
Why does Jamf Connect make users log in more than once?

Updated over 2 weeks ago

Description

The login prompts serve different purposes:

  1. First Login - This is typically one of these:

    1. FileVault unlock screen (pre-boot encryption)

    2. Local macOS account authentication

  2. Second Login - This is the Identity Provider (IdP) authentication (like Okta, Entra ID, etc.) which verifies your network credentials.

    • Note: This is actually a security feature, as it ensures both local device security and network identity verification.

For many enterprise environments, the default double-authentication is recommended for maximum security, especially for devices containing sensitive data.


Reducing Multiple Login Prompts

If you want to reduce the number of login prompts, there are several ways to address this depending on your security requirements:

  1. Using DenyLocal Setting

    • Setting DenyLocal to false in the Jamf Connect login settings lets the Jamf Connect login window authenticate against the local account first and check your identity provider only if a local account doesn't exist.

    • As a result, after a reboot the Jamf Connect login window is not presented once the user has authenticated with FileVault. While this improves user experience, it slightly reduces security.

  2. Configure Passthrough Authentication

Security Considerations

When deciding whether to modify these settings, consider:

  • If you disable the double authentication, you may lose the ability to immediately lock users out by changing their IdP account status.

  • FileVault authentication cannot be completely eliminated if you're using disk encryption (which is recommended for security).
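To see which deployed profiles carry the DenyLocal trade-off described above, the following added example (not Jamf's own code) parses a configuration profile and reports the setting. It assumes the login settings live in the `com.jamf.connect.login` preference domain, delivered either as a direct payload or as a custom-settings payload; the function names and the sample profile are constructed for illustration.

```python
import plistlib

LOGIN_DOMAIN = "com.jamf.connect.login"  # assumed Jamf Connect login domain

# Constructed sample profile, not taken from a real deployment.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.jamf.connect.login</string>
    <key>DenyLocal</key><false/>
  </dict></array>
</dict></plist>"""


def login_settings(profile_bytes):
    """Yield each settings dict in the profile that targets the login domain."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        # Form 1: the payload type is the login domain itself.
        if payload.get("PayloadType") == LOGIN_DOMAIN:
            yield payload
        # Form 2: custom settings nest the domain under PayloadContent/Forced.
        nested = payload.get("PayloadContent", {})
        if isinstance(nested, dict):
            for entry in nested.get(LOGIN_DOMAIN, {}).get("Forced", []):
                yield entry.get("mcx_preference_settings", {})


def audit_deny_local(profile_bytes):
    """Return one finding per login payload describing its DenyLocal posture."""
    findings = []
    for settings in login_settings(profile_bytes):
        value = settings.get("DenyLocal")
        if value is None:
            findings.append("DenyLocal not set: product default applies")
        elif value is False:
            findings.append(
                "DenyLocal=false: local account is checked first, so a change "
                "to IdP account status may not lock the user out immediately"
            )
        else:
            findings.append("DenyLocal=true: IdP authentication at login window")
    return findings


if __name__ == "__main__":
    for finding in audit_deny_local(SAMPLE_PROFILE):
        print(finding)
```
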

More Resources

For more information on Jamf Connect login and FileVault see FileVault Behavior with Jamf Connect.

