Only shows local accounts when FileVault 2 is on after a restart or power off/on

thatmp7
New Contributor II

When FileVault 2 is on and you restart the machine, or shut down and turn the Mac on, ONLY the local user appears for login and it does not show 'Other' to allow other users to log in. We have our customers set up with Active Directory accounts and they do not appear when the Mac has restarted. It is fine when the user ONLY logs off, because the 'Username' & 'Password' fields appear again.

My understanding is that since FileVault 2 is on, it needs a local account to unlock the disk in order for other users to use the Mac. So when the Mac is turned on or has restarted, it only shows the local accounts listed.


In the attachment, a customer logged in with their Admin Network account, installed software that required a restart, and the Mac booted back up and ONLY shows the local account with no other option.


sdagley
Esteemed Contributor II

@thatmp7 When a Mac is booted to the FileVault login screen it's not on the network, so it's not possible to log in via a network only account at that point.

sshort
Valued Contributor

If you're on 10.13 (or later) with APFS disk format, then the expected behavior is that once a local admin account is enabled for FileVault, any additional local users that are created will be automatically granted a secureToken, which allows them to unlock the disk at the FileVault screen. AD mobile accounts will get a pop-up dialog at first login requesting a local admin with secureToken to enable secureToken. This allows the AD user to unlock at the FV screen.

You can run sysadminctl -secureTokenStatus ADUserNameHere. If it returns disabled, then not having that secureToken attribute is why they can't log in at that point.
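
Added example (not from this thread or from Jamf): a POSIX shell script that wraps the sysadminctl check described above and pairs it with fdesetup list, which shows the accounts FileVault will actually offer at the unlock screen. The usernames and command output in the demo are constructed, and the live check only runs on a Mac with admin rights.

```shell
#!/bin/sh
# Added example, not from the thread. Combines the two checks an admin would run on
# an affected Mac to see why a user is missing from the FileVault login screen:
#   sysadminctl -secureTokenStatus <user>  -> stderr: "Secure token is ENABLED for user <user>"
#   fdesetup list                          -> one "<user>,<GeneratedUID>" line per FileVault-enabled user
# The two are separate: fdesetup list is who FileVault offers at the unlock screen.

# Map sysadminctl output (stdin) to ENABLED / DISABLED / UNKNOWN.
parse_token_status() {
  case "$(cat)" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Exit 0 if user $1 appears in fdesetup list output (stdin); usernames compare case-insensitively.
in_fv_list() {
  awk -F, -v u="$1" 'tolower($1) == tolower(u) { f = 1 } END { exit !f }'
}

# One verdict for user $1 given token state $2 and FileVault-list membership $3 (yes/no).
verdict() {
  case "$2/$3" in
    ENABLED/yes)  echo "$1: secureToken ENABLED and in FileVault list; can unlock at the FileVault screen" ;;
    ENABLED/no)   echo "$1: secureToken ENABLED but not in FileVault list; add with: fdesetup add -usertoadd $1" ;;
    DISABLED/*)   echo "$1: secureToken DISABLED; an existing secureToken admin must grant one (sysadminctl -secureTokenOn)" ;;
    *)            echo "$1: secure token status could not be determined" ;;
  esac
}

# Live check, only on a Mac (needs admin rights): ./fvcheck.sh <username>
check_user() {
  token=$(sysadminctl -secureTokenStatus "$1" 2>&1 | parse_token_status)
  if fdesetup list 2>/dev/null | in_fv_list "$1"; then fv=yes; else fv=no; fi
  verdict "$1" "$token" "$fv"
}

# Offline demo with constructed output (constructed usernames and UUIDs), runs anywhere.
demo() {
  fv_out='localadmin,1A2B3C4D-0000-0000-0000-000000000001
adadmin,5E6F7A8B-0000-0000-0000-000000000002'
  token=$(printf 'sysadminctl[321:7] Secure token is ENABLED for user aduser\n' | parse_token_status)
  if printf '%s\n' "$fv_out" | in_fv_list aduser; then fv=yes; else fv=no; fi
  verdict aduser "$token" "$fv"
}

if command -v sysadminctl >/dev/null 2>&1 && [ -n "$1" ]; then check_user "$1"; else demo; fi
```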

thatmp7
New Contributor II

@sshort Correct, our Macs are on 10.13 and later. AD accounts are enabled for FV. However, I tried the command line and the AD account is ENABLED for Secure Token. I still cannot log in with my AD account after a restart or boot up. It'll have to be a local account first, log off the local account, then any account can log in. We have too many Macs for the IT folks here to go one by one to log in with the local account first so the customer can log in if a Mac happened to restart or shut down unexpectedly.

sdagley
Esteemed Contributor II

@thatmp7 The AD configuration on Macs you want to be able to use AD accounts to unlock FV will need to have mobile accounts enabled.

thatmp7
New Contributor II

@sdagley Mobile accounts are enabled, still the same issue.

sdagley
Esteemed Contributor II

@thatmp7 Have you verified the mobile account for the AD user account you're trying to use for FV access has been created?

thatmp7
New Contributor II

https://www.jamf.com/jamf-nation/discussions/26108/users-added-to-file-vault-but-don-t-show-up-to-unlock-it

This post has solved my issue, if anyone comes across this.