czarcub

Q: VNC SSH and services do not start unless a user logs in

Running a fresh install of OS X 10.11 with Server version 5.1.5.

For some reason the Mac mini will not show up on the network or allow any remote administration until you log in with a user account.

VNC and SSH specifically do not work and report timeouts.

The web service is accessible regardless of login status.

When I shut off FileVault encryption on the Mac the problem seems to go away. I manage about 8 other Mac servers and have never seen this behaviour before on any of them with similar setups. Anyone have any ideas as to what might be going on?

Mac mini, OS X El Capitan (10.11.5), OS X Server 5.1.5

Posted on May 24, 2016 3:00 PM


  • by czarcub,

    czarcub May 24, 2016 3:01 PM in response to czarcub

    Additionally, the Mini turns off about 15 minutes after booting if no login occurs. This is despite the fact that power saving options are all turned off.

  • by Strontium90,

    Strontium90 May 25, 2016 6:14 PM in response to czarcub

    If I am reading your description correctly, I believe you stated that you enabled FileVault encryption on the server's boot volume. This would explain the part about services not starting up until you "log in" as well as the eventual shutdown of the device if disk unlock is not completed. If you really have the drive encrypted, you are actually not logging in at this stage. You are authorizing the disk to unlock. Apple makes the disk unlock and eventual login seamless, but there are two steps going on. EFI hands the unlock credentials to login window and drops the authorized account to its Desktop.

    Now the one piece that is throwing me in your description is that you claim web ports respond during this period. That is not in line with typical behavior. An encrypted Mac will not initialize the Ethernet (or wireless) until the disk is unlocked and a true boot sequence occurs. If you are able to boot an encrypted Mac and get a reply for web servers, that is new to me.

     

    Generally, a server volume would not be encrypted.  It produces a number of challenges for any administrator and normal deployment choices would physically secure the device.  Some examples include the need to remotely reboot the server.  If the device is encrypted, you will physically need to be in front of the machine to unlock the drive to complete the boot process.  Failure to do this will result in the device powering off.  Next, a server is usually physically secured in a way that limits access.  In these circumstances, added disk encryption only hinders remote service as noted above.  Also, disk encryption is protecting data at rest.  A server should never be resting, so once the disk is unlocked and the device is booted, any exploit will have full access to your data.

     

    Not sure if this answers your question.  But it seems that disk encryption on your server is the cause of your issues.

     

    Reid

    Apple Consultants Network

    Author - "El Capitan Server – Foundation Services"

    Author - "El Capitan Server – Control & Collaboration"

    Author - "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store
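
Added example, not part of either post above: a pre-reboot check an administrator could run over SSH on a FileVault-encrypted server before restarting it, using Apple's `fdesetup` tool (`status`, `supportsauthrestart`, `authrestart`). The function names are hypothetical, and treating an in-progress encryption or decryption as "blocked" is a conservative assumption of this sketch.

```shell
#!/bin/bash
# Pre-reboot guard for a FileVault-encrypted Mac server (added example).
# Assumption: run as root on the server itself, before a remote restart.
# It only prints advice; it never restarts the machine.

# Classify the text printed by `fdesetup status`.
# Prints one of: on, off, converting, unknown
filevault_state() {
    case "$1" in
        *"Encryption in progress"*|*"Decryption in progress"*) echo converting ;;
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *) echo unknown ;;
    esac
}

# Decide how to restart.
# $1 = state from filevault_state
# $2 = "true"/"false" as printed by `fdesetup supportsauthrestart`
# Prints one of: plain, authrestart, blocked
reboot_plan() {
    case "$1" in
        off) echo plain ;;
        on)  if [ "$2" = "true" ]; then echo authrestart; else echo blocked; fi ;;
        *)   echo blocked ;;
    esac
}

# Only query the system when fdesetup exists, i.e. on OS X.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(filevault_state "$(fdesetup status 2>/dev/null)")
    plan=$(reboot_plan "$state" "$(fdesetup supportsauthrestart 2>/dev/null)")
    case "$plan" in
        plain)       echo "FileVault off: a normal restart comes back with SSH/VNC available." ;;
        authrestart) echo "FileVault on: restart with 'fdesetup authrestart' so the next boot unlocks the disk without console access." ;;
        blocked)     echo "FileVault state '$state': a restart will stop at the disk unlock screen and SSH/VNC stay down until the disk is unlocked at the console." ;;
    esac
fi
```

`fdesetup authrestart` prompts for credentials of a FileVault-enabled user and covers only the single restart it triggers; an unplanned reboot or power loss still ends at the unlock screen described in the answer.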