Platform SSO (Entra-ID) Problems with FileVault

We are currently preparing the rollout of Platform SSO (with Entra ID) for our Macs to replace AD binding altogether.


Our use case requires that every domain account be able to log in as a standard user on all regular devices. With 'EnableCreateUserAtLogin' in the new Platform SSO feature this is now finally possible. Even the problem with SecureTokens is now solved, as our MDM now handles Bootstrap Tokens.


We have deployed the profile to a small test group and if the device is already running everything works as expected.


But if we enable FileVault and reboot there are some problems:


  • New users cannot log in if FileVault is not already unlocked
  • Already known users cannot log in with their Entra ID credentials - they have to type their username without the '@' part of their UPN


(AccountName is mapped to the 'preferred_username' claim as per documentation)

Posted on Feb 11, 2025 2:30 AM

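An added pre-flight check for the first symptom above (example code, not from the original thread). At the FileVault pre-boot screen only accounts that `fdesetup list` reports as FileVault-enabled can unlock the disk, so an account created by Platform SSO at the login window is not usable there until someone else has unlocked the volume. The helper names are made up, the `fdesetup list` sample output is constructed, and the mapping of a UPN to the local short name (the part before '@') is an assumption taken from the workaround described in the post.

```shell
#!/bin/sh
# Added example: detect accounts that will fail at the FileVault pre-boot
# screen. Helper names are hypothetical; sample data below is constructed.

# Extract local short names from `fdesetup list` output ("name,UUID" lines).
fv_users_from_list() {
    # $1: text in the shape printed by `fdesetup list`
    printf '%s\n' "$1" | awk -F, 'NF >= 2 { print $1 }'
}

# Assumption: the pre-boot screen expects the local short name, i.e. the
# UPN with its '@domain' suffix removed (user@example.com -> user).
short_name_for() {
    printf '%s' "$1" | cut -d@ -f1
}

# Return 0 if the account can unlock FileVault, 1 otherwise.
# $1: account as typed at login (UPN or short name)
# $2: `fdesetup list` output to check against
can_unlock_fv() {
    name=$(short_name_for "$1")
    fv_users_from_list "$2" | grep -qx -- "$name"
}

# Constructed sample in the shape of `fdesetup list` output: two
# FileVault-enabled accounts, no account for a user created at login.
SAMPLE_FDESETUP_LIST='localadmin,5C0B9C4E-0000-4000-8000-000000000001
jdoe,5C0B9C4E-0000-4000-8000-000000000002'

# Report each given account. On macOS the live `fdesetup list` is used;
# anywhere else (or without root) it falls back to the constructed sample.
report() {
    listing=$(fdesetup list 2>/dev/null) || listing=$SAMPLE_FDESETUP_LIST
    for u in "$@"; do
        if can_unlock_fv "$u" "$listing"; then
            printf '%s: FileVault-enabled, pre-boot login as "%s"\n' \
                "$u" "$(short_name_for "$u")"
        else
            printf '%s: NOT FileVault-enabled, cannot log in until the disk is unlocked\n' "$u"
        fi
    done
}
```

Run it as `sh check.sh jdoe@example.com newuser@example.com` after appending `report "$@"` to the script; accounts flagged as not FileVault-enabled are the ones that will hit the first symptom after a reboot.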

Mar 30, 2025 10:41 AM in response to forest_

Sadly no, I tried looking into using another attribute via a custom claim - but Platform SSO is no dedicated app in Entra, so no luck with that either.


Using the user's full name to log in works, though - but that is more or less equally janky.


I've also seen only one other post somewhere buried down in Reddit about this issue - so is either using FileVault or using the create-user option uncommon / unusual? Or is everyone still reliant on AD binding, or paying for JAMF Connect?
