Once FileVault is enabled and a Mac is connected to AD, how to allow multiple network users to log in
Posted on 08-22-2019 11:54 AM - last edited on 03-04-2025 04:32 AM by kh-richa_mig
After installing the MDM profile and turning on FileVault, along with enabling the login screen to show username and password, I am not able to log in after reboot, as it only allows me to click on local admin users. However, after I log in with a local admin user and log out, I am able to see the login screen that shows username and password. Is this a limitation from Apple?
Then, what will happen for a machine that is connected to AD when we have random network users who want to log in on that machine?
Any alternative or solution?
Posted on 08-22-2019 12:18 PM
Hi, @udhy
This is expected behaviour. Your boot volume, aka "Macintosh HD", is protected so that only FileVault-enabled users can unlock/decrypt the disk and let macOS load.
I assume this is a shared device or an iMac; I recommend getting a physical lock for your device to prevent it from leaving the office.
As you describe, you are authenticated with your local admin user, and if you then press log out, the Network Login Window will show up, which allows you to log in with network users (if enabled and bound to AD) because at that moment the volume is already unlocked.

Posted on 08-22-2019 12:30 PM
@udhy If you want some minimal level of preboot restrictions, you can enable a firmware password to prevent users from accessing the recovery partition or booting from an external volume. A lot of shared/lab environments are set up that way b/c of FileVault behavior.
Posted on 08-22-2019 12:37 PM
As @sshort says, that is an option to make it even more secure! I do recommend setting an EFI / firmware password also on FileVault-enabled macOS devices.
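
The behaviour discussed in this thread can be audited from a script. The following is an added example, not code from any poster: it parses the output of `fdesetup list` to report which expected accounts cannot unlock the disk at boot, and reads `firmwarepasswd -check` output for the firmware password state. The account names and UUIDs are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which accounts can unlock a FileVault volume at the preboot screen?
# `fdesetup list` (run as root) prints one "shortname,GeneratedUID" line per enabled user.

# Constructed sample of `fdesetup list` output (names and UUIDs are made up).
SAMPLE_FDESETUP='localadmin,11111111-2222-3333-4444-555555555555
labsupport,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'

# fv_users: read `fdesetup list` output on stdin, print the enabled short names.
fv_users() {
    awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# missing_unlockers LIST_OUTPUT USER...
# Print every USER that is not FileVault-enabled. Such accounts (for example
# AD network users) only get a login window after someone else unlocks the disk.
missing_unlockers() {
    list_output=$1
    shift
    enabled=$(printf '%s\n' "$list_output" | fv_users)
    for u in "$@"; do
        printf '%s\n' "$enabled" | grep -Fxq -- "$u" || printf '%s\n' "$u"
    done
}

# firmware_password_set CHECK_OUTPUT
# Succeed when `firmwarepasswd -check` output (Intel Macs) reports a password is set.
firmware_password_set() {
    printf '%s\n' "$1" | grep -Eq '^Password Enabled:[[:space:]]*Yes'
}

# On a Mac, as root, use live data; anywhere else fall back to the sample.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    list=$(fdesetup list)
else
    list=$SAMPLE_FDESETUP
fi

# "aduser1" stands in for an AD network account expected to use this machine.
missing_unlockers "$list" localadmin aduser1
```

Any name this prints is an account that will not appear on the preboot unlock screen after a reboot.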
