10.7.4 login window changes for FileVault 2-enabled mobile users

May 24, 2012

FileVault 2 has a nifty invisible password update procedure for its enabled accounts (i.e. the accounts that show up at the pre-boot login screen). If you change your account’s password, the OS will automatically and invisibly update your FileVault 2 pre-boot login to match. This helps ensure that your account is consistently using the same password across the board.

However, there was a problem in 10.7.3. If your FileVault 2-enabled account was an Active Directory or Open Directory mobile account (where your password is managed by the AD or OD directory service), it’s possible to change your account’s password without your Mac’s OS being aware of it. For example, many worksites have a policy that you must change your password every so many days and also provide a website where you can change your password. If your encrypted Mac was offline at the time, it would not learn of that password change until the next time it started up and contacted the directory service.

What could happen in this case is the following:

1. Your account’s password gets changed outside the Mac.

2. You boot your encrypted Mac.

3. The pre-boot login screen accepts your old password, because that is the password it still has on record.

4. The OS boots, contacts the directory service and finds out about the new password.

5. Your old password doesn’t match the new password.

6. The OS doesn’t allow the login process to complete.

To your users, it would appear that the login process gets stuck and they are not passed on through to their desktop like they’re supposed to be.

The video below shows what happens in 10.7.3 in this scenario:

The workaround was to log in with another authorized account at the pre-boot login screen. That user would then log out to the regular login window, and the affected user would log in to their account there with the new password. The login would succeed, which would in turn update the FileVault 2 pre-boot login to use the new password.

In 10.7.4, this behavior has been addressed with the following updated login process:

1. Your account’s password gets changed outside the Mac.

2. You boot your encrypted Mac.

3. The pre-boot login screen accepts your old password, because that is the password it still has on record.

4. Next, you get the regular login window and type your account’s new password there. That allows the login process to complete and also updates the FileVault 2 pre-boot login to use the new password.

5. After that, you should get the option to allow you to update your login keychain’s password (just like a regular login where the password is changed.) Once done, your keychain should be using your new password as well.

The video below shows what happens in 10.7.4 in this scenario: