
How can I disable 'Automatic login' with FileVault 2?

When FileVault 2 is enabled on 10.7, the users that can unlock a machine are shown at boot. When their password is entered, that user is automatically logged in. I would like to disable this option, but when FileVault is enabled the option to disable (in SysPrefs/Accounts/Login Options) is greyed-out - and even though I have previously set Automatic login to 'off', this makes no difference.

Posted on Aug 5, 2011 2:19 AM


Aug 5, 2011 4:32 AM in response to Rob Hall1

Hi Rob,

Rob Hall1 wrote:

When FileVault 2 is enabled on 10.7, the users that can unlock a machine are shown at boot.

You can avoid this by setting "Display login window as Name and password" in the Login Options.

When their password is entered, that user is automatically logged in.

Yes, I found out that every user has access to the encrypted volume if it's a boot volume.

I would like to disable this option, but when FileVault is enabled the option to disable (in SysPrefs/Accounts/Login Options) is greyed-out - and even though I have previously set Automatic login to 'off', this makes no difference.

I think you're confused about Automatic Login: this is a mechanism where a user is logged in automatically based on a predefined password defined in System Preferences by an admin account. So there is no need to enter a password to access the Mac when it boots.

Automatic Login, as well as the capability to use Guest Accounts, should be disabled automatically when the boot disk is encrypted by FileVault 2. Whatever the check boxes say, it should not work anymore. In addition, all accounts have to have a password. In short: all the accounts on your Mac have access to a FileVault 2 encrypted boot volume.

Hope this helps,

Eric

Aug 5, 2011 5:15 AM in response to EVO67

Thank you for replying. I still have some unanswered questions, so I will provide a scenario and try to explain what I want to achieve:

Mac has two users; 'Admin' (administrator account) and 'dave' (normal account). When logged in as Admin, I turn on FileVault via the SysPrefs pane and the Mac asks to be rebooted (so that corestorage can do its thing i.e. unmount the disk and start the encryption etc). The Mac reboots and immediately shows me an icon for the Admin user and asks for the password. I enter the password and the Mac starts and logs in as the Admin user, without showing me the usual login window. I appreciate, from what you say above, that this is different from the 'Automatic login' setting in Accounts, but the net effect is still the same; the Mac logs in as the user who can unlock the disk.

I add 'dave' to the FileVault pref pane. That user can now unlock the encrypted drive on boot and will now automatically be logged in, and so on with any additional users I create locally on that machine.

What I would like to achieve is as follows (and please bear in mind that these are Macs in a corporate, managed and supported environment where we use PGP WDE and need a workaround until PGP pull their finger out and support 10.7):

The Mac is encrypted initially under the 'Admin' account. A 2nd user generically called 'diskunlock' with some generic but secure password is added to FileVault. The owner of the machine uses the diskunlock account to unlock the machine, they then get the normal login window and they enter their Active Directory username and password and log in as normal.

PS I know I can use the diskutil command to convert the disk to a corestorage volume and encrypt the machine with a master password, but this is not ideal. I would prefer to use the setup above, if possible. It's just the fact that any user who can unlock a FV disk is automatically logged in that I want to change.

PPS - I must say that corestorage is a fantastic new feature and FileVault2 in a non-corporate environment works really well. My wife loves it on her home MacBook 🙂

Feb 2, 2012 3:22 PM in response to Rob Hall1

Rob,

I've been working on this this past couple of weeks myself, and yesterday was my lucky day. My Mac Mini Servers arrived so I can finally set up Open Directory, and Apple released the Lion 10.7.3 update. Initially I was going for a setup similar to yours, where we are using a local account on the Mac to unlock FileVault and then logging into Active Directory. We're also using Open Directory to set up MCX on the Macs.

In my testing today the only way I found to stop the FileVault AutoLogin was to set an MCX policy to disable local users. (Local users with admin access are still allowed to log in.) This worked: the local user was able to unlock FileVault and boot the machine. Instead of automatically logging in, an error message appeared stating "Local Accounts are not allowed to log in. Contact your network administrator" or something very similar to that. Clicking OK dropped you to the login screen. Not ideal, but better than nothing.

Then I configured my Active Directory bind and set up and configured the AD plug-in to create mobile accounts. I then logged out (not rebooted!) and logged in using an Active Directory account. Mobile account created, great. I then checked System Preferences > Security > FileVault, and saw the message "Some users are not able to unlock the disk." This was a great thing to see, as before binding to AD and creating a mobile account all the local users were able to unlock the disk. When I clicked Enable Users, sure enough my AD user showed up and I was able to enable my AD user to unlock the disk (had to enter my AD password). I rebooted, and my AD account was presented as one of the options to unlock the disk. Logged in, and success! FileVault unlocked, and the Mac logged into my Active Directory account!!!

Not sure if this is how it would have worked on 10.7.2 or earlier versions of Lion; I could not get earlier versions to bind successfully to Active Directory. With yesterday's release of 10.7.3 I am a very happy Mac Administrator. 😁
