Posted on 03-15-2023 06:27 PM
Hi All,
We suddenly have a few Macs where, after a restart/shutdown, users are not able to log in to their accounts.
All Macs are FileVault enabled and users are added to FileVault by default (we use AD mobile accounts). Our local admin is also a FileVault user and disk owner.
But we can't even log in as our local admin. It just shows a black screen and then loops back to the login page.
We are able to temporarily fix this by reinstalling macOS (without erasing the disk).
Has anyone experienced the same issue?
There were no changes to any of our existing policies in JAMF.
We are also using McAfee as our endpoint security, including for encryption.
Posted on 03-20-2023 08:21 AM
Are you not able to use the recovery key from JAMF? It should work for your local account; for the AD accounts, using the recovery key will desync the user's profile from AD, as macOS forces a password change locally.
Somewhat related: Apple is very clear about getting away from domain binding and using local accounts. Apple is no longer developing macOS with this workflow in mind. The FileVault recovery key workflow is one area that already has issues with mobile accounts.
Posted on 03-21-2023 01:23 AM
Hi,
The problem is that we are using McAfee as the one that handles disk encryption on the machine.
In our policy, we have disabled all software updates, as well as critical software updates. Is there a chance that any critical updates will still try to force themselves to install on the Mac?
Posted on 03-21-2023 03:47 AM
Move to using JAMF to enable FileVault. McAfee would be using a script to enable FileVault, which is a fully deprecated process that will be retired soon; there may be a recovery key escrowed from that, but it depends on what McAfee is doing with that script. However, Apple's spec for FileVault is to use a configuration profile from MDM to enable FileVault. If you want to minimize issues, do things the way Apple says to do them.
https://support.apple.com/guide/security/managing-filevault-sec8447f5049/web
As far as OS updates go, it's not possible to disable all software updates. Apple allows deferrals of up to 90 days; that is the farthest you can block them. If you have OS update deferrals configured, no OS updates, even once you tell the Mac to install with JAMF, will be able to install until the deferral date has passed.
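To make the recommendation above concrete, here is the shape of an MDM-delivered configuration profile that enables FileVault and escrows the personal recovery key (plus the software-update deferral the second paragraph describes). This is an added example, not text from the thread and not a profile generated by Jamf Pro or McAfee; the payload identifiers and UUIDs are placeholders, the escrow `Location` string is whatever your MDM expects, and the deferral values are illustrative. The payload types and keys (`com.apple.MCX.FileVault2`, `com.apple.security.FDERecoveryKeyEscrow`, `com.apple.applicationaccess` with `enforcedSoftwareUpdateDelay`) are Apple's documented ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Top-level profile. PayloadIdentifier/PayloadUUID are placeholders; your MDM sets its own. -->
  <key>PayloadType</key>        <string>Configuration</string>
  <key>PayloadVersion</key>     <integer>1</integer>
  <key>PayloadScope</key>       <string>System</string>
  <key>PayloadDisplayName</key> <string>FileVault (MDM-managed, example)</string>
  <key>PayloadIdentifier</key>  <string>com.example.filevault</string>
  <key>PayloadUUID</key>        <string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadContent</key>
  <array>

    <!-- 1. Enable FileVault. Replaces a script calling fdesetup: the OS enables
         encryption on the user's next logout/login and the MDM, not a script,
         owns the lifecycle of the recovery key. -->
    <dict>
      <key>PayloadType</key>       <string>com.apple.MCX.FileVault2</string>
      <key>PayloadVersion</key>    <integer>1</integer>
      <key>PayloadIdentifier</key> <string>com.example.filevault.enable</string>
      <key>PayloadUUID</key>       <string>00000000-0000-4000-8000-000000000002</string>
      <key>Enable</key>            <string>On</string>
      <!-- Defer: prompt at logout instead of enabling immediately, so a user with a
           secure token (not a root script) is the one that unlocks the disk. -->
      <key>Defer</key>             <true/>
      <!-- Generate a personal recovery key but do not show it on screen; it is escrowed below. -->
      <key>UseRecoveryKey</key>    <true/>
      <key>ShowRecoveryKey</key>   <false/>
      <!-- 0 = the user cannot skip the prompt; -1 would allow unlimited bypasses. -->
      <key>DeferForceAtUserLoginMaxBypassAttempts</key> <integer>0</integer>
      <key>DeferDontAskAtUserLogout</key>               <true/>
    </dict>

    <!-- 2. Escrow the personal recovery key to the MDM. With this payload present,
         macOS returns the key to the MDM server over the MDM channel, which is what
         lets an admin unlock the disk later without the (possibly desynced) AD password.
         Location is a free-text label shown to the user; its value is an assumption here. -->
    <dict>
      <key>PayloadType</key>       <string>com.apple.security.FDERecoveryKeyEscrow</string>
      <key>PayloadVersion</key>    <integer>1</integer>
      <key>PayloadIdentifier</key> <string>com.example.filevault.escrow</string>
      <key>PayloadUUID</key>       <string>00000000-0000-4000-8000-000000000003</string>
      <key>Location</key>          <string>Escrowed to your MDM server</string>
    </dict>

    <!-- 3. Software-update deferral. 90 days is the maximum Apple allows; there is no
         "disable updates" key, which matches the post above: deferred updates cannot be
         pushed early, even by the MDM, until the deferral window has passed. -->
    <dict>
      <key>PayloadType</key>       <string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key>    <integer>1</integer>
      <key>PayloadIdentifier</key> <string>com.example.filevault.updatedeferral</string>
      <key>PayloadUUID</key>       <string>00000000-0000-4000-8000-000000000004</string>
      <key>forceDelayedSoftwareUpdates</key> <true/>
      <key>enforcedSoftwareUpdateDelay</key> <integer>90</integer>
    </dict>

  </array>
</dict>
</plist>
```

Two practical caveats: on current macOS the FileVault and escrow payloads take effect only when the profile is delivered by the MDM that enrolled the device (manually installing it with `profiles` will not escrow the key), and a deferral of 90 days also delays the security-relevant point releases, so pick the smallest window your change process needs rather than the maximum.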
Posted on 03-26-2023 11:42 PM
I am now looking into using the JAMF Protect, that way, we can drop McAfee altogether. :-)