Help

Slowed login for domain accounts after encrypting drive

jezerski
New Contributor III

Posted on ‎08-01-2018 03:13 PM

Hello. Has anyone seen issues with domain joined accounts taking a long time to login after encrypting the hard drive? I have some Sierra and High Sierra machines, and the login time has increased by over a minute for domain joined accounts. Local accounts don't seem to be affected. The time from boot to the login screen has remained about the same, but once the password is entered, a status bar pops up under the password field, and it takes about an additional 75 seconds to log in compared to pre-encryption. We've been tasked with rolling this out company wide, but this is a noticeable difference and will generate complaints I'm sure! We're leveraging Sophos to enable the encryption process, but I've tried this on a freshly imaged Mac with no JAMF, Sophos, or any additional software, I put a fresh copy of Sierra on, joined it to the domain, and encrypted it, and this alone added about 40 seconds to the login time for domain accounts. Any thoughts or suggestions would be appreciated.

Thanks
Jason

6 REPLIES 6

jdye
New Contributor III

Posted on ‎08-02-2018 09:42 AM

This happened to all of our Sierra machines as well.

0 Kudos

sdagley
Esteemed Contributor II

Posted on ‎08-02-2018 11:03 AM

@jezerski Keep in mind that with FileVault 2 enabled the first prompt is coming from booting into the recovery/file vault boot partition. Once you enter your password there the Mac boots from the now-unlocked normal OS partition.

0 Kudos

jezerski
New Contributor III

Posted on ‎08-08-2018 08:59 AM

@jdye and @sdagley thanks for the responses. Did you notice any issue with local accounts as well, or are those still working quickly? Our local admin account still logs into the machine in 5-10 seconds, so it appears to only affect domain joined accounts.

0 Kudos

sdagley
Esteemed Contributor II

Posted on ‎08-08-2018 09:17 AM

@jezerski Are these wired or wireless Macs? It could be that the delay you're seeing is for the Mac to bring up a network connection (since they aren't on the network at the FV2 log in screen) and establish communication with your domain controller.

0 Kudos

jezerski
New Contributor III

Posted on ‎08-08-2018 09:38 AM

@sdagley this happens when hardwired to our network, or off-network.

0 Kudos

dgreening
Valued Contributor II

Posted on ‎08-08-2018 09:44 AM

Try adjusting the dsbindtimeout down to 20 seconds. I do this via config profile with the following custom setting:

bac89114ea4d4f1c9190f8536efdcb2b