macOS Mojave 10.14.0 (18A391) Upgrade; AD Mobile Accounts got stuck

ThijsX
Valued Contributor

Hi,

On 24 September, when macOS Mojave 10.14.0 was released, I decided to upgrade my own MacBook Pro that was on 10.13.6.
The upgrade was successful and at that moment it seemed there were no problems at all, until I shut down my device and booted it up the day after.

When booting, seeing the login screen and trying to log in with my Managed Mobile Account, it gets stuck endlessly on the black screen with the Apple logo.

On our devices we have a local account configured for IT support, and that account is working flawlessly.

What did I try to solve it:
- Reset PRAM
- Clear user templates
- Clear ~/Library/Preferences
- Rename ./mbr_cache ./mbr_cache-old
- Reinstall macOS Mojave from Recovery (installer 14.0.22)
- Reinstall macOS Mojave from Internet Recovery (installer 14.0.18)
- Disable FileVault 2
- Disk repair

Also grabbed another fresh 10.13.6 MacBook Pro, configured my account etc. and kept it as clean as possible, upgraded, and the same issue appears.

When booting to Safe Mode I am able to log in.

Any tips or suggestions, or is anyone else also having this issue?

1 ACCEPTED SOLUTION

ThijsX
Valued Contributor

10.14.1 has been released and in this version it is fixed. The workaround is not necessary anymore.

28 REPLIES

lrabotteau
New Contributor III

Hello @txhaflaire,

On my side, I had some issues with Mobile Accounts with AD.

I've changed Mobile Account to Network Account with the GUI "Force Local Home Directory" from Jamf and it works great.

Unbind => Rebind my Mac with the new settings and now I can connect perfectly.

Maybe you can try this.

ThijsX
Valued Contributor

Hi @lrabotteau!

Can you explain further about the transition from Mobile Account to Network Account? After that change, are you still able to log in when away from the network?

ThijsX
Valued Contributor

@bjorgvin Thanks for sharing; https://www.reddit.com/r/macsysadmin/comments/9iu5b4/mojave_expired_passwords/

ThijsX
Valued Contributor

Update: The workaround of changing the password so the pop-up window does not appear works for now.

ClassicII
Contributor III

2 workarounds.

One is to just turn off the password change notification.

sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 0

The 2nd was to just log in while off the network. Thanks to @andyincali for helping test this and @frogor for the idea to try it.

ThijsX
Valued Contributor

@ClassicII Thank you for sharing 🙂

sbirdsley
Contributor

Confirmed having this issue as well, and the suggested workaround (disabling the password change notification) corrected the problem; however, I don't see this as acceptable in our production environment long term as a fix.

Hopefully this is something that will be fixed in 10.14.1. Does anyone know if this has been filed with Apple?

markposey
New Contributor

We noticed this issue after changing the user account to mobile and using FileVault 2 to encrypt the hard drive. Once we enabled FileVault 2, the laptop would get stuck during boot.

If you turn off FileVault, the AD mobile account works just fine.

As a workaround, you can create a local account, then encrypt the hard drive. Log out of the local account and log into the mobile account. This is super annoying, but the hard drive is encrypted and the mobile account works just fine once you get through the initial boot.

We duplicated this issue by:
1. Reimaging the laptop with Mojave
2. Setup mobile user account
3. Enable filevault
4. Stuck screen at 90% loading bar and cursor (force reboot)
5. Login with local account instead of mobile
6. Logout of local and log in with mobile

I would love any suggestions or visibility to fixing this issue.

Eric84
New Contributor II

Not letting Passwords fall under 30 days for expiration seems to work for us right now. We run a 365 day length on passwords and anyone over 30 days does not have the issue while anyone at 30 days or less does. Once these users under 30 days change their password, the issue goes away.

kowsar_ahmed
Contributor

Hi Guys,

Do you run the workaround prior to the upgrade?

Thanks

jwojda
Valued Contributor II

I ran into this as well when I got in to the office this morning. Thanks for confirming it's not an isolated problem.

ThijsX
Valued Contributor

Hi,

Yeah, I run the workaround prior to the upgrade; you can also wait till 10.14.1. The issue is fixed in a recent beta.

kowsar_ahmed
Contributor

Thanks @txhaflaire, tried that and that works fine!

Thanks for confirming the beta fixes it too.

tnielsen
Valued Contributor

Same issue.

ginakung
New Contributor III

@txhaflaire do you still find that it takes a long time to log in?

joscline
New Contributor II

I have seen this in 10.13.6, as well as 10.14.0/1 with AD mobile accounts. In every case disabling FDE auto login while booted in safe boot fixed this bug.

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES

LaMantia
New Contributor III

I am having this issue with Mobile accounts on 10.14.0 - 10.14.2. Only with MacBook Pros & T2 chip.

macgecko2
New Contributor

Just ran into this one myself with macOS 10.14.3, so it looks like it's still around:

Model: MacBookPro14,2
Processor: Intel Core i5
RAM: 8GB
Storage: 250 SSD with FileVault
Accounts:
Local
Mobile

What did I try to solve it:
- Reset PRAM
- SafeBoot (account logins possible)

tnielsen
Valued Contributor

This was caused by the password expiration prompt.

ThijsX
Valued Contributor

Darn.. we do have users (AD Mobile accounts) reporting that when they upgraded to Big Sur and tried to log in, a Password Change dialog appears, so:

  • Big Sur upgrade has finished
  • Login Window appears, the user fills in credentials and a Password Change dialog appears in Login Window, which does not accept anything
  • After shutdown/reboot, FileVault window -> accepts password -> Password Change dialog appears again.

Tried a lot, like logging in with another local admin user and changing the password for the affected user, triggering password changes from AD; nothing helped except:

sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 0

ThijsX
Valued Contributor

@ClassicII Not sure if you had any MacAdmins reporting this in again, but if so the workaround from High Sierra -> Mojave should work.

skumar
New Contributor

@txhaflaire We have the exact same issue after Big Sur upgrade with our mobile accounts but running: sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 0
does not work; any other ideas?

ThijsX
Valued Contributor

@skumar Check your existing config profiles and then the passcode payloads; I removed some of them where force password change was checked.

skumar
New Contributor

@txhaflaire Did that already, but no luck.
Note: when I am on the AD network the password change prompt does not appear.. it's just when I am offline.

mpflugfelder
New Contributor

@txhaflaire We appear to be having the same problem as @skumar. Upgrades to Big Sur and clean installs provoke a password change upon login with an AD bound user. Changing PasswordExpirationDays didn't seem to help here either.

Any other ideas?

mani2care
Contributor

Is there any way to sync the Mac password, the FileVault password and the AD network password without apps like NoMAD or Jamf Connect?

geoff_widdowson
Contributor II

@mani2care The Kerberos Extension, for Catalina onwards, will do it, but you need to convert the accounts to standard from mobile, as it won't sync with mobile accounts. I needed Apple to help set it up, but it's a one-off cost, unlike Jamf Connect.