kc9wwh / FileVaultEnableAdminAccount

FileVault enable your organizational admin account...even on macOS 10.13!
MIT License

Can the jamfmanagement account be hidden from the pre-boot login screen? #3

Closed jelockwood closed 5 years ago

jelockwood commented 6 years ago

This script provides a means to add a secure token to the jamfmanagement account so that the jamfmanagement account can then successfully rotate the FileVault recovery key of Macs enrolled into the JSS.

This script does indeed successfully accomplish that.

However, a side-effect that could be expected is that the normally hidden jamfmanagement account becomes listed as a choice at the FileVault pre-boot login screen. Could the jamfmanagement account be re-hidden by perhaps using the

fdesetup remove user

command, or would this also remove the secure token for that account, i.e. the jamfmanagement account?

kc9wwh commented 5 years ago

Hey @jelockwood, sorry for the major delay on this. I did test this quickly, where I left a user with a SecureToken but removed them as FV enabled, and it did "hide" the account from the Preboot screen; however, this causes another issue, since in order to FV-enable a user, the "admin/granting" user needs to have both a SecureToken and be FV Enabled.

Unfortunately, I don't think this would be possible currently with macOS.
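The check kc9wwh describes, as an added example that is not code from the FileVaultEnableAdminAccount script or from either commenter: a small POSIX shell script that classifies an account by the two preconditions for a "granting" admin (a SecureToken and FileVault enablement), parsing the `username,UUID` lines of `fdesetup list` and the `Secure token is ENABLED for user <name>` line that `sysadminctl -secureTokenStatus <name>` logs. The sample command output is constructed, the UUIDs are made up, and the `--live` flag is this script's own convention; it assumes those two output formats and that the live commands run as root on macOS.

```shell
#!/bin/sh
# Added example, not code from the FileVaultEnableAdminAccount script: checks the two
# preconditions kc9wwh names for a "granting" admin account (a SecureToken AND
# FileVault enablement) by parsing `fdesetup list` and `sysadminctl -secureTokenStatus`.
# Parsing lives in functions so it can be exercised on constructed output offline.

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user.
# Succeeds if the user named in $1 appears in the list read from stdin (exact match,
# so "jamfmanagement2" does not count as "jamfmanagement").
fv_enabled_in_list() {
    awk -F, -v u="$1" '$1 == u { found = 1 } END { exit (found ? 0 : 1) }'
}

# `sysadminctl -secureTokenStatus <user>` logs a line ending in
# "Secure token is ENABLED for user <user>" (or DISABLED). Succeeds if ENABLED.
token_enabled_in_status() {
    grep -qE "Secure token is ENABLED for user $1( |\$)"
}

# classify_admin USER FDESETUP_LIST_OUTPUT SECURETOKEN_STATUS_OUTPUT
# Prints one word: ok | token-only | fv-only | neither
classify_admin() {
    user=$1
    fv=no; tok=no
    printf '%s\n' "$2" | fv_enabled_in_list "$user" && fv=yes
    printf '%s\n' "$3" | token_enabled_in_status "$user" && tok=yes
    case "$fv,$tok" in
        yes,yes) echo ok ;;
        no,yes)  echo token-only ;;   # state after `fdesetup remove -user`: hidden at preboot, cannot grant
        yes,no)  echo fv-only ;;
        *)       echo neither ;;
    esac
}

# Constructed sample output (not captured from a real Mac, UUIDs made up), in the
# formats the two commands use. The jamfmanagement line missing from the second list
# is what `fdesetup remove -user jamfmanagement` would take away.
SAMPLE_LIST_BEFORE='localadmin,3F2504E0-4F89-11D3-9A0C-0305E82C3301
jamfmanagement,9B2E3C7A-1234-4D6F-8E9A-0A1B2C3D4E5F
jamfmanagement2,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'
SAMPLE_LIST_AFTER='localadmin,3F2504E0-4F89-11D3-9A0C-0305E82C3301
jamfmanagement2,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'
SAMPLE_TOKEN='2019-01-15 09:12:44.120 sysadminctl[812:9031] Secure token is ENABLED for user jamfmanagement'

# Live check (macOS only; both commands need root). Skipped unless invoked as
# `sh check.sh --live [user]` on a machine that has fdesetup.
if [ "${1:-}" = "--live" ] && command -v fdesetup >/dev/null 2>&1; then
    user=${2:-jamfmanagement}
    list=$(fdesetup list)
    status=$(sysadminctl -secureTokenStatus "$user" 2>&1)   # sysadminctl logs to stderr
    classify_admin "$user" "$list" "$status"
fi
```

Against the constructed data, `classify_admin jamfmanagement "$SAMPLE_LIST_BEFORE" "$SAMPLE_TOKEN"` prints `ok`, and the same call with `$SAMPLE_LIST_AFTER` prints `token-only`: the account is no longer at the pre-boot screen, but it no longer satisfies the granting requirement either, which is the trade-off the comment above describes.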

jelockwood commented 5 years ago

Yes, I had since concluded that there was going to be no way to hide it from the FV login screen. The Jamf account needs a secure token to manage FV keys and, even if otherwise configured to be a hidden account, will show up. The pre-boot login screen, being a stripped-down 'OS', is too limited to do anything else.

I am closing this issue.