Posted on 09-12-2016 03:52 PM
I've run into an odd issue with Filevault2 Encryption. The setup is as follows:
OS 10.11.6
Accounts are all Local (No AD or LDAP integration)
Encryption Policy is deployed via the JSS
Personal Encryption Keys
The system is encrypted when the admin user logs in. This account has no issues logging in. When a second "Non-Admin/Standard" user account is created, or an existing standard user is added to encryption via System Preferences, the user can successfully log in at the encryption login screen and is then prompted to log in at a second screen. Account login at the second screen fails. There is no error message (that I have found).
Here is the rub. If you log in with the regular admin account and then make the standard user an admin, they can log all the way through to the desktop without being prompted for a second password. Change the account back to a standard user and they cannot log in again (at the second window).
This sounds like a permission issue to me. The standard user is unable to access something that the admin user is able to access. Any ideas what?
My only attempts to resolve this have been removing and re-adding the user via fdesetup, and logging in as the account that fails and running fdesetup sync. I have been able to recreate the issue on 3 systems. Any ideas/help would be appreciated.
Thanks,
Jasen
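Since the symptom above tracks whether the account is an admin, a quick way to see which FileVault-enabled accounts are standard users (the ones this thread says fail at the second login) is to cross-check `fdesetup list` against the local admin group. This is an added diagnostic script, not from the original post; the two input values are constructed samples standing in for the real command output so it runs offline.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): list FileVault-enabled users
# that are NOT in the local admin group, i.e. the accounts that hit the
# second-login failure described above.
# On a Mac the inputs would come from:
#   fdesetup list                                  -> "username,GeneratedUID" per line
#   dscl . -read /Groups/admin GroupMembership     -> "GroupMembership: root user ..."
# Constructed samples so the script runs without a Mac:
FDE_LIST='itadmin,1E2B7D4A-0000-4000-8000-000000000001
labuser,1E2B7D4A-0000-4000-8000-000000000002'
ADMIN_LINE='GroupMembership: root itadmin'

# fv_users LIST -> prints FileVault-enabled usernames, one per line
fv_users() {
  printf '%s\n' "$1" | cut -d, -f1
}

# is_admin ADMIN_LINE USER -> exit 0 if USER appears in the admin group line
is_admin() {
  printf '%s\n' "$1" | sed 's/^GroupMembership: *//' | tr ' ' '\n' | grep -qx "$2"
}

# at_risk_users LIST ADMIN_LINE -> prints FV-enabled users that are not admins
at_risk_users() {
  fv_users "$1" | while IFS= read -r u; do
    [ -n "$u" ] || continue
    is_admin "$2" "$u" || printf '%s\n' "$u"
  done
}

# Standalone run: prints "labuser" for the constructed samples
at_risk_users "$FDE_LIST" "$ADMIN_LINE"
```

On an affected Mac, replace the two constructed values with the real output of `fdesetup list` and `dscl . -read /Groups/admin GroupMembership` (both need admin rights).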
Posted on 09-13-2016 12:48 AM
I haven't got a system to test with but it sounds like a possible bug in the OS. The only thing that makes me feel it's more isolated to your setup is the lack of noise from the wider community about it.
Some possible things I'd try first:
Posted on 09-13-2016 04:00 PM
Thanks for the response David.
When I change the user to admin I can log in. When I switch it back I cannot log in any more.
I have a lot more testing to do, but I have narrowed it down to clients that are "off network". This basically means they connect to a limited-access JSS behind a load balancer proxy. When I image a system on our internal network there are no encryption issues on the same version of the OS, 10.11.6.
I am going to try adding a system that is having the issue to our prod network to see if that makes a difference.
I'm going to give the manual setup a try next.
Posted on 08-19-2019 01:24 PM
I know this is 3 years old, but we just recently discovered this behavior in one of our testing scenarios. We see this behavior on 10.13.6 and it persists even after upgrading to Mojave 10.14.6.
We have our management account created as the first user; then, if we manually create a standard user, we can unlock the disk, but it will not let you log in to that user's account unless/until you make them an admin.
I have also confirmed this happens with DEP and non-DEP machines.
Does anyone have any insight as to why this happens?
Posted on 08-23-2019 09:11 AM
I am having the same problem as mwilkerson. I need to create a local account on some of our managed laptops for our staff to use with shared products in a "lab" setting. But when I create the new "local standard" account it will not let us log in. If I switch the account to "admin" it works fine. This needs to be corrected by someone, Jamf or Apple.
I found something about config settings and allowing other users to log in, but that didn't seem to work either.
Posted on 10-22-2019 12:01 PM
Adding myself as a "me too" for this issue. Exact same scenario: 10.14.6, FileVault, local non-admin user can unlock the drive but cannot log in.
Posted on 10-30-2019 02:16 PM
Experiencing the same symptoms as everyone else: with FileVault, a local non-admin user is unable to log in. Has anyone found a solution?
Posted on 01-22-2020 09:20 AM
We're running into the same issue with multiple machines being deployed via DEP. Able to get past the encryption check, but unable to log in at the following login screen. Escalating the account to an admin allows a login. Once the account is demoted to "standard" it is no longer able to log in.
Here are some steps we've tested. Hopefully this helps.
We've attempted to change the password on the account, but are still unable to log in.
We had also created a policy to help sync changed AD passwords on the Mac. Running that made no difference.
Disabling FileVault 2 does not allow the account to log in.
Unbinding the machine does not allow you to log in.
Creating a new "standard" account on the machine after FileVault 2 is turned off: the new account cannot log in.
Creating a new "standard" account on the machine after FileVault 2 is turned off AND the machine has been removed from AD: the new account still cannot log in.
Thanks,
-Rob
Posted on 06-18-2020 09:11 AM
We're having the same problem here. It seems that after a full shutdown it works. It started happening after changing the user from admin to a standard user. We already have another admin account on the machines.