FileVault screen not showing user

tcandela
Valued Contributor II

I have 2 users enabled with FileVault 2, but only one of them shows up when the computer is started/restarted!!!

system is Monterey

why is only 1 of the 2 users available?

The user that doesn't show up is hidden with the following script so it doesn't show up in the regular login window, but I don't see how this would affect the FV2 screen. I don't see this on pre-Monterey computers that run this script (if the script is the cause).

 

#!/bin/sh

########################### Hide from login screen

# Hide a User Account from the Login Screen of OS X
# dscl . create /Users/joey IsHidden 1

defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add joey

# Unhide a User Account from the Login Screen of OS X
# dscl . create /Users/joey IsHidden 0
# defaults delete /Library/Preferences/com.apple.loginwindow HiddenUsersList

exit $?


ljcacioppo
Contributor III

Have you checked if the user missing from the FV window has a secure token? Users without a secure token won't show up there.

tcandela
Valued Contributor II

How do I check that? It was the original account I created on the MacBook Pro, so shouldn't it have a secure token?

in JAMF it's listed as one of the 2 enabled users

 

Yes, the initial account should have a secure token. There was a bug with macOS 12.0 that in certain instances would not grant any users a secure token. If this isn't a new 14" or 16" computer, then yes, the initial user should have gotten a secure token.

You can check with the following command though:

sysadminctl -secureTokenStatus $username

tcandela
Valued Contributor II

I ran the following command and it said that the secure token for the specified user IS ENABLED

sysadminctl interactive -secureTokenStatus USER_NAME

tcandela
Valued Contributor II

@ljcacioppo would this command be the issue? It's not an issue with Big Sur and the other macOS versions.

defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add joey

I am not certain. I haven't used the hidden users list array at all. I know that hides from the login window, though.

I know on Monterey on M1 I have just a username and password field now, so I wonder if that's a new change for Monterey in general, allowing hidden users there.

seraphina
Contributor II

This article may be beneficial: https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

 

Accounts created with CLI utilities aren't granted a SecureToken and can't decrypt a FV2 volume, though I am not sure if this is a Monterey bug since you said the account does have a SecureToken.

tcandela
Valued Contributor II

@seraphina the 'joey' account was not created via CLI. It was created as the first account when setting up the first user, is an administrator account, and has a secure token. Afterwards I ran that script to hide the account from showing up in the login window. Now it also doesn't even show up in the FV2 login window.

I wiped the computer and set it back up again and this time did not run that hide 'joey' account from login window and the account now does show up in the FV2 login window when the computer starts up.

 

Prior to Monterey that script was fine when run on the other macOS versions. Is there something in that one line that is not compatible with Monterey?

defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add joey

 

@tcandela I think I found your solution.

 

I created my account with the command line as a proof of concept, but you can modify this as you see fit.

 

Create the account with the necessary attributes and hide it.

Verify the account can decrypt the volume (the final entry is the UUID of my test account per Directory Utility).

Finish this off by running the following commands (both write to system locations, so both need root):

% sudo defaults write /Library/Preferences/com.apple.loginwindow.plist HiddenUsersList -array-add username
% sudo diskutil apfs updatePreboot /

 

Reboot and you should see your hidden account in the FV2 decrypt list without it being present on the login window.
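Putting the thread's findings together as one script (an added example, not a script posted by anyone in the thread): it checks the two preconditions raised above, that the account holds a SecureToken (sysadminctl) and is already a FileVault-enabled user (fdesetup list), hides the account with the same defaults write as the original script, and then runs diskutil apfs updatePreboot / so the hidden account is still listed on the FileVault 2 unlock screen. It assumes macOS 12 or later, running as root (for example from a Jamf policy), and that fdesetup list prints one username,UUID pair per line; the two parsing helpers are kept as plain text filters so they can be tried with constructed input on any machine.

```shell
#!/bin/sh
# hide_fv_user.sh
# Added example, not a script from the original thread. Hides an account from
# the macOS login window and then refreshes the APFS Preboot volume so the same
# account still appears on the FileVault 2 pre-boot unlock screen. Assumptions:
# macOS 12 or later, run as root (e.g. from a Jamf policy), and the username to
# hide passed as the first argument.
set -eu

LOGINWINDOW_PLIST="/Library/Preferences/com.apple.loginwindow"

# fv_enabled_in_list USER
# Reads `fdesetup list` output on stdin (assumed format: one "username,UUID"
# per line) and returns 0 if USER is one of the FileVault-enabled users,
# 1 otherwise. Kept as a pure text filter so it can be exercised offline.
fv_enabled_in_list() {
    wanted="$1"
    while IFS=, read -r name _uuid; do
        if [ "$name" = "$wanted" ]; then
            return 0
        fi
    done
    return 1
}

# token_enabled_in_status
# Reads `sysadminctl -secureTokenStatus USER` output on stdin and returns 0 if
# it reports the token as enabled ("Secure token is ENABLED for user ...").
token_enabled_in_status() {
    grep -q 'is ENABLED'
}

# hide_fv_user USER
# Checks the preconditions, hides USER from loginwindow, then updates Preboot.
hide_fv_user() {
    user="$1"

    # Without a SecureToken the account cannot be a FileVault unlock user, so
    # no Preboot update would make it appear on the unlock screen.
    # sysadminctl writes its status line to stderr, hence the 2>&1.
    if ! sysadminctl -secureTokenStatus "$user" 2>&1 | token_enabled_in_status; then
        echo "error: $user has no SecureToken" >&2
        return 1
    fi

    # The account must also already be a FileVault-enabled user.
    if ! fdesetup list | fv_enabled_in_list "$user"; then
        echo "error: $user is not a FileVault-enabled user" >&2
        return 1
    fi

    # Hide the account from the login window (writes under /Library, so root).
    defaults write "$LOGINWINDOW_PLIST" HiddenUsersList -array-add "$user"

    # The pre-boot unlock screen reads its user list from the Preboot volume,
    # not from the live system, so push the change there. This is the step
    # the original hide-only script in this thread did not have.
    diskutil apfs updatePreboot /

    echo "$user hidden from loginwindow; Preboot updated, reboot to verify"
}

# Run only when invoked with a username, so the functions above can be
# sourced or tested without touching the system.
if [ "$#" -gt 0 ]; then
    hide_fv_user "$1"
fi
```

Run it as `sudo ./hide_fv_user.sh joey` and reboot; the Preboot update is the difference between this and the original script, which matches the observation above that the account reappeared on the unlock screen as soon as the hide script was not run.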