Jamf Nation Community

@jbainter, I guess you could set the unlocking user account to logout once logged in.

The you'll get the login window again.

BUT, I'm sure @rtrouton has seen this or has posted about it.

Hi, thanks for the responses.

The issue is that FV2 gives the screen with the user list. Turning off SSO will bring you to the normal OSX sign in instead of signing directly in since FV2 uses cached credentials. The customer is looking for something like PGP. This is a separate password to even post the system.

Thanks,
James

What you're requesting is something we've also requested to Apple a couple of years ago, and with each version of OS X over the last few years, the request is still being "reviewed" I'm equally irked by the fact that we can't display a Username & Password field for the FV2 screen instead of user icons. Its just baffling that something designed for security essentially reveals a list of usernames that can unlock the encrypted Mac right at the pre-boot screen - half the secret to getting in. How Apple actually sees that as "secure' is beyond me.

Unfortunately, if you use FileVault 2, there isn't an easy way around this. You could try setting up FileVault with an LDAP account that is actually disabled on the server side for login, so it would end up hitting the non FV2 login screen (username & password) just as it would if the FV2 password is out of sync with the AD account, but I'm not sure that would actually work.

Rich gave you the answer, at least the key bit:

1. Disable auto-login (reference the link he posted)
2. Create a separate local account JUST for unlocking the system and enable for FileVault
3. Do not enable any other accounts for FileVault

You'll boot and be presented with only whatever username you give this account from step 2, and a password field. The user will type the password, and then be taken to the typical OS login window (where you have the option to require they enter both a username and password; up to you).

This is our proposed solution for shared Macs. If you want to get cute, you can make it so that if anybody logs into this FileVault unlocking account, they're immediately logged back out to discourage them from using it for anything other than POA.

We will run this by the customer and see if that will appease their security team :)
Thanks everyone !

@rtrouton.. haha same time.. knew you'd be on it!

@JPDyson the last part of your response " you can make it so that if anybody logs into this FileVault unlocking account, they're immediately logged back out ", do you already know of or have a script for that? Or do you do that via another method. One issue is the customer does not allow for configuration profiles as they won't open up the network to the APN range..

@jbainter Haven't put it together yet; one idea I had was a simple launch agent that performs a logout.