Understand macOS FileVault and User Login Windows

Users encounter two distinct login windows when FileVault is enabled on macOS devices. This article answers the most common questions about the macOS device login flow, detailing the FileVault and JumpCloud user login windows.

FileVault Login Window

When powering on a macOS device from an off state, the FileVault login window appears first.

Prerequisites:

FileVault login window on macOS devices.

  • What is FileVault encryption? FileVault is Apple's disk encryption feature. When it is enabled, an additional login window, known as the FileVault login window, appears before the operating system loads.
  • How do you identify the FileVault login window?
    • The JumpCloud Service Account appears at the FileVault window.
    • On Apple Silicon devices, pressing Option + Shift + Enter presents an option to enter the Recovery Key to unlock the disk. To clear this and return to the user list, click the back arrow, or press the Escape key.
      Enter the FileVault recovery key on macOS devices.
  • How often do users need to perform this initial login? Users log in at the FileVault window once per boot to unlock the disk; the window appears only on startup or after a reboot.
  • Is the device connected to the network here? The device isn't connected to any network because the operating system isn't fully loaded. The JumpCloud agent cannot check in, so the device shows as inactive in the Admin Portal.
  • Is MFA required here? No, the FileVault window doesn't prompt for device MFA. You'll be prompted for MFA at the device login window.
  • How does FileVault handle password changes? Password changes from the Admin Portal or the User Portal don't affect the FileVault login window, because the device is inactive and not connected to a network when that window is shown.
  • How is the FileVault password updated? The recommended method for password changes is the JumpCloud Mac Menu Bar app, because it updates the FileVault password automatically. Other password reset methods only change the JumpCloud user password and require additional steps, such as entering the new password at the device login window, before it syncs to FileVault.
  • What should a user do if they're locked out? If a user is locked out at the FileVault window on a device with JumpCloud's FileVault 2 MDM policy, retrieve the recovery key from the JumpCloud Admin Portal and use it to unlock the disk and reach the user login window.

JumpCloud macOS User Login Window

On JumpCloud managed devices, after entering the FileVault password, the JumpCloud macOS login window appears.

Considerations:

The JumpCloud macOS device login window with SSAO enabled.

  • How do you identify the JumpCloud login window? This login window has a bottom navigation bar with power, network, and refresh options in addition to the JumpCloud logo. The JumpCloud Service Account doesn't appear in the user list here.
  • Is the device connected to the network here? At the user login window, the device is connected to Wi-Fi if the network credentials are cached, or to a wired network via Ethernet.
  • At what point does the JumpCloud agent consider the device active? The device is in an active state once it's connected to the internet and the agent is able to check in.
  • How does device MFA alter the login experience? With device MFA enabled and enforced in JumpCloud, the TOTP and PUSH buttons appear below the password field. Select the appropriate MFA method and proceed to log in.
    TOTP and Push MFA buttons appear during the login to a macOS device login window.
  • If the JumpCloud password is changed elsewhere, does it apply here? Yes, password changes from the Admin Portal or the User Portal apply here on the next login. However, if the user is able to log in to the device, changing the password through the JumpCloud Menu Bar app is recommended, because that also updates the FileVault password.
  • What happens when a user logs out of their device account? When users log out, they return to the JumpCloud login window, not the FileVault window.
  • Do JumpCloud policy and user updates apply here? At the user login window, the agent is active, and the device will receive user and policy updates made in the JumpCloud Admin Portal.

Alternate macOS User Login Window

When Self-Service Account Provisioning is disabled, the device login window more closely resembles the default macOS login window.

The macOS device user login window with SSAO disabled.

  • How do you identify this login window?
    • The JumpCloud Service Account doesn’t appear.
    • Pressing the Option + Shift + Enter key combination has no effect.
    • Selecting a user presents a square password login box.

Troubleshoot: FileVault Password Doesn’t Sync

Problem: A user may get stuck on the FileVault login window if their FileVault password hasn’t synced with their JumpCloud password.

Cause: This issue can be caused by an off-device password reset, an unhealthy service account, or an incomplete account takeover process.

Resolution: To resolve this, follow these troubleshooting steps:

  • Confirm the user is at the FileVault window: Verify that the user is on the FileVault login window and not the JumpCloud user login window. The quickest way to tell is the presence of the JumpCloud Service Account in the user list.
  • Reset the user's password using the recommended method: Ensure that password resets are performed through the Menu Bar app on the macOS device, which updates both the JumpCloud and FileVault passwords at the same time.
  • Complete the user account takeover process: Make sure the takeover process for managing the user account and password via JumpCloud has been completed.
  • Retrieve the FileVault Recovery Key: If the user is locked out, use the JumpCloud FileVault 2 MDM policy to obtain the recovery key from the Admin Portal. The recovery key unlocks the disk so the user can reach the user login window.

Following these steps helps ensure that the FileVault and JumpCloud passwords are synchronized and that the user can log in.
