Applies to: Centrify DirectControl for Mac
Question:
How does enabling FileVault affect the user experience when logging in?
After enabling FileVault, why does the banner via the "Set login window settings" group policy no longer show?
After enabling FileVault, why do I no longer receive the option to log in with other users, or a name and password field?
Answer:
When FileVault is enabled, the disk is fully encrypted. Before the normal login can proceed, the disk needs to be unlocked. Apple accomplishes this by using a different login screen when the Mac boots while using FileVault. The FileVault login screen will only show a list of users that have been enabled to unlock the disk. Once a FileVault-enabled user unlocks the drive, the Mac will use that user's credentials to also log in that same user, thus bypassing the normal login window for Mac OS X.
Because FileVault has a different login screen, the "Set login window settings" group policy will not apply to this FileVault login screen. This is why a banner set in that policy will not appear.
In order to unlock FileVault at this login screen, a user must be a FileVault-enabled user. If a user is not a FileVault-enabled user, they will not be listed on the FileVault login screen. For a user to be enabled to unlock FileVault, they must be a local account or a mobile account for a network user. A network user that is not a mobile account would not be expected to be able to unlock FileVault.
Unlocking FileVault occurs when the computer boots. When logging out (not restarting the Mac), you will be returned to the normal Mac OS X login screen and FileVault will still be unlocked. You will then be able to log in with other user accounts that are not FileVault-enabled users.
In the below screenshot, we see two accounts that have been enabled to unlock FileVault, as denoted by a check in a green circle. We also see one account that has not yet been enabled, but can be with the "Enable User..." button. With the current configuration in this screenshot, the FileVault login screen would be expected to only show two user accounts.
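The same check can be made from a terminal. The script below is an added example, not part of the original article or Centrify's tooling: it parses the `username,UUID` lines printed by `fdesetup list` and reports which accounts would be missing from the FileVault login screen. The function names and sample data are constructed, and the use of `LocalCachedUser` in `AuthenticationAuthority` to recognise a mobile account is an assumption about the local directory record.

```shell
#!/bin/sh
# Added example: find accounts that cannot unlock FileVault at boot.

# Constructed sample of `fdesetup list` output (shortname,GeneratedUID).
SAMPLE_LIST='localadmin,11111111-2222-3333-4444-555555555555
jsmith,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'

# Read `fdesetup list` output on stdin, print the enabled short names.
fv_enabled_users() {
    awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# fv_not_enabled LIST_OUTPUT user...
# Print each named user that is absent from the FileVault-enabled list,
# i.e. each user that will not be shown on the FileVault login screen.
fv_not_enabled() {
    list_output=$1; shift
    enabled=$(printf '%s\n' "$list_output" | fv_enabled_users)
    for u in "$@"; do
        # -F fixed string, -x whole line: "jsmith" must not match "jsmith2".
        printf '%s\n' "$enabled" | grep -Fxq -- "$u" || printf '%s\n' "$u"
    done
}

# account_kind AUTH_AUTHORITY
# Classify an account from the value of its AuthenticationAuthority
# attribute in the local node (dscl . -read /Users/NAME AuthenticationAuthority).
# Assumption: mobile accounts carry "LocalCachedUser"; an empty value means
# there is no local record, so the user is network-only and cannot be enabled.
account_kind() {
    case $1 in
        '')                echo network ;;
        *LocalCachedUser*) echo mobile ;;
        *)                 echo local ;;
    esac
}

# Live use on a Mac, as root: ./script.sh user1 user2 ...
if command -v fdesetup >/dev/null 2>&1 && [ "$#" -gt 0 ]; then
    fv_not_enabled "$(fdesetup list)" "$@"
fi
```

A user reported by `fv_not_enabled` whose `account_kind` is `network` must first be converted to a mobile account before it can be enabled to unlock the disk.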