Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Show keyboard input menu on FileVault encrypted Mac

Hi everyone,

acutally I got the problem, that on FileVault encrypted Macs the input menu for keyboard layouts won't show up in the boot screen.

The setting for the keyboard input menu is located in /Library/Preferences/ with the key showInputMenu and a boolean value.

If I try to set the value via defaults write, the checkbox in System Preferences is active and the input menu is shown in login window. BUT if the computer is FileVault encrypted, the input menu won't show up in the boot screen.

Only if I set the checkbox manually in System Preferences, the input menu shows up in loginwindow and in boot screen.

I tried Composer to evaluate which files are changed during clicking in System Preferences. The only valuable file is /Library/Preferences/

Does anyone have the same problems?

Thanks in advice,

Like Comment
Order by:
SOLVED Posted: by Josh_S

When you check the box in the GUI it makes some modifications to files on the recovery partition, which makes sense because the main drive is not decrypted at that stage of login on a FV2 encrypted Mac. What is currently eluding me is how to push settings changes to the recovery partition. I'll play a bit more and see if I can figure it out.

SOLVED Posted: by Josh_S

I think I got this figured out. When you update a setting via the GUI, it updates the associated "efires" cache files and then writes those to the Recovery HD. In order to update the efires files without going through the GUI, you have to 1) Update the settings file, 2) Clear the efires cache files to force the system to rebuild them directly from the plist files the next time the Recovery HD is updated, and 3) Tell the system to update the Recovery HD.

defaults write /Library/Preferences/ showInputMenu -bool TRUE
rm /System/Library/Caches/*.efires

Edit: Thanks Rich. It appears that you are right and that you do not need to run "fdesetup sync" to force an update. The system seems to automatically update the Recovery HD after erasing those files. I've updated the code block to remove that.

Technically the "sync" verb of fdesetup is not meant for this, and it might have unintended consequences if there is an OD/AD user account enabled for FileVault that has been deleted, but it does force an update of the preference files. Hopefully Apple realizes the need/desire for this functionality and includes it in a future update.

SOLVED Posted: by m.entholzner

Perfect, this works! Many thanks for figuring this out, you made my day :)

SOLVED Posted: by rtrouton

The fdesetup sync part may not be needed. I was able to do this:

sudo defaults write /Library/Preferences/ LoginwindowText "My Login Window Text Goes Here"
sudo defaults write /Library/Preferences/ showInputMenu -bool TRUE
sudo rm /System/Library/Caches/*.efires

On restart, the FileVault pre-boot login screen looked like this, with keyboard input and login text now showing.

external image link

SOLVED Posted: by mm2270

All good information. Thanks Josh_S and Rich for figuring this stuff out. Though we don't currently have a need to enable this, its nice to know its possible.

SOLVED Posted: by mboylan

Rather than manually removing those caches, the Apple recommended way to synchronize the EFI loginwindow is via the following command:

sudo touch /System/Library/PrivateFrameworks/EFILogin.framework/Resources/EFIResourceBuilder.bundle/Contents/Resources

You'll see log entries like the following afterwards:

Jun 24 13:22:49 mbp-boylan.local[29396]: rebuilding /System/Library/Caches/
Jun 24 13:22:49 mbp-boylan.local efilogin-helper[29397]: targetVolume: /
Jun 24 13:22:49 mbp-boylan.local efilogin-helper[29397]: **** WARNING: cannot find showInputMenu key assumining NO
Jun 24 13:22:53 mbp-boylan.local[29396]: /System/Library/Caches/ not cached.
Jun 24 13:22:53 mbp-boylan.local fseventsd[64]: Logging disabled completely for device:1: /Volumes/Recovery HD
Jun 24 13:22:54 mbp-boylan.local[29396]: Successfully updated disk0s3.
SOLVED Posted: by maik.sanftenberg

I used this till now as well to fix my problem with "out of sync" FileVault passwords (in most cases Users forgotten there passwords).
But it seems to be not longer working since 10.9.4 for mobile AD accounts.

Did anybody have an idea why?


SOLVED Posted: by m.entholzner

FileVault passwords have to be synced with an "fdesetup sync".

SOLVED Posted: by maik.sanftenberg

@entholzner thanks.
I will give it a try.