02-03-2022 08:02 AM - edited 02-03-2022 09:36 AM
Hello All!
We are getting FileVault set up on machines within our company, however, the policy banner is not populating or showing up on the FileVault login screen. I have tried removing/adding the policy configuration profile that sets the policy banner, changing the banner within Terminal as well as using the "diskutil apfs updatepreboot /" command. My FileVault screen still doesn't show the custom banner. I would like to see something similar to the below image (found online):
Any thoughts or ideas on what I may be doing wrong? Or is it even an option anymore?
Versions
Jamf Pro 10.35
Big Sur 11.6.3
Posted on 02-03-2022 08:56 AM
Do you really need to create a custom profile / policy for this? Couldn't you use the "login window" payload in configuration profiles and add a banner message?
That should show there
Posted on 02-03-2022 09:32 AM
Sorry about that, I am using a configuration profile to deploy this banner. I have removed and added it back but the FileVault login screen still doesn't have the custom banner.
Posted on 02-03-2022 10:00 AM
Is the setting actually applying on the machine? If you open "security and privacy" > General and unlock the screen, is "show a message when the screen is locked" greyed out, or can you select the "set lock message" button? If it's greyed, try applying the settings on another OS like Monterey to rule out the profiles or OS. If that setting is editable, it means it's not applied on the machine.
Posted on 02-03-2022 10:06 AM
The option to "show a message when the screen is locked out" is greyed out. I can lock my machine and I see it on the login screen. So I know it's being applied but it doesn't seem like it's being fed into FileVault's login screen. Shows up on the regular sign-in screen.
Posted on 02-04-2022 06:56 AM
I have noticed this with Apple Silicon Macs with macOS Big Sur and Monterey if the Mac has FileVault turned on. If the user logs out or the screen locks, the message does show up. I have not had a chance to address it yet since I don't have a spare Apple Silicon Mac to test with.
02-08-2022 09:18 AM - edited 02-08-2022 09:23 AM
Seems to be a misunderstanding of Filevault vs login screen. When you reboot or start-up a Filevault enabled Mac, the first screen encountered is actually the Filevault unlock screen. If the username and password entered there match that of a local filevault enabled account, then the actual log-in screen is bypassed, taking the user directly into their account/desktop. If you have ever seen where the Filevault and local password is out of sync, then you will see where the FV password is used on the first screen, then the user will be presented with an actual account log-in screen (where you would see your log-in screen message) to enter a different password since Filevault and the local account are out of sync, probably from changing the password incorrectly (happens more with AD bound Macs). Here you would see the log-in screen message you are trying to display. If you log-out of the Mac, not restart, then you will be presented with an account log-in screen to get back into the account and the Filevault unlock screen will not be used since Filevault is already unlocked, unless the Mac is configured to lock Filevault at log-out. So to make a long story short, you cannot configure a message to be displayed at the Filevault unlock screen, only the account log-in screen. So unless Apple changes the ability to configure a Filevault unlock screen message, which would actually have to be stored in Firmware I believe, there is no way that a log-in message will work with Filevault enabled Macs.
02-08-2022 09:27 AM - edited 02-08-2022 09:38 AM
Ever since I started pushing out a configuration profile to display information on the login screen, this information has always shown up on the FileVault unlock screen. I noticed that this stopped showing up on the FileVault login screen only recently, and I believe it happens with Apple Silicon Macs. I don't have one handy to test with, but it is something I have observed on more than one occasion. All of the most recent Macs I have personally worked on have been Apple Silicon. My Intel Macs, including the two that I own, all show whatever I defined in the profile on the lock screen, login screen, and FileVault unlock screen. This is all with just one configuration profile. The information on the FileVault unlock screen is identical to what shows on the login and lock screens, so the only logical conclusion is that FileVault must be reading this setting. No firmware change is needed. It's just a software setting, like the accounts that are authorized to unlock the system at start up.
Posted on 02-08-2022 09:59 AM
Just to confirm, we have Apple M1 machines with filevault enabled on the latest version of Monterey and the banner message works fine with the login window payload enabled. It appears above the shutdown, restart and sleep buttons.
One thing you might want to try is disabling filevault on one of the affected machines and then re-enabling it. I know there are issues with selecting the correct keyboard layout on filevault if it wasn't selected at the time of encryption. I wonder if it could be the same here for this setting. We apply the settings first and filevault is enabled by the first account login using jamf connect. So your processes may vary for testing.
Posted on 02-09-2022 04:03 AM
I can confirm the feature works on M1 Macs and that it is possible to change the profile after FileVault was enabled. The only restriction I ran into is that only the first line of text is displayed.
Our Macs are enrolled via prestage enrollment. They immediately receive a config profile that displays contact information and Mac serial number on the screen. Filevault is enabled when the first user logs into the Mac.
Some time after the enrollment the Computer Name changes. After this change, another Profile is pushed to the client changing the Login screen message.
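The checks that come up across this thread, gathered into one script: is the Login Window banner actually managed on the Mac, is FileVault on at all (otherwise the unlock screen is never shown), what does the single first line look like that the unlock screen will display, and the `diskutil apfs updatePreboot /` refresh from the original post. This is an added example, not code from the thread or from Jamf or Apple. It assumes the banner arrives as a managed preference at /Library/Managed Preferences/com.apple.loginwindow.plist under the LoginwindowText key, and that the live mode is invoked as root on the Mac (`sudo sh check-fv-banner.sh run`); the decision logic is kept in plain functions so it can be exercised with constructed inputs on any system.

```shell
#!/bin/sh
# Added diagnostic for the FileVault banner thread (not Jamf's or Apple's code).
# Assumptions: the Login Window payload is delivered as a managed preference
# (/Library/Managed Preferences/com.apple.loginwindow.plist, key LoginwindowText)
# and "run" mode is executed as root on macOS.

# Return 0 when the given `fdesetup status` output reports FileVault as on.
filevault_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# The unlock screen shows only the first line of the banner (as reported in
# the thread), so preview exactly that line.
preboot_banner_preview() {
    printf '%s\n' "$1" | head -n 1
}

# Decide the next step from the two observations.
# Echoes one of: no-profile, filevault-off, update-preboot
next_step() {
    banner="$1"
    fv_output="$2"
    if [ -z "$banner" ]; then
        echo no-profile
    elif ! filevault_is_on "$fv_output"; then
        echo filevault-off
    else
        echo update-preboot
    fi
}

# Live mode: read the managed banner and FileVault state, then refresh the
# preboot volume so the unlock screen picks up the current banner.
run_live_check() {
    plist='/Library/Managed Preferences/com.apple.loginwindow'
    banner=$(defaults read "$plist" LoginwindowText 2>/dev/null || true)
    fv=$(fdesetup status)
    case "$(next_step "$banner" "$fv")" in
        no-profile)
            echo "LoginwindowText is not managed on this Mac; check the profile scope in Jamf." ;;
        filevault-off)
            echo "FileVault is off; the unlock screen is not used on this Mac." ;;
        update-preboot)
            echo "First line of the banner, as the unlock screen would show it:"
            preboot_banner_preview "$banner"
            diskutil apfs updatePreboot / ;;
    esac
}

# Only touch the system when explicitly asked to, and only on macOS.
if [ "${1:-}" = "run" ] && [ "$(uname)" = "Darwin" ]; then
    run_live_check
fi
```

The `no-profile` branch is the case from the middle of the thread where the lock-message button is still editable in System Preferences: the profile never reached the Mac, so no amount of preboot updating will help. The preview line is there because a multi-line banner (contact details plus serial number, as in the last post) collapses to its first line on the unlock screen, so whatever matters most should be on that line.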