How to allow multiple network users to log in on a Mac with FileVault enabled

I have a scenario where I have connected all of our Mac machines to Active Directory (which is a pain in itself). However, after enabling FileVault from an Administrator account, I saw that network users can't log in even after enabling "Display login window as: Name and password". First I have to log in with an admin account and then log out, which then allows only one network user to log in, which is not an ideal solution. There are some solutions, but what if I don't know the user and would like to make the Mac machine open so that a random AD user can log in on that machine (FileVault enabled)? Any suggestion or solution will be highly appreciated.


Solution 1:

I will explain this process very technically, in detail.

When you have a disk encrypted with FileVault, the system needs to ask an authorised user to log in right after the EFI boot.

This is necessary because the system has to mount the disk, and it can't mount it without an admin password input.

You then see a screen with the avatars of local admin-level users.

That screen shows some user avatars because those users' avatars were inserted into the EFI boot image/NVRAM. At this point in the boot sequence there is no operating system loaded yet; it's just a simple boot screen asking for the user's password [which simulates the appearance of the GUI login screen], but it is just a static image containing the user avatars! (almost like a bootloader's static image, except that it asks for a user/password combination)

After you enter the password, the disk is mounted and the boot process begins.

After the loading bar reaches about 80%, that screen changes to another, almost identical one; it sometimes blinks at this point. This is the GUI interface being loaded, a process called WindowServer.

At this point the network interface is UP and the other network subsystems have just started, including the Open Directory services [which you need]. If the disk were NOT encrypted, this is the EXACT point where you would see the REAL login screen asking for username/password. But since the disk is encrypted and you provided the user/password to decrypt it earlier [before mounting the disk], it skips the real multi-user-mode login screen that should appear here and auto-logs in the username you entered before.

So in practice it is just a theatrical mimicry of a real login since boot, but it is fake, until the GUI is ready and then macOS does an auto-login once in multi-user mode, to make you think it was all kind of "magical". But there is no magic at all.

So what you need/want is impossible on that initial screen, because no network authentication protocol is up at that point. Even the disk isn't ready; it only becomes mounted and readable after entering the user/password combination.


You can get a better understanding of what I have written and how all this happens by booting a little differently:

Use the -v NVRAM boot argument to boot verbosely.

If you boot it using the "-v" NVRAM argument you can get a better view of what is happening "behind the scenes", and you can also see the moment the GUI loads and the auto-login happening.


What has to be done:

To achieve what you need, we have to prevent the auto-login mechanism on the real GUI [WindowServer] from happening.

This way you will have a local user just to mount the system disk at boot time; then after the GUI comes up it must stay in the logged-out state, showing the real login screen with the real avatars or fields to enter user/password (depending on how you prefer to log users in [by avatars or by text input of name/password]).

  • This will force 2 logins:

    • one for FileVault [at boot] and
    • one for the OS
  • On the second login you can either log in the same local user used at boot, or you can log in any other user.

  • This will also let you log in [on the second login] any AD user as you need.

(Remember that the first login is not a real login; it is just an authentication to mount the disk, so nobody is technically logged in on the UNIX/BSD [system portion] after mounting the disk. The real/true login only happens on the second one [on the GUI portion].)


How to do it:

To force 2 (two) logins there is a secret key to be added to the macOS configuration:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

After executing it, reboot, and it is done!

Please post your results. I just tested it now on encrypted El Capitan and it works! It should work up to Mojave (but I don't have any encrypted Mojave here to test it on now). I will test and validate it on Catalina tomorrow. If you can, please validate it for your macOS version and post the results, and we can build a mini-table here listing all known working versions later.

Executing the above command is completely safe; there is nothing to worry about.
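The procedure from the answer above, wrapped in a small script as an added example (this is not code from the original answer or from Apple). It applies the same `defaults write`, but first reads the current value back so you can see the before/after state, and lists which users hold a FileVault unlock (the people who can do "login #1"). It assumes macOS with `defaults`, `fdesetup` and `sudo` available; the helper names `fde_autologin_state`, `fde_unlock_users`, `read_fde_autologin` and `set_fde_autologin_disabled` are this script's own, not macOS commands. The text-processing helpers run anywhere; only the live part is gated on Darwin.

```bash
#!/bin/bash
# Added example (not part of the original answer): disable the FileVault
# auto-login so that the real loginwindow appears, and verify the change.
# Assumes macOS with `defaults`, `fdesetup` and `sudo`; every function
# below is our own helper, not a macOS command.

PLIST=/Library/Preferences/com.apple.loginwindow
KEY=DisableFDEAutoLogin

# Turn the raw `defaults read` value (1, 0, or empty when the key is unset)
# into a description of what happens after the FileVault unlock screen.
fde_autologin_state() {
  case "$1" in
    1)    echo "auto-login disabled: FileVault unlock, then the real login window" ;;
    0|"") echo "auto-login enabled: the unlocking user is logged straight in" ;;
    *)    echo "unrecognised value: $1"; return 1 ;;
  esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled
# user; return just the usernames so you can see who can do login #1.
fde_unlock_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 { print $1 }'
}

# Read the current value. The key is absent on a stock system, so the
# read fails there; swallow the error and return an empty string.
read_fde_autologin() {
  defaults read "$PLIST" "$KEY" 2>/dev/null || true
}

# The one-line fix from the answer, wrapped so it can be called after
# the before-state has been shown.
set_fde_autologin_disabled() {
  sudo defaults write "$PLIST" "$KEY" -bool YES
}

# Only run the live part on macOS; the helpers above are pure text
# processing and work on any POSIX system.
if [ "$(uname)" = "Darwin" ]; then
  echo "FileVault: $(fdesetup status)"
  echo "Users able to unlock the disk (login #1):"
  fde_unlock_users "$(sudo fdesetup list)" | sed 's/^/  /'
  echo "Before: $(fde_autologin_state "$(read_fde_autologin)")"
  set_fde_autologin_disabled
  echo "After:  $(fde_autologin_state "$(read_fde_autologin)")"
  echo "Reboot to get the second (real) login window for AD users."
fi
```

If the "Users able to unlock the disk" list is empty apart from the local admin, that is expected: network users never appear there, which is exactly why they need the second login that this setting restores.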