Login Window: Name and Password Text Fields odd behavior:

JeyT
New Contributor III

I am just trying to set the login window to "name and password text fields" using a Config Profile, Login Window payload. We don't want to have a list of accounts in the login window but prefer the user to enter their user ID and PW. It seems to work sporadically. It would seem when the Mac reboots, I only get the one standard user listed (see pic)? When I log in with that account, then log off, the login window appears how the config profile is set, "name and password text fields". Not sure why it's going back and forth. We had originally had the default config profile set to "List" but have since switched to the "Name and Password Text Fields". Tested on 3 Macs.
1 Sierra Mac is going back and forth. 2 Mojave Macs, one working correctly, the other going back and forth too. Thanks

7 REPLIES

tdclark
Contributor

Are you using FileVault? This looks like a FV login window, which is what it is supposed to look like!

JeyT
New Contributor III

We sure are using FV. So if I have FV enabled and switch to the "Name and Password Text Fields", it will only show FV enabled users? I assume that's what's occurring here? Still pretty new to Jamf, so learning as we go. Thanks for the reply.

seraphina
Contributor II

Yes, this list will only show users that are able to decrypt the drive. You will need to generate a SecureToken for each additional user you want to be able to decrypt at startup, but you need to know their password.
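
Added example, not part of the thread or any poster's code: a shell check that lists which local accounts are absent from the FileVault-enabled set and therefore will not appear at the startup unlock screen. It assumes `fdesetup list` prints one `shortname,UUID` pair per line and that regular accounts have a UniqueID of 501 or higher; the account names and UUID in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Account names and UUID are constructed.

# Read `fdesetup list` output on stdin ("shortname,UUID" per line) and
# print the short names of the FileVault-enabled accounts.
fv_enabled_users() {
    awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# $1: FileVault-enabled short names, one per line
# $2: local account short names, one per line
# Prints the accounts in $2 that cannot unlock the disk at startup.
users_missing_from_fv() {
    printf '%s\n' "$2" | while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf '%s\n' "$1" | grep -Fxq -- "$user" || printf '%s\n' "$user"
    done
}

# Live check on a Mac; run as root, because `fdesetup list` requires it.
# Assumption: regular accounts have a UniqueID of 501 or higher.
audit_live() {
    enabled=$(fdesetup list | fv_enabled_users)
    locals=$(dscl . list /Users UniqueID | awk '$2 >= 501 { print $1 }')
    users_missing_from_fv "$enabled" "$locals"
}

# Constructed sample data so the logic can be followed off a Mac.
SAMPLE_FDESETUP='jsmith,11111111-2222-3333-4444-555555555555'
SAMPLE_LOCALS='jsmith
labuser
shareduser'

# Runs the comparison over the constructed sample above.
sample_audit() {
    enabled=$(printf '%s\n' "$SAMPLE_FDESETUP" | fv_enabled_users)
    users_missing_from_fv "$enabled" "$SAMPLE_LOCALS"
}

sample_audit
```

On a managed Mac, call `audit_live` instead of `sample_audit`; any name it prints is an account that has to wait for a FileVault-enabled user to unlock the disk first.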

gachowski
Valued Contributor II

And, Apple has been asked to change this since FV was released. So that kinda implies that they aren't going to change it...

: )

C

JeyT
New Contributor III

OK, now I am starting to wrap my head around this. We are enabling FV with "login" for the payload, so when the main standard user of the Mac logs in, they will enable FV and have the ability to log in and unlock the disk. However, many times these Macs become shared and accounts are added to the Macs. So I am really kind of stuck with Macs that are shared? I would have to manually enable each user in System Prefs > Security and have them enter their password? I do see some scripting options here too, but you still need to know the new user's password. Any communication at all of users' passwords is strictly not allowed by our security department. What about the Jamf management account that is created and hidden on all our Macs? Thanks

sshort
Valued Contributor

@tavaresj This is standard macOS behavior if disk encryption is enabled. If your goal is to have a shared/lab machine, then you need to disable FileVault so that the first thing a user sees after turning on the Mac is your preferred username/password fields.

Enabling an EFI firmware password would prevent users from accessing the Recovery partition or making changes to the system config, and is another method of restricting some levels of system access if FileVault isn't enabled.

seraphina
Contributor II

@tavaresj

The jamf management account doesn't get a SecureToken generated automatically. I believe this has something to do with the account being created through a script/terminal. Apple is really big about USER CLICKS for some reason.

Check out this post on Rich Trouton's blog, maybe it can help you out here.