesetup/ (see the "Adding Additional Users After Filevault 2 Has Been Enabled" section)

@rtrouton

It makes sense that it's the FV2 default behavior, but I wonder why it worked on Yosemite. Will keep looking into it.

I checked out the link which is amazing amount of information. Quick question though, is there defer method for -usertoadd?

You guys have given me a lot to think about. I appreciate it.

@roiegat, there is not a -defer option for fdesetup's add function. The -defer option cannot be used to enable accounts once FileVault 2 encryption has been turned on.

So did a lot of digging around to figure out why it worked in Yosemite and no El Capitan and found some stuff. Since I wasn't working here when the original method was created, wasn't sure why it worked.

So I started looking at all the FV2 scripts and packages and found something that is interesting. When the accounts were set up for the roles during the initial build, they omitted one part - the PrimaryGroupID. Becuase it was lacking this, it pretty much got past the FV, and then provided the login window.

Looking at the El Capitan machines, seems like the upgrade package didn't like that and added the PrimaryGroupID of 0 to both accounts. So that's why they were able to log in. Deleting the PrimaryGroupID account fixes the issue. At least for now....would like to redo the whole thing to make it a little more effiecient...but at least figured out the problem for now.