Applies to: All versions of Centrify DirectControl on Mac OS X 10.7 and above
When FileVault 2 is enabled for an AD user, two logins are required when logging into the Mac:
- The first login screen is the solid grey screen which is used to unlock FileVault 2.
- The second login screen is the standard Mac desktop login screen.
This behavior does not occur when enabling FileVault 2 for a local user.
Logging in with a local user only requires the first grey screen for unlocking FileVault 2, after which the system automatically logs the user straight through to their desktop.
Logging in with an AD account requires the two separate logins because the Mac agent needs to restart the SecurityAgent process after FileVault is unlocked.
This works fine for a normal login, but when FileVault 2 is enabled, the killing of SecurityAgent causes the login window to lose the current user context:

Oct 16 14:50:25 Developers-MacBook-Air com.apple.launchd (com.apple.SecurityAgent.00000000-0000-0000-0000-0000000186A5): Exited abnormally: Hangup: 1
and add the line:

adclient.autoedit.CentrifyPAM: false
After rebooting, it should only require one login screen again.

NOTE: Be aware that this workaround carries some risk when the computer needs to leave the domain:
- First remove the centrifydc.conf edit
- THEN leave the domain.
Leaving the domain without performing these steps may cause local users to not be able to log in after rebooting.
This issue is resolved from Centrify agent version 5.1 onwards.
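
The leave-domain order from the note above can be enforced with a pre-flight check. The script below is an added example, not Centrify's own tooling; it assumes the path to centrifydc.conf is passed as an argument and that `#` starts a comment in that file.

```shell
#!/bin/sh
# Added example: pre-flight check for the leave-domain order in the note.
# Assumptions: the conf path is passed by the caller, '#' starts a comment,
# and any uncommented "KEY: false" line counts as the workaround being active.

KEY='adclient.autoedit.CentrifyPAM'

# Exit 0 if the workaround line is active, 1 if not, 2 if the file is unreadable.
workaround_active() {
    [ -r "$1" ] || return 2
    awk -v key="$KEY" '
        {
            sub(/\r$/, "")            # tolerate CRLF line endings
            sub(/#.*/, "")            # drop full-line and trailing comments
            i = index($0, ":")
            if (i == 0) next
            k = substr($0, 1, i - 1)
            v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key && tolower(v) == "false") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Exit 0 only when it is safe to go on to the leave-domain step.
safe_to_leave_domain() {
    rc=0
    workaround_active "$1" || rc=$?
    case $rc in
        0) echo "STOP: $KEY: false is still set in $1; remove it first" >&2
           return 1 ;;
        1) echo "OK: workaround line not active in $1"
           return 0 ;;
        *) echo "ERROR: cannot read $1" >&2
           return 2 ;;
    esac
}

# Usage: sh check.sh <path-to-centrifydc.conf>
if [ $# -gt 0 ]; then
    safe_to_leave_domain "$1"
fi
```

Run it before leaving the domain and continue only on exit status 0; a commented-out copy of the line is treated as already removed.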