Mac after reboot only allows one account to logon

Afternoons all,

So I have a MacBook Pro, 2018 TB with High Sierra that's bound to a Windows domain, built via JAMF.

We have one admin account on the machine, which our IT team uses, and then the user account, where they themselves are also admins. I should point out I have admin rights on the machine.

Nothing special about these accounts as far as I'm aware.

However, when my user logs on to the machine to do their work and then reboots, at logon they are only prompted for the password for the IT admin account. They don't see the username and password fields.

I'm trying to go through the console logs but I'm unsure what I'm even looking for.

I should have mentioned, I have admin rights but some features are locked down via JAMF security profiles.

Anyone else seen this issue?


Solution 1:

FileVault is the clear case where the system will boot to a pre-OS screen and show you only the FileVault-enabled accounts. When you sign in and authenticate as one of these accounts, that unlocks a decryption key that allows the OS to be readable and starts the actual OS boot process.

You can determine which accounts have been enabled in FileVault by examining that system preference once you’re logged in to the running OS.

Since you managed MDM and JAMF, here is an article with great technical data on the need for a secure token to be provisioned for each FileVault-enabled account:

  • https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

Your IT team should investigate JAMF Connect, which extends the typical login screen to let any AD-allowed account log in. It can also be provisioned so that membership in an AD group maps to an admin local account or a non-admin local account. It’s an amazing tool and far better than binding, which can have many downsides.

  • https://www.jamf.com/products/jamf-connect/

Solution 2:

Go to Settings > Security and Privacy > FileVault. There should be a notice saying that some users are not allowed to unlock the vault, with an option to change the setting. You have to have admin privileges to change the setting.
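
Both answers come down to which accounts are FileVault-enabled. The script below is an added example, not part of either answer: it compares the accounts on the Mac with the output of `fdesetup list` and reports the ones that will be missing from the pre-boot unlock screen. The function name `filevault_missing`, the UID cutoff of 500 and the sample account names are assumptions made for the example.

```shell
#!/bin/bash
# Added example: find login accounts that are NOT FileVault-enabled, i.e. the
# accounts that will not be offered on the pre-boot unlock screen.

# filevault_missing ACCOUNTS FV_LIST
#   ACCOUNTS: "name uid" per line, as printed by `dscl . -list /Users UniqueID`
#   FV_LIST:  "name,UUID" per line, as printed by `fdesetup list`
# Prints every account with UID > 500 (assumed cutoff that skips system and
# service accounts) whose name is absent from the FileVault list.
filevault_missing() {
    fm_accounts=$1
    fm_fvlist=$2
    printf '%s\n' "$fm_accounts" | while read -r name uid; do
        [ -n "$name" ] || continue
        # Skip non-numeric or negative UIDs (e.g. nobody is -2).
        case $uid in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -gt 500 ] || continue
        # Exact match on the username field, so "admin" != "itadmin".
        if ! printf '%s\n' "$fm_fvlist" | cut -d, -f1 | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # On the Mac itself, run as root so fdesetup can list the enabled users.
    for u in $(filevault_missing "$(dscl . -list /Users UniqueID)" "$(fdesetup list)"); do
        echo "Not FileVault-enabled: $u"
        # Secure token state for the account (see the linked article).
        sysadminctl -secureTokenStatus "$u" 2>&1
    done
else
    # Constructed sample data, mirroring the situation in the question:
    # only the IT admin account is FileVault-enabled.
    SAMPLE_ACCOUNTS='root 0
nobody -2
_www 70
itadmin 501
jsmith 502'
    SAMPLE_FV='itadmin,00000000-0000-0000-0000-000000000001'
    filevault_missing "$SAMPLE_ACCOUNTS" "$SAMPLE_FV"
fi
```

Any account this reports is one the user cannot pick at the unlock screen after a reboot; enabling it for FileVault is the change Solution 2 describes.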