Posted on 12-06-2021 09:23 AM
I have 2 users enabled with FileVault 2 but only one of them shows up when the computer is started/restarted !!!
System is Monterey.
Why is only 1 of the 2 users available?
The user that doesn't show up is hidden with the following script so it doesn't show up in the regular login window, but I don't see how this would affect the FV2 screen. I don't see this on pre-Monterey computers that run this script (if it is the cause of the script).
#!/bin/sh
########################### Hide from login screen
# Hide a User Account from the Login Screen of OS X
# dscl . create /Users/joey IsHidden 1
defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add joey
# Unhide a User Account from the Login Screen of OS X
# dscl . create /Users/joey IsHidden 0
# defaults delete /Library/Preferences/com.apple.loginwindow HiddenUsersList
exit $?
Posted on 12-06-2021 11:00 AM
Have you checked if the user missing from the FV window has a secure token? Users without a secure token won't show up there.
Posted on 12-06-2021 11:42 AM
How do I check that? It was the original account I created on the MacBook Pro, so shouldn't it have a secure token?
In JAMF it's listed as one of the 2 enabled users.
Posted on 12-06-2021 11:45 AM
Yes, the initial account should have a secure token. There was a bug with macOS 12.0 that in certain instances would not grant any users a secure token. If this isn't a new 14" or 16" computer, then yes, the initial user should have gotten a secure token.
You can check with the following command though:
sysadminctl -secureTokenStatus $username
Posted on 12-06-2021 11:46 AM
I ran the following command and it said that the secure token for the specified user IS ENABLED
sysadminctl interactive -secureTokenStatus USER_NAME
Posted on 12-06-2021 12:45 PM
@ljcacioppo would this command be the issue? It's not an issue with Big Sur and the other macOS's.
defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add joey
Posted on 12-06-2021 12:48 PM
I am not certain. I haven't used the hidden users list array at all. I know that hides from the login window though.
I know on Monterey on M1 I have just a username and password field now, so I wonder if that's a new change for Monterey in general, allowing hidden users there.
Posted on 12-09-2021 07:21 AM
This article may be beneficial: https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/
Accounts created with CLI utilities aren't granted a SecureToken and can't decrypt a FV2 volume, though I am not sure if this is a Monterey bug since you said the account does have a SecureToken.
Posted on 12-09-2021 12:58 PM
@seraphina the 'joey' account was not created via CLI. It was created as the first account when setting up the first user and is an administrator account and has a secure token. Afterwards I ran that script to hide the account from showing up in the login window. Now it also doesn't even show up in the FV2 login window.
I wiped the computer and set it back up again and this time did not run that hide 'joey' account from login window and the account now does show up in the FV2 login window when the computer starts up.
Prior to Monterey that script was fine when run on the other macOS's. Is there something in that one line that is not compatible with Monterey?
defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add joey
Posted on 12-09-2021 02:35 PM
@tcandela I think I found your solution
I created my account with command line as a proof of concept but you can modify this as you see fit
Create the account with the necessary attributes and hide it
Verify the account can decrypt the volume (the final entry is the UUID of my test account per Directory Utility)
Finish this off by running the following commands
% defaults write /Library/Preferences/com.apple.loginwindow.plist HiddenUsersList -array-add username
% sudo diskutil apfs updatePreboot /
Reboot and you should see your hidden account in the FV2 decrypt list without it being present on the login window.
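Added example, not written by any poster in this thread: a shell script that cross-checks the FileVault-enabled user list against `HiddenUsersList` to find accounts that are both, which is the combination this thread is about. It assumes `fdesetup list` prints `shortname,UUID` lines and `defaults read` prints a parenthesised array; the function names and the `--audit` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Parsers read command output on stdin
# so they can be exercised with constructed samples on any system.

# `fdesetup list` is assumed to print one "shortname,UUID" line per enabled user.
fv_users() {
    awk -F, 'NF >= 2 { print $1 }'
}

# `defaults read ... HiddenUsersList` is assumed to print "(", one item per
# line (comma-separated, optionally quoted), then ")".
hidden_users() {
    awk '
        { gsub(/^[ \t]+|[ \t,]+$/, ""); gsub(/^"|"$/, "") }
        $0 != "" && $0 != "(" && $0 != ")" { print }
    '
}

# Print every user present in both newline-separated lists.
# $1 = FileVault-enabled users, $2 = hidden users.
hidden_fv_users() {
    printf '%s\n' "$1" | while IFS= read -r u; do
        if [ -n "$u" ] && printf '%s\n' "$2" | grep -qxF -- "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# Live audit: run as root on the Mac with the hypothetical --audit switch.
if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--audit" ]; then
    fv=$(fdesetup list | fv_users)
    hidden=$(defaults read /Library/Preferences/com.apple.loginwindow \
        HiddenUsersList 2>/dev/null | hidden_users)
    hidden_fv_users "$fv" "$hidden" | while IFS= read -r u; do
        echo "$u: FileVault-enabled and in HiddenUsersList"
        sysadminctl -secureTokenStatus "$u" 2>&1
        echo "  after changing HiddenUsersList, the last post above runs:"
        echo "  sudo diskutil apfs updatePreboot /"
    done
fi
```

Any account it reports is one to confirm at the FileVault unlock screen after the next reboot.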