Description
The login prompts serve different purposes:
First Login - This is typically one of these:
FileVault unlock screen (pre-boot encryption)
Local macOS account authentication
Second Login - This is the Identity Provider (IdP) authentication (like Okta, Entra ID, etc.) which verifies your network credentials.
Note: This is actually a security feature, as it ensures both local device security and network identity verification.
For many enterprise environments, the default double-authentication is recommended for maximum security, especially for devices containing sensitive data.
Reducing Multiple Login Prompts
If you want to reduce the number of login prompts, there are several ways to address this depending on your security requirements:
Using the DenyLocal Setting
Setting DenyLocal to false in the Jamf Connect login settings allows Jamf Connect login to authenticate against the local account first and only check against your identity provider if a local account doesn't exist. This will make sure that after a reboot, after authenticating with FileVault, the Jamf Connect login window is not presented.
While this improves user experience, it slightly reduces security.
Configure Passthrough Authentication
This feature can help streamline the authentication process.
See Passthrough Authentication with Jamf Connect for the necessary keys for your Identity Provider.
Security Considerations
When deciding whether to modify these settings, consider:
If you disable the double authentication, you may lose the ability to immediately lock users out by changing their IdP account status.
FileVault authentication cannot be completely eliminated if you're using disk encryption (which is recommended for security).
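An added example (not Jamf's code) for the DenyLocal setting and the lockout consideration above: it reads login preference plists and groups Macs by DenyLocal state, so hosts where the IdP check is relaxed can be weighed against the data they hold. The hostnames and plist contents are constructed, and treating a non-boolean value as an error is this example's assumption.

```python
import plistlib

NOTES = {  # consequences as described in the article above
    "idp-enforced": "IdP check at the login window; second prompt after FileVault unlock",
    "local-first": "local account tried first; an IdP account change will not lock the user out immediately",
    "invalid": "DenyLocal is not a boolean; fix the profile before relying on it",
    "unset": "DenyLocal is not managed by this plist",
}

def audit_deny_local(plist_bytes):
    """Classify the DenyLocal key in a login preferences plist."""
    prefs = plistlib.loads(plist_bytes)
    if "DenyLocal" not in prefs:
        return "unset"
    value = prefs["DenyLocal"]
    if not isinstance(value, bool):  # e.g. <string>false</string> instead of <false/>
        return "invalid"
    return "idp-enforced" if value else "local-first"

def audit_fleet(fleet):
    """Group hostnames by DenyLocal state so relaxed hosts can be reviewed."""
    report = {}
    for host, raw in fleet.items():
        report.setdefault(audit_deny_local(raw), []).append(host)
    return {state: sorted(hosts) for state, hosts in report.items()}

def _plist(body):
    """Build a constructed sample plist around the given dict body."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<plist version="1.0"><dict>{body}</dict></plist>').encode()

# Constructed sample data: hostnames and settings are made up for illustration.
FLEET = {
    "mac-finance-01": _plist("<key>DenyLocal</key><true/>"),
    "mac-lab-07": _plist("<key>DenyLocal</key><false/>"),
    "mac-kiosk-03": _plist("<key>DenyLocal</key><string>false</string>"),
    "mac-new-12": _plist(""),
}

if __name__ == "__main__":
    for state, hosts in audit_fleet(FLEET).items():
        print(f"{state}: {', '.join(hosts)} -> {NOTES[state]}")
```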
More Resources
For more information on Jamf Connect login and FileVault, see FileVault Behavior with Jamf Connect.