Setting a text-only login banner at the FileVault 2 pre-boot login screen
I got a notification today from Apple that one of my long-standing bug reports had been closed out as fixed. The bug report was Bug ID 9226657 – Need to set login banner on pre-boot login screen for encrypted Macs. They also pointed me at a new Apple KBase article, with a publication date of February 9th, 2012.
This has been a long-standing feature request of mine, so I’m glad to see it’s now been addressed. That said, there are some limitations to be aware of. See below the jump for the details.
1. You can set a lot of text, but you may cover up the pre-boot account icons and password blank.
As shown below, a security warning written with Twitter’s 140 characters in mind will serve you well.
2. You can set a login banner with MCX or defaults, but you may need to click a checkbox to apply it at the pre-boot login screen.
Update (March 22, 2012): It appears that you can’t do this entirely with MCX after all. Using defaults will set the banner for the login and lock screens. Using MCX will just set it for the login screen.
You can set the login banner’s text by using the following command or its equivalent in MCX:
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Your Text Here"
This text will apply right away to your screen saver lock screen and the OS login window.
However, to get it to apply at the pre-boot login screen you need to do this extra step in System Preferences: Security & Privacy.
Update: You only need to do the steps below in the event that the login banner wasn’t set prior to encryption. If the login banner text is set and encryption is then enabled, the login banner will appear at the pre-boot login screen without additional action needed.
1. Apply your login window text, either through MCX or by running the defaults command above.
2. Open the Security & Privacy preferences.
3. Select the General tab.
4. Click the lock to unlock access to the settings.
5. In the Show a message when the screen is locked: settings, you should see the text of your login banner.
6. If unchecked, check the Show a message when the screen is locked: settings box. If already checked, uncheck and then recheck the box. This will trigger the pre-boot login banner to be written.
7. Verify that the pre-boot login banner is set by rebooting your Mac. The text should appear as shown below.
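For scripted deployment, the defaults step above can be wrapped with a length check and a read-back, so that a banner long enough to cover the pre-boot icons is never pushed out. This is an added example, not part of the original post: the function names are hypothetical, and treating the post's 140-character rule of thumb as a hard limit is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root on the target Mac:
#   sudo sh set_banner.sh --apply "Your Text Here"
PLIST=/Library/Preferences/com.apple.loginwindow
KEY=LoginwindowText
MAX_LEN=140   # assumption: the post's Twitter-length guidance used as a hard cap

# Print "ok", or the reason the text should not be deployed.
banner_check() {
    if [ -z "$1" ]; then echo "empty"; return 1; fi
    if [ "${#1}" -gt "$MAX_LEN" ]; then echo "too-long:${#1}"; return 1; fi
    echo "ok"
}

# Write the banner, then read it back to confirm the stored value matches.
# Prints one of: set, unchanged, mismatch, write-failed, rejected:<reason>.
apply_banner() {
    reason=$(banner_check "$1") || { echo "rejected:$reason"; return 1; }
    current=$(defaults read "$PLIST" "$KEY" 2>/dev/null || true)
    if [ "$current" = "$1" ]; then echo "unchanged"; return 0; fi
    defaults write "$PLIST" "$KEY" "$1" || { echo "write-failed"; return 1; }
    stored=$(defaults read "$PLIST" "$KEY" 2>/dev/null || true)
    if [ "$stored" = "$1" ]; then echo "set"; else echo "mismatch"; return 1; fi
}

# Only act when called with --apply, so sourcing the file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    apply_banner "${2:-}" &&
        echo "If the disk was encrypted before the banner was set, re-toggle" \
             "'Show a message when the screen is locked' in Security & Privacy."
fi
```

The script only covers the defaults step. On a Mac that was already encrypted, the checkbox toggle in steps 2 through 6 is still what writes the banner to the pre-boot screen.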
If you need something more full-featured for your security warning, you may also want to leverage Lion’s ability to display a policy banner. In this case, you can have a minimal warning at the pre-boot login screen, but your users would need to accept the policy banner’s dialog before the login process completes.