
FileVault login screen differences between Intel and Apple Silicon Macs

As new Apple Silicon Macs (ASM) have begun making their way to organizations which use FileVault encryption to secure their fleets, a difference between Intel Macs and ASMs has become apparent.

Intel Macs:

  • Support account icons and password blanks at the FileVault login screen
  • Unable to support username blanks at the FileVault login screen
  • Unable to support smart cards for login at the FileVault login screen


ASMs:

  • Support account icons and password blanks at the FileVault login screen
  • Support username and password blanks at the FileVault login screen
  • Support smart cards for login at the FileVault login screen


Why the differences between platforms? For more details, please see below the jump.

Intel Macs

On Intel Macs, Apple depends on the EFI login environment for the FileVault 2 login screen. This environment is very limited in functionality; in the FileVault 2 context it provides a way to boot the Mac while the main boot volume is locked by FileVault’s encryption. Once EFI has booted the Mac, the Mac uses authentication from the user and the tools stored on the unencrypted Preboot volume to unlock the much larger encrypted boot volume.

EFI’s limitations mean that only a password blank is truly supported, with Apple having pushed the limits to support correctly matching up multiple account icons with the corresponding multiple account passwords.

Apple Silicon Macs

On ASMs, there is now a unified macOS login experience which includes FileVault logins. For details on this, I recommend checking out the "Explore the new system architecture of Apple Silicon Macs" session video from WWDC 2020. The explanation is available starting around 20:14.


On Apple Silicon Macs, macOS has a unified log-in experience. It supports a richer UI with accelerated graphics that is also consistent with macOS look and feel. This experience is made possible by fully booting macOS without requiring the user to unlock the system.

The unified log-in experience allows the introduction of new features even when FileVault is on. For example, it now has built-in support for authentication with CCID and PIV-compatible smart cards, as well as VoiceOver support for accessibility improvements.

In summary, the reason the FileVault login screen is different on ASMs is that Apple no longer needs to use the EFI login environment. Instead, ASMs are able to fully boot macOS while still securing user data within a locked volume which is protected by FileVault.

This is a huge leap forward for ASMs in terms of FileVault login functionality, as there is no longer a login functionality divide between enabling FileVault and not enabling FileVault. As of macOS Big Sur and the M1 ASMs, FileVault logins should now be able to use whichever authentication methods are supported by macOS. More importantly for the future, as native support for new authentication methods is added to the OS, FileVault logins should be able to use them natively as well.
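
For fleets rolling out smart card or username-based login, the split described above can be checked per machine. The following script is an added example, not code from this post or from Apple: it maps `uname -m` and `fdesetup status` output to the login-screen capabilities listed above, using a constructed sample inventory with made-up hostnames; the function names and output labels are assumptions.

```bash
# Added example (not from the post): which FileVault login-screen options a Mac offers.
# login_options ARCH FDE_STATUS: ARCH is `uname -m` output, FDE_STATUS the
# first line of `fdesetup status`. "yes" means supported, not necessarily enabled.
login_options() {
  case "$2" in
    "FileVault is On."*) ;;
    "FileVault is Off."*) echo "filevault=off login=standard-loginwindow"; return 0 ;;
    *) echo "filevault=unknown"; return 0 ;;
  esac
  case "$1" in
    arm64)  echo "filevault=on login=unified-macos username_field=yes smartcard=yes" ;;
    x86_64) echo "filevault=on login=efi username_field=no smartcard=no" ;;
    *)      echo "filevault=on login=unknown-arch" ;;
  esac
}

# audit_inventory: read "host|arch|fdesetup status" lines on stdin and flag
# hosts where a smart card rollout would stop at the FileVault screen.
audit_inventory() {
  while IFS='|' read -r host arch status; do
    [ -n "$host" ] || continue
    opts=$(login_options "$arch" "$status")
    case "$opts" in
      *smartcard=no*) flag="PASSWORD-ONLY-AT-UNLOCK" ;;
      *)              flag="ok" ;;
    esac
    printf '%s\t%s\t%s\n' "$host" "$flag" "$opts"
  done
}

# Constructed sample inventory (hostnames are made up).
sample_inventory() {
  cat <<'EOF'
mac-intel-01|x86_64|FileVault is On.
mac-m1-01|arm64|FileVault is On.
mac-intel-02|x86_64|FileVault is Off.
EOF
}

sample_inventory | audit_inventory

# On a real Mac, classify the local machine as well.
if [ "$(uname -s)" = "Darwin" ] && command -v fdesetup >/dev/null 2>&1; then
  arch=$(uname -m)  # reports x86_64 when run under Rosetta
  [ "$(sysctl -n hw.optional.arm64 2>/dev/null)" = "1" ] && arch=arm64
  status=$(fdesetup status 2>/dev/null | head -n 1)
  printf '%s\t' "$(hostname)"; login_options "$arch" "$status"
fi
```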

  1. January 17, 2021 at 5:46 pm

    Very cool, still waiting for my M1 Mac Mini. They lost the first one, ugggg

  2. Vince
    January 17, 2021 at 8:08 pm

    What are the implications for using network based authentication (such as Active Directory) for FileVault enabled users who have changed their password? Since macOS is booted, do we get some network connectivity at FV login?

    • loadbang
      January 18, 2021 at 5:08 pm

      Or have remote access from a clean reboot. Screen Sharing, Teamviewer, Connectwise Control, that sort of thing.

      • bradp
        April 9, 2021 at 7:03 pm

        I have the same question as it seems ARD no longer works for me when M1 Mini is sitting at the login window (such as after a power event.)

  3. January 21, 2021 at 7:23 am

    Does this work on Big Sur?
    sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES

  4. Sam
    January 21, 2021 at 4:50 pm

    I think I saw that you cannot get the username/password fields on Apple silicon with a config profile. You have to run:
    sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
    sudo diskutil ap updatePreboot /
