Introduction
Jamf Connect is a macOS Login Window replacement that authenticates users against an Identity Provider (IdP) and uses that authentication to create or sign in to a local account. FileVault is Apple's first-party solution for encrypting the boot disk of macOS devices.
By default the workflow for devices with FileVault enabled is as follows:
- The device boots up and shows the FileVault pre-boot login window
- The user authenticates
- macOS then boots, and the user's details are passed silently to the Login Window, which is bypassed for the end user
This is designed to improve the user experience and reduce the number of authentications the user is required to perform. This 'bypassing' of the login window also affects any replacement solutions, including Jamf Connect.
As a result, FileVault-encrypted devices can change the expected behaviour of Jamf Connect.
General Jamf Connect behaviour without FileVault
- User powers on their device
- The Mac boots to the installed macOS
- The Jamf Connect Login is displayed
- The user authenticates with Jamf Connect and either has their user account created or logs in as normal
- The user arrives at their desktop
Option 1: Default Jamf Connect behaviour with FileVault (after first login)
- The user powers on their device
- The Mac boots to a FileVault authentication screen
- The user selects their account and enters their local password
- The device uses these details to unlock the boot disk and reboot the Mac
- The user's details are passed silently to the Login Window, which is bypassed (including Jamf Connect Login)
- The user arrives at their desktop
Advantages of this method:
- The process is the same for a Mac without Jamf Connect
- The user only enters their password once per login
Disadvantages of this method:
- Jamf Connect Login is not used past the first authentication on the device
- Any requirements from Jamf Connect (such as Multi-Factor Authentication or authentication direct to the Identity Provider) will be ignored
Option 2: Jamf Connect behaviour with FileVault bypass disabled (after first login)
- The user powers on their device
- The Mac boots to a FileVault authentication screen
- The user selects their account and enters their local password
- The device uses these details to unlock the boot disk and reboot the Mac
- The user is presented with the Jamf Connect Login screen
- The user authenticates to the Identity Provider via Jamf Connect and logs in
- The user arrives at their desktop
Advantages of this method:
- Jamf Connect is used for every login to the device
- Any requirements from Jamf Connect (such as Multi-Factor Authentication or authentication direct to the Identity provider) will be upheld
Disadvantages of this method:
- The user will need to enter their credentials twice (for Okta) or three times (for Azure)
- The process is longer and more complicated than for a standard Mac without Jamf Connect
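Which of the two flows a given Mac will follow depends on two things: whether FileVault is on (so the pre-boot window appears at all) and whether the loginwindow pass-through is disabled. The script below is an added example, not part of this article or of Jamf's own tooling, for an administrator who wants to verify the state of a Mac against Option 1 or Option 2. It assumes the standard macOS mechanism for turning off the pass-through, the DisableFDEAutoLogin key in the com.apple.loginwindow domain (delivered by a configuration profile, it lands in /Library/Managed Preferences; set locally, it lives in /Library/Preferences), and it reads FileVault state from the first line of fdesetup status. The classification logic is separated from the live system reads so it can be exercised with constructed inputs on any machine.

```shell
#!/bin/sh
# Added example (not from the article or Jamf): report which of the two
# FileVault login flows a Mac will follow, based on FileVault state and
# the com.apple.loginwindow DisableFDEAutoLogin key that controls the
# FileVault pass-through ("bypass") into the login window.

# classify_login_flow FILEVAULT_STATUS_LINE DISABLE_FDE_AUTOLOGIN_VALUE
#   $1: first line of `fdesetup status`, e.g. "FileVault is On."
#   $2: value of DisableFDEAutoLogin ("1", "0", "true", "false",
#       or empty when the key is not set anywhere)
# Prints one of:
#   no-filevault | option1-passthrough | option2-jamf-connect-login
classify_login_flow() {
    fv_line="$1"
    disable_value="$2"
    case "$fv_line" in
        "FileVault is On."*) ;;                 # encrypted: pre-boot window appears
        *) echo "no-filevault"; return 0 ;;     # no pre-boot window, Jamf Connect Login shows normally
    esac
    case "$disable_value" in
        1|true|TRUE|YES|yes) echo "option2-jamf-connect-login" ;;
        *) echo "option1-passthrough" ;;        # Apple default: login window is bypassed
    esac
}

# read_managed_or_local_value: a profile-managed value takes precedence
# over a locally written one, so check the managed plist first.
read_disable_fde_autologin() {
    for plist in "/Library/Managed Preferences/com.apple.loginwindow" \
                 "/Library/Preferences/com.apple.loginwindow"; do
        # `defaults read` exits non-zero when the key is absent; keep looking.
        value=$(defaults read "$plist" DisableFDEAutoLogin 2>/dev/null) && {
            echo "$value"; return 0
        }
    done
    echo ""
}

# read_live_state: gather both inputs from a real Mac. Returns non-zero
# when the macOS tools are absent (e.g. when run on Linux).
read_live_state() {
    command -v fdesetup >/dev/null 2>&1 || return 1
    command -v defaults >/dev/null 2>&1 || return 1
    fv_line=$(fdesetup status 2>/dev/null | head -n 1)
    classify_login_flow "$fv_line" "$(read_disable_fde_autologin)"
}

# demo: constructed sample inputs so the logic can be exercised off a Mac.
demo() {
    echo "FileVault off, key unset:  $(classify_login_flow 'FileVault is Off.' '')"
    echo "FileVault on,  key unset:  $(classify_login_flow 'FileVault is On.' '')"
    echo "FileVault on,  key = 1:    $(classify_login_flow 'FileVault is On.' '1')"
}

if [ "${1:-}" = "--live" ]; then
    read_live_state || echo "fdesetup/defaults not available: not running on macOS"
else
    demo
fi
```

Run it with --live (as root, so the system-level plists are readable) on the Mac being checked; without arguments it prints the classification for the three constructed cases. A result of option1-passthrough on a device where MFA or direct IdP authentication is expected on every login is the mismatch this article's Option 2 exists to correct.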
Project implementation
If we are conducting a project to implement Jamf Connect in your environment, please let your implementation engineer know which option you would prefer.
Need further support?
Automate. Simplify. Succeed. If you still require assistance from us or have any further questions, please raise a ticket with our support team.
Alternatively, please see our frequently updated knowledge base articles for reference.