What causes the FileVault Lock Screen to update the list of enabled users?

chadlawson
Contributor

I'm working on a client setup right now where the computer goes through ADE/DEP and a tech logs in as the administrator account.

That kicks off the DEPNotify Helper script and that workflow. This includes the naming of the computer which, in turn, scopes the FileVault Configuration Profile to the computer. It also includes binding the computer to AD.

At this point, if I check fdesetup for a list of enabled users, I just get the admin account. So far, so good.

After that the admin logs out (but doesn't reboot or shut down or otherwise go back to the FileVault lock screen) and a staff person logs in which creates the mobile account. Now if I run fdesetup I see the admin account and the staff account are both enabled. Jamf confirms the same thing. Both accounts are enabled and FileVault is turned on at this point.

However... if I reboot, only the admin account is visible on the lock screen.

If I don't reboot, but instead log in as either the staff account or the admin account again and just log back out, when I reboot both users are there.

I'm trying to make the setup process easier, not more tedious. Is there a way to get macOS (Sonoma 14.4+ on Intel for this test) to update the lock screen without these extra steps? I would have bet good money that when the mobile account gets listed as FileVault Enabled that it would also get added to the lock screen.

1 ACCEPTED SOLUTION

boberito
Valued Contributor

You need to update the preboot volume. This is happening automatically when you do the log out and log in like you noticed, but it isn't getting triggered otherwise.

diskutil apfs updatePreboot /

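The accepted solution, wrapped into a script a Jamf policy could run right after the mobile account is created. This is an added example, not code from the thread: it parses `fdesetup list` output (one `user,UUID` line per enabled user), refreshes the preboot volume only when the target user is actually FileVault-enabled, and carries a constructed sample listing so the parsing helpers can be exercised off a Mac. The `refresh_preboot_for_user` function and the target user name are assumptions.

```shell
#!/bin/bash
# Added example: confirm a user is FileVault-enabled, then update the APFS
# preboot volume so the FileVault login screen shows the user without an
# extra log-out/log-in cycle. Requires fdesetup and diskutil (macOS).

# Constructed sample of `fdesetup list` output (user,UUID per line); UUIDs are fake.
SAMPLE_FDESETUP_LIST='admin,11111111-2222-3333-4444-555555555555
staff,66666666-7777-8888-9999-000000000000'

# fv_user_enabled USER LISTING: exit 0 if USER is in the listing, 1 otherwise.
fv_user_enabled() {
    local user="$1" listing="$2"
    printf '%s\n' "$listing" |
        awk -F',' -v u="$user" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# fv_enabled_count LISTING: print the number of enabled users in the listing.
fv_enabled_count() {
    printf '%s\n' "$1" |
        awk -F',' 'NF >= 2 && $1 != "" { n++ } END { print n + 0 }'
}

# refresh_preboot_for_user USER: query fdesetup, then refresh the preboot volume.
# Only runs for real on macOS (hypothetical workflow function, e.g. a Jamf policy).
refresh_preboot_for_user() {
    local user="$1" listing
    listing="$(fdesetup list)" || return 1
    if ! fv_user_enabled "$user" "$listing"; then
        echo "$user is not FileVault-enabled; not touching the preboot volume" >&2
        return 2
    fi
    # This is the step the thread identifies as the missing trigger.
    diskutil apfs updatePreboot / >/dev/null || return 3
    echo "preboot volume updated; $user should now appear on the FileVault login screen"
}

# Usage: ./refresh_preboot.sh <mobile-account-username>
if [ -n "${1:-}" ]; then
    refresh_preboot_for_user "$1"
fi
```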

6 REPLIES

mschlosser
Contributor II

Good question. I was under the impression that as long as Jamf Pro is configured to escrow the PRK and the DRK on the server, all new accounts, whether they are admin or standard users, would be automatically granted a secure token and as such should show on the FileVault decryption screen. Hope that helps. I configured the disk encryption via policy on the machines that we target for encryption and it works well.

AJPinto
Honored Contributor III

My guess is the use of Mobile Account is likely breaking something. Apple stopped developing macOS with Mobile Accounts in mind a long time ago. The fact that their techs are configuring devices and domain binding before deploying probably needs to be reviewed before trying to troubleshoot new Apple workflows. 

Oddly they were always getting the token, it's just that they weren't appearing on the Lock Screen until any user logged in again to trigger the [previously unknown process] which appears to be the preBoot.


Spikemouth
New Contributor II

I work in a similar environment with mobile accounts. Try using this to add the user in question to FileVault (replace username with the mobile account username):

sudo fdesetup add -usertoadd username
Enter the user name: 'adminusername'
Enter the password for user 'adminusername':
Enter the password for the added user 'mobile username':

Also, have you checked to make sure that "Create mobile account at login" is turned on? This could be another reason why it isn't speaking with FileVault at the initial login of the mobile account.


chadlawson
Contributor

Sorry for not dropping back in on this earlier, but I want to thank @boberito for reminding me about preBoot.