- Jamf Nation Community
- Products
- Jamf Pro
- Re: Mobile account locked after turn on FileVault
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Mobile account locked after turn on FileVault
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-18-2021 12:08 AM
We're using mobile accounts (AD join) with FileVault.
In the last days we got an increasing number of issues with locked mobile accounts and we don't know how to reset this lock.
We see this with 10.14.6, 10.15.6, 11.5.1
The domain account is not locked, it's only the local cached mobile account. If a user wants to authenticate locally (without connectivity to the our corporate network), a message appears with something like "try again in x minutes later".
The number of minutes can be 15 min. but will increase, if the user still tries to enter a (wrong) password.
How can we reset this, so the local cached password of a Mobile account can be synced again with the current domain password?
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-18-2021 04:37 AM - edited 08-18-2021 04:38 AM
If you have your FileVault keys escrowed in JAMF you can just get one of those to get passed FileVault.
I have noticed if you change your PW in any location other than the Mac in question the FileVault password does not update. You can try using the old password. In our experiences if you reset a password on a different device (or the domain controller itself) the Mac has a random chance of desyncing the password and basically locking the user out of the mobile account. Rebuilding the profile is the only fix as you cannot log in to the account, nor reset the password using recovery since its mobile and not local. Apple REALLY does not want people using mobile accounts, and it feels actively makes it as poor of an experience as possible without breaking it all together. We also have to use mobile accounts which I am trying to get away from due to this reason among others.
May want to check your environment, I very highly doubt anything changed on the Macs in the past few days to cause this issue. Probably someone in your Active Directory team changing stuff without testing it on macOS.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-18-2021 02:25 PM
Mobile accounts with bound AD machines is so incredibly painful. It is strongly recommended (even by Apple) that you move away from this. We are slowly migrating our Mac users with mobile accounts to local accounts. Apple shared with me a script I've modified that helps with the migration process. Not sure it's for public consumption, but I'd be happy to share it privately (find me on MacAdmin slack).
I wish we could get away from binding our Macs to AD, but Box still requires it (as our Box admins have it set up; it's a domain-wide setting). So until Box goes away, we're still binding. But as we move our users to local accounts, much of the login pain points will go away; Mac users will be able to be off-network and still login, etc.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-10-2021 11:44 PM
Hey Damien
We are also currently experiencing of the mobile account locking after enabling filevault, we arre struggling to find a pattern with those that work and those that don't work, it is random.
Could you please supply me with the script you are referring to so we can test rather working on local accounts than mobile?
Thank you kindly
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-20-2021 01:38 PM
Indeed, using AD cached mobile accounts on Macs is asking for trouble these days. I've begun to fully move away from this over the last year and go with local accounts that match the AD username and deploy a profile to enable the Apple SSO plug-in for them to keep their password in sync. I also recommend to users that they change their password using the SSO plug-in, because as noted, if a password is changed in AD or on a Windows machine, etc., most times FileVault will not get the password sync, even in cases when using an AD account on the Mac. And 100% of the time when using a local account.
One of the big issues you run into here is that when a Mac is sitting at that FV2 login screen, there is no network connectivity. Even if you plug it into a wired connection. So a sync of the account password will NEVER happen at that screen, period. A sync can only occur after unlocking the Mac and getting into the account. But at point you already know how to unlock the machine, so...
For the few machines we still have on these cached mobile accounts, we have had issues where the user changed their password in our password portal or on a Windows machine, and didn't realize the sync never occurred. Days or even weeks later they reboot their Mac and then suddenly can't log in, because FV2 is asking for their old password and they don't remember it. I had a couple of people do the unfortunate thing of listening to the text that shows up under the login fields that says to power off their Mac and reboot into Recovery to do a password reset. That would be fine, except we also apply a firmware password and they get stuck at the firmware password screen. That's fun! *grumble* *grumble* I really wish there was some way to suppress that text that appears at the FV2 login screen. It's only good advice if it's your own personal computer. Very bad advice for a corporate owned and managed machine. You can unlock these using the individual Recovery key from Jamf and then update the password for the account.
So overall, best to get away from AD accounts and AD bound machines. You'll be saving yourself a lot of headaches in the long run.
