Home > FileVault 2, Mac administration > Setting a text-only login banner at the FileVault 2 pre-boot login screen

Setting a text-only login banner at the FileVault 2 pre-boot login screen

I got a notification today from Apple that one of my long-standing bug reports had been closed out as fixed. The bug report was Bug ID 9226657 – Need to set login banner on pre-boot login screen for encrypted Macs. They also pointed me at a new Apple KBase article, with a publication date of February 9th, 2012.

This has been a long-standing feature request of mine, so I’m glad to see it’s now been addressed. That said, there are some limitations to be aware of. See below the jump for the details.

1. You can set a lot of text, but you may cover up the pre-boot account icons and password blank.

As shown below, a security warning written with Twitter’s 140 characters in mind will serve you well.

Screen Shot 2012-02-09 at 3.17.38 PM

Screen Shot 2012-02-09 at 3.17.59 PM

2. You can set a login banner with MCX defaults, but you may need to click a checkbox to apply it at the pre-boot login screen.



Update (March 22, 2012): It appears that you can’t do this entirely with MCX after all. Using defaults will set the banner for the login and lock screens. Using MCX will just set it for the login screen.

You can set the login banner’s text by using the following command or by using its equivalent in MCX:

sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText “Your Text Here”

This text will apply right away to your screen saver lock screen and the OS login window.

Screen Shot 2012-02-09 at 4.29.54 PM

Screen Shot 2012-02-09 at 4.31.09 PM

However, to get it to apply at the pre-boot login screen you need to do this extra step in System Preferences: Security & Privacy.

Update: You only need to do the steps below in the event that the login banner wasn’t set prior to encryption. If the login banner text is set, then the encryption is enabled, the login banner will appear at the pre-boot login screen without additional action needed.

1. Apply your login window text, either through MCX or by running the defaults command above.

2. Open the Security & Privacy preferences.

3. Select the General tab.

4. Click the the lock to unlock access to the settings.

5. In the Show a message when the screen is locked: settings, you should see the text of your login banner.

Screen Shot 2012-02-09 at 4.45.16 PM

6. If unchecked, check the Show a message when the screen is locked: settings box. If already checked, uncheck and then recheck the box. This will trigger the pre-boot login banner to be written.

Screen Shot 2012-02-09 at 4.45.19 PM

7. Verify that the pre-boot login banner is set by rebooting your Mac. The text should appear as shown below.

Screen Shot 2012-02-09 at 3.15.29 PM

Screen Shot 2012-02-09 at 3.15.43 PM

If you need something more full-featured for your security warning, you may also want to leverage Lion’s ability to display a policy banner . In this case, you can have a minimal warning at the pre-boot login screen, but your users would need to accept the policy banner’s dialog before the login process completes.

  1. February 13, 2012 at 2:49 am

    It appears that checking the box sets the LoginwindowText in nvram for the pre-boot environment — `nvram -p | grep good-samaritan-message`

  2. August 15, 2012 at 1:59 am

    I was just trying this on a newly deployed image on 10.7.4 and I am getting an error in ARD when issuing the command. Unexpected arguments your; leaving defaults unchanged. That isn’t exactly a clear message and looks like broken English. I never touched the GUI and I’m wondering if that is a requirement.

  3. August 15, 2012 at 2:01 am

    I should add that all I’m trying to do is add text to the loginwindow – sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText “Your Text Here”

  4. August 15, 2012 at 10:45 am

    Kurt,

    Does the text you’re adding include any apostrophes or quote marks? I’ve seen those cause problems for the defaults command.

  5. August 16, 2012 at 2:54 am

    Unfortunately it doesn’t. I even tried the “Your Text Here” just to see. I’m going to try it on a different image and see if I find success. I’ll post back.

  6. Reliant
    November 28, 2012 at 6:38 pm

    Dang, did they change this in 10.8.2? on the FV2 screen it will now only show 3 lines of text with out a scroll bar.

    Also I cant get the set defaults command to work like Kurt. :/

    Speaking of FileVault I really hope they enable an option to turn off the pre boot. I know we can disable it one time on reboot but it would be great to be able to turn that off if you wanted to.

  7. July 8, 2013 at 6:45 pm

    we are setting our login banner using a profile, but it will not show up at the Filevault login screen. Any ideas?

  8. Kevin
    March 26, 2014 at 8:18 pm

    RIch -
    Are you aware of a method of changing the Recovery Key help message from:

    “Change message If you forgot your password, you can… …reset it using your Recovery Key”

    to some other message? My organization utilizes Casper to centrally manage individual recovery keys and we’d like to instruct users (via this message) to contact the help desk or some much team.

    Any thoughts?

    Thanks again,
    Kevin

  9. Tim Kimpton
    November 19, 2014 at 10:08 am

    Any idea if its possible to get more that 3 linesof text in fv2?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 167 other followers

%d bloggers like this: