Posted on 10-28-2014 09:25 AM
Hi JAMF community
I have a question about the login screen for FV2. I have been able to modify it with text etc., but have not been able to get this to work on a Mavericks machine to get the FULLNAME option to come across; it still has the user icon. I am looking to do this for added security.
So I am doing this:
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Property of Name of Company and contact Tele" ---> Working
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false -----> Not Working
even if I run either of these commands afterwards:
sudo touch /System/Library/PrivateFrameworks/EFILogin.framework/Resources/EFIResourceBuilder.bundle/Contents/Resources - preferred sync method recommended by Apple (as I have seen on other posts)
(sudo) rm /System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/*.efires - not recommended but still not working anyway.
Anyone have any ideas as to where I am going wrong with this?
Thanks in advance.
Posted on 10-28-2014 09:37 AM
Sorry, have also tried this way:
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
and also does not work, have also substituted the false and true for CAPS and that didn't work either...
Posted on 10-28-2014 09:37 AM
Not possible to do this when FV2 is enabled.
I assume since you're asking how to do this, you're as bothered by the fact that the username shows in plain sight as many of us. I've seen this since day one as a big security issue.
We submitted a request to Apple years ago to have this changed or give us an option to change it, but nothing has come of it yet, so we're stuck with the user icons at the FV2 login screen for now.
Posted on 10-28-2014 09:52 AM
Yes, for sure, half the battle of getting into the machine has already been provided, now they just have to guess a password. As for most users, they do not always choose the most taxing of passwords for security, whereas if you had to guess the username on top of this it would make it way more difficult. I have seen threads where people have been trying to do this such as this one:
https://jamfnation.jamfsoftware.com/discussion.html?id=7531
But alas.... And this machine before I enabled FV2 had the name and login password options selected so that does not help either....
Posted on 10-28-2014 09:57 AM
Trust me, it does not work and there isn't currently a way to make it work. If there is and you find a way, please do post on how. This has been a gripe of mine for a while now.
On another thread, rtrouton politely mentioned that this is not as much Apple being stubborn as it is lack of features in the current EFI where FV2 lives. Apparently it's not easy to make this change happen in the EFI space. While I logically understand that, part of me feels that Apple has the engineering chops to find a way to make it happen (if they want to), but isn't especially bothered about it apparently.
Like you I agree that knowing the username is half the battle and defeats some of the security FV2 provides in the first place. I sure wish Apple would come up with a way to change this.
Posted on 10-28-2014 10:16 AM
If I find anything I will definitely post.
Yes I do wish Apple would sort this, makes little sense to have such security when you bypass it by providing the username that has access to this "highly secure machine" you can log in with right from the get go!
Posted on 10-28-2014 10:46 AM
@Treger, I've been fooling around with modifying the FV2 Login UI, but be careful. You are close to what it needs to make the change.
As you mentioned, the location for all information for the EFI is /usr/standalone/i386/EfiLoginUI.
Now there was a guy on superuser.com that created a tool to read these files. He didn't post, maybe you can get ahold of him to release his tool. Here is his link http://superuser.com/questions/362788/how-do-i-change-the-filevault-login-icon-on-osx-lion
Also, what we have been toying with is changing the logos on the FV2 Login page.
After we changed the icons in the mentioned post above, we ran a "fdesetup sync" which then copied the files over to the partition. This seems to work, but sometimes makes the UI buggy, you have to make sure your images are within the boundaries of the UI.
Hope you get it workin!
Posted on 10-28-2014 10:55 AM
I think Rich's thread said that he had a ticket open with Apple about this issue. Time for Apple to fix this issue!!!!!
Posted on 10-28-2014 10:55 AM
According to @rtrouton there is no way to change that FV2 login screen.
Posted on 10-28-2014 11:05 AM
@GaToRAiD Thanks bud, I will give that a go. I am not too fussed about the logo, it's just the usernames already there that concern me. I have found that modifying the login/splash screen always produces a "lag" effect for logging in, but in this case I am willing to make the sacrifice of a login lag to have a screen where a potential "data thief" does not have half the job done for them by having a username provided for them to just try to crack a password....
Posted on 10-28-2014 11:08 AM
The last time I spoke in person with Apple's engineers about this issue (two WWDCs ago), the answer I got back from them was that providing username and password blanks was "impossible". If you want to see if Apple can fix this anyway, the place to file that feature request is at the following location:
Posted on 10-28-2014 11:14 AM
@rtrouton Thanks, I will try to submit a feature request. Am I being pedantic here or have other people got the same worry? I just feel that if you have the need to encrypt, surely you are looking to be secure; being secure and providing a username for someone to have a crack at with passwords is not seemingly so secure, is it? Especially if you look at posts about passwords and how many people have more or less the same one etc. The other point is that if it is not a regular password, having a user's name and possibly a picture of them, you can track them down with social networks and then acquire information to try other password combinations, i.e. names of family members, relevant dates etc...
Maybe I am just going over the top?
Posted on 10-28-2014 11:24 AM
Thanks Rich.
We still have an open AppleCare case with them on it, but the status has been at "Pending: Feature Request with Engineers" for about 2 years now and no real movement. Two WWDCs ago was a while ago now, so I still hold a glimmer of hope Apple is working on finding a way to do it.
Posted on 10-28-2014 12:08 PM
I don't think your worries are misplaced, I just think that this is a hard problem for Apple to solve.
Posted on 10-28-2014 12:09 PM
It shows the long name, not the user name. Chances are if they stole the computer they got the laptop bag it was in, which likely has a business card or two, and quite possibly the password written down anyway. If it's stolen, lock/wipe it with MDM and it's not an issue.
Personally I hate the little picture just because to log in to a computer you should have to type stuff. Remember Apple knows much more about what people want to do, like reverse mouse scrolling, than the users themselves do though, so some things you file a bug on and learn to live with it.