Standard Accounts Fail login after login to FileVault Encryption Window

jnice22
New Contributor II

I've run into an odd issue with FileVault 2 encryption. The setup is as follows:

OS 10.11.6
Accounts are all Local (No AD or LDAP integration)
Encryption Policy is deployed via the JSS
Personal Encryption Keys

The system is encrypted when the admin user logs in. This account has no issues logging in. When a second "non-admin/standard" user account is created, or an existing standard user is added to encryption via System Preferences, the user can successfully log in at the encryption login screen and is then prompted to log in at a second screen. Account login at the second screen fails. There is no error message (that I have found).

Here is the rub. If you log in with the regular admin account and then make the standard user an admin, they can log all the way through to the desktop without being prompted for a second password. Change the account back to a standard user and they cannot log in again (at the second window).

This sounds like a permission issue to me. The standard user is unable to access something that the admin user is able to access. Any ideas what?

My only attempts to resolve this include removing and re-adding the user via fdesetup, and logging in as the account that fails and running fdesetup sync. I have been able to recreate the issue on 3 systems. Any ideas/help would be appreciated.

Thanks,
Jasen


davidacland
Honored Contributor II

I haven't got a system to test with but it sounds like a possible bug in the OS. The only thing that makes me feel it's more isolated to your setup is the lack of noise from the wider community about it.

Some possible things I'd try first:

  • What happens if you make the standard user an admin, check that it all works, then set them back to standard. Does that break the login again?
  • What does it do on 10.11.5?
  • What happens if you deploy a vanilla 10.11.6 (possibly AutoDMG image) to a Mac, create a standard account, manually enable FV and test? So avoid enrolling with Casper or deploying anything else to it. Keeping it as a purely out of box setup.

jnice22
New Contributor II

Thanks for the response David.

When I change the user to admin I can login. When I switch it back I cannot login any more.

I have a lot more testing to do, but I have narrowed it down to clients that are "off network". This basically means they connect to a limited-access JSS behind a load-balancer proxy. When I image a system on our internal network there are no encryption issues on the same version of the OS, 10.11.6.

I am going to try adding a system that is having the issue to our prod network to see if that makes a difference.

I'm going to give the manual setup a try next.

mwilkerson
New Contributor III

I know this is 3 years old, but we recently discovered this behavior within one of our testing scenarios. We see this behavior on 10.13.6 and it persists even after upgrading to Mojave 10.14.6.

We have our management account created as the first user; then, if we manually create a standard user, we can unlock the disk, but it will not let us log in to that user's account unless/until we make them an admin.

I have also confirmed this happens with DEP and Non-DEP machines.

Does anyone have any insight as to why this happens?

bozemans
New Contributor III

I am having the same problem as mwilkerson. I need to create a local account on some of our managed laptops for our staff to use with shared products in a "lab" setting. But when I create the new "local standard" account it will not let us log in... if I switch the account to "admin" it works fine. This needs to be corrected by someone... Jamf or Apple.

I found something about config settings and allowing other users to log in, but that didn't seem to work either.

tomt
Valued Contributor

Adding myself as a "me too" for this issue. Exact same scenario: 10.14.6, FileVault, local non-admin user = can unlock the drive but cannot log in.

eyu
New Contributor

Experiencing the same symptoms as everyone else: a FileVault local non-admin user is unable to log in. Has anyone found a solution?

rcoen
New Contributor

We're running into the same issue with multiple machines being deployed via DEP. We are able to get past the encryption check, but unable to log in at the following login screen. Escalating the account to an admin allows a login. Once the account is demoted to "standard" it is no longer able to log in.

Here are some steps we've tested with. Hopefully this helps.

We've attempted to change the password on the account, but are still unable to log in.

  • We had also created a policy to help sync changed AD passwords on the Mac. Running that made no difference.
  • Disabling FileVault 2 does not allow the account to log in.
  • Unbinding the machine does not allow you to log in.
  • Creating a new "standard" account on the machine after FileVault 2 is turned off: the new account cannot log in.
  • Creating a new "standard" account on the machine after FileVault 2 is turned off AND the machine has been removed from AD: the new account still cannot log in.

Thanks,
-Rob

Mikflores
New Contributor

We're having the same problem here. It seems that after a full shutdown it works. It started happening after changing the user to a Standard User from Admin. We have another admin account on the machines already.
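
As an added example for the fdesetup workaround Jasen describes in the opening post and the test sequences rcoen and the 10.13/10.14 reporters list above (this is editor-supplied code, not from the thread, Jamf, or Apple): a small shell helper that reads `fdesetup list` output, reports whether a given short name is actually a FileVault-enabled user, and prints the diagnostic/remediation commands a practitioner would run next. The user names and GeneratedUIDs in `SAMPLE_LIST` are constructed; on a real Mac you would pass `"$(sudo fdesetup list)"` instead. The secure-token commands are real and only apply to 10.13 and later; the script prints them as a check to run, it does not claim the token is the cause of this thread's symptom.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether an account is in the
# FileVault unlock list and prints the commands to run next. Nothing here
# modifies the Mac; the remediation commands are printed, not executed.
set -u

# `sudo fdesetup list` prints one "shortname,GeneratedUID" line per enabled
# user. fv_check prints "enabled" if USER is present, "missing" otherwise.
#   $1: text exactly as printed by fdesetup list
#   $2: short name of the account to look for
fv_check() {
  list="$1"
  user="$2"
  printf '%s\n' "$list" | awk -F, -v u="$user" '
    $1 == u { found = 1 }
    END { print (found ? "enabled" : "missing") }'
}

# Prints (does not run) the next commands for USER given fv_check's result.
# `fdesetup add` is interactive: it prompts for the password of an
# already-enabled user, then for USER's password.
fv_next_steps() {
  user="$1"
  status="$2"
  if [ "$status" = "missing" ]; then
    cat <<EOF
# $user is not a FileVault-enabled user; add it, then re-check:
sudo fdesetup add -usertoadd $user
sudo fdesetup list
EOF
  else
    cat <<EOF
# $user is already enabled, so the unlock list itself is not the gap.
# Remove and re-add it (the thread's own workaround), then re-check:
sudo fdesetup remove -user $user
sudo fdesetup add -usertoadd $user
sudo fdesetup sync
sudo fdesetup list
# On 10.13 and later (APFS), also confirm the account holds a secure token;
# an account without one cannot be a FileVault unlock user on APFS:
sysadminctl -secureTokenStatus $user
dscl . -read /Users/$user AuthenticationAuthority
EOF
  fi
}

# Constructed sample of `sudo fdesetup list` output (not real data):
# a management admin that is enabled, and one standard user that is enabled.
SAMPLE_LIST='mgmtadmin,9C2F1E7A-0000-4000-8000-000000000001
jdoe,9C2F1E7A-0000-4000-8000-000000000002'

main() {
  # jdoe is in the list; labuser (a freshly created standard user) is not.
  for u in jdoe labuser; do
    s=$(fv_check "$SAMPLE_LIST" "$u")
    echo "== $u: $s"
    fv_next_steps "$u" "$s"
  done
}

main
```

If `fdesetup list` already shows the failing standard user, the second login screen is not the FileVault unlock prompt rejecting an unknown user, which narrows the problem to what happens after the disk is unlocked; that is the distinction the thread never pins down, and it is the first thing to record before opening a case with Jamf or Apple.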