
FileVault’s Effect on the macOS Login Window

This article is intended to help you understand the relationship between FileVault and your Mac's login window and to show how Swif’s policies can be used to manage the login experience where possible.

When FileVault is enabled on your Mac, it changes how the login screen appears. Depending on your Mac’s hardware and macOS version, you may see either a list of user accounts or a generic username and password prompt. This article explains FileVault’s behavior, how you can verify the current settings, and how to use Swif’s Login Window policy to manage the login window configuration—while noting the limits imposed by FileVault.


Overview

FileVault provides full-disk encryption for your Mac, enhancing security by protecting your data. However, enabling FileVault also affects the login window appearance:

On Intel-based Macs (including T2-chip models):

The FileVault pre-boot environment typically displays a list of authorized users (with icons). After you unlock the disk, the regular login window settings are applied.

On Apple Silicon Macs (M*):

The FileVault unlock screen is designed to display a generic “Name and Password” prompt. On Apple Silicon (macOS 11.2 and later), FileVault works differently: instead of a list of provisioned users, you see only the name and password text fields. This is a deliberate security measure, and this pre-boot authentication screen is controlled by FileVault and cannot be overridden by configuration settings or policies.


FileVault unlock vs macOS login distinction

When FileVault is enabled, users may encounter two separate authentication stages:

  1. At power up, FileVault-enabled Macs boot into the FileVault partition, not macOS - the FileVault Unlock Screen is displayed.

  2. User-entered credentials are compared with credentials in the Secure Enclave. On a match, the boot drive is decrypted, and booting into macOS proceeds.

  3. When the Mac is booted, the Login Window is displayed.

More details about the two separate authentication stages:

  1. FileVault Pre-boot Unlock

    • Unlocks the encrypted startup disk

    • Only FileVault-authorized users appear at this stage

    • One indication that you are at the FileVault unlock screen is a progress bar that appears after you enter your password. This progress bar shows the status of decrypting the system volume.

  2. macOS User Login

    • Standard macOS account authentication after the system boots

Depending on system configuration, users may see:

  • Only the FileVault unlock screen

  • Only the macOS login window

  • Or both screens sequentially


Why Users May Not Appear at the FileVault Login Screen

Only users authorized for FileVault can unlock the encrypted disk during startup.

A user may not appear if:

  • The account has not been granted FileVault access

  • The account does not have a Secure Token

  • The user was created after FileVault was enabled

  • The account is managed through an external identity provider without local authorization
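
One way to check the first two causes above on a given Mac, as an added example that is not part of the original article: it compares local accounts with the output of `fdesetup list` (which prints one `shortname,UUID` line per FileVault-enabled user) and shows the Secure Token state of each account that is missing. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Names and sample data are constructed.

# Constructed sample of `fdesetup list` output: one "shortname,UUID" per line.
SAMPLE_FDE_LIST='alice,11111111-2222-3333-4444-555555555555
bob,66666666-7777-8888-9999-000000000000'

# fv_users FDESETUP_LIST_OUTPUT: print the short names of FileVault-enabled users.
fv_users() {
  printf '%s\n' "$1" | cut -d, -f1 | sed '/^$/d'
}

# missing_fv_users "USER1 USER2 ..." FDESETUP_LIST_OUTPUT
# Print each local user that is not FileVault-enabled and so cannot
# unlock the disk at the pre-boot screen.
missing_fv_users() {
  enabled=$(fv_users "$2")
  for u in $1; do
    printf '%s\n' "$enabled" | grep -qxF -- "$u" || echo "$u"
  done
}

# report_this_mac: run as root on macOS. Lists regular local accounts
# (UID >= 501) and shows the Secure Token state of each one that is missing.
report_this_mac() {
  locals=$(dscl . -list /Users UniqueID | awk '$2 >= 501 { print $1 }')
  for m in $(missing_fv_users "$locals" "$(fdesetup list)"); do
    # sysadminctl writes its status line to stderr, hence 2>&1.
    echo "$m: not FileVault-enabled. $(sysadminctl -secureTokenStatus "$m" 2>&1)"
  done
}

if [ "$(uname -s)" = Darwin ]; then report_this_mac; fi
```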


How FileVault Influences the Login Screen

Intel-Based Macs

  • Pre-Boot Login:
    At startup, these Macs display a list of FileVault-enabled user accounts. Once the disk is unlocked, the login window may switch to the mode configured in System Preferences or via management policies.

  • Post-Unlock Behavior:
    After unlocking, you may see the login window as configured by your local settings or by policies—either showing a list of users or a name and password field.

Apple Silicon Macs

  • Unified Boot Process:
    Apple Silicon devices boot fully into macOS before prompting for FileVault credentials. The pre-boot FileVault unlock screen defaults to a generic username and password prompt.

  • Security by Design:
    This mode is intentionally enforced for security. Even if you configure local settings or deploy policies with Swif, the pre-boot authentication interface will continue to show the generic prompt. After unlocking, any subsequent login window (such as when logging out or switching users) may honor your configured settings.


How to Verify if FileVault Is Influencing Your Login Window

1. Check FileVault Status

Open Terminal and run:

    fdesetup status

  • Output “FileVault is On” confirms that your disk is encrypted and that the FileVault pre-boot environment is active.

2. Verify the Login Window Setting

To check the current login window mode, run:

    sudo defaults read /Library/Managed\ Preferences/com.apple.loginwindow SHOWFULLNAME

  • A result of 0 (or false) means the system is set to display a list of users.

  • A result of 1 (or true) indicates that the system is set to show name and password fields.

Note: On Apple Silicon Macs, even if this setting is configured to display a list of users, the FileVault pre-boot unlock screen will continue to use the generic prompt.

3. Review Managed Profiles

If your Mac is managed, configuration profiles may override local settings. To list active profiles, run:

    sudo profiles show

Review the output for any profiles related to the login window.
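
The checks above can be combined into one script that also predicts which screens to expect, using the rules from the Summary table in this article. This is an added example, not Swif's own tooling; the function names are hypothetical, and the two Swif policy values (automatic-login blocking and Root login) are passed as arguments because the article gives no local key to read them from.

```shell
#!/bin/sh
# Added example (not Swif tooling). Function names are hypothetical.

# Map `fdesetup status` output to ON/OFF.
parse_fv() {
  case "$1" in
    *"FileVault is On"*) echo ON ;;
    *) echo OFF ;;
  esac
}

# Map `defaults read` output (1/0/true/false, empty if unset) to TRUE/FALSE.
norm_bool() {
  case "$1" in
    1|true|TRUE|YES) echo TRUE ;;
    *) echo FALSE ;;
  esac
}

# expected_screens CHIP FV NOAUTOLOGIN SHOWFULLNAME ROOTLOGIN
# CHIP is `uname -m` output: arm64 = Apple Silicon, anything else = Intel.
# Prints "<pre-boot>;<login window>" as list | prompt | skipped | n/a,
# following the rows of the article's Summary table.
expected_screens() {
  chip=$1; fv=$2; noauto=$3; full=$4; root=$5
  if [ "$full" = TRUE ]; then ui=prompt; else ui=list; fi
  if [ "$fv" = OFF ]; then
    echo "n/a;$ui"
  elif [ "$chip" = arm64 ]; then
    # Apple Silicon shows a user list only with prompt=FALSE and Root login=TRUE.
    if [ "$full" = FALSE ] && [ "$root" = TRUE ]; then echo "list;list"
    else echo "prompt;prompt"; fi
  elif [ "$noauto" = TRUE ]; then
    echo "$ui;$ui"          # Intel, automatic login blocked: both screens shown
  else
    echo "$ui;skipped"      # Intel, automatic login allowed: login window skipped
  fi
}

# audit_this_mac NOAUTOLOGIN ROOTLOGIN: gather live values on macOS (run with sudo).
audit_this_mac() {
  fv=$(parse_fv "$(fdesetup status)")
  plist='/Library/Managed Preferences/com.apple.loginwindow'
  full=$(norm_bool "$(defaults read "$plist" SHOWFULLNAME 2>/dev/null)")
  expected_screens "$(uname -m)" "$fv" "$1" "$full" "$2"
}

# Example: the Swif policy has both values set to FALSE.
if [ "$(uname -s)" = Darwin ]; then audit_this_mac FALSE FALSE; fi
```

Run it from a native shell: under a Rosetta-translated shell, `uname -m` reports x86_64 even on Apple Silicon.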


Configuring the Login Window via Swif’s Login Window Policy

Instead of manually applying changes with Terminal commands, you can use Swif’s Login Window policy to centrally manage this setting across your devices. In the Swif admin portal, you’ll find the following option in the Login Window policy:

Apple Login Window Policy Option:

  • Disable automatic login if FileVault is enabled (macOS 10.9+)

    Blocks automatic login when FileVault disk encryption is turned on.

    Values:

    • false – Automatic login and no separate login window after enabling FileVault. (Note, it doesn't work on an M* chip MacBook.)

    • true – Disables the automatic login option when using FileVault. In other words, if this is set to true and FileVault is enabled on the device, the user will first be presented with the username/password screen after a reboot to unlock FileVault. After FileVault is unlocked, the system will once again require a separate user login.

    • Default: false

    • Important: This value must be set to TRUE if you are using the Platform SSO policy on the same device.

  • Login window prompt configuration

    Configure the system to prompt for both username and password at the login window, rather than displaying a user list.

    Values:

    • false – Show a user list

      • Note: on an M* chip MacBook with FileVault on, the pre-boot and login screens always use a generic username and password prompt for enhanced security. Only when Root login (local and remote) is set to TRUE do the pre-boot and login screens show a list of FileVault-enabled users.

    • true – Require username and password entry

    • Default: false

Setting Login window prompt configuration to FALSE and Root login (local and remote) to TRUE will configure your Mac (where allowed) to display a list of users at both the FileVault pre-boot screen and the login window.


Summary

| Chip | FileVault | Disable automatic login if FileVault is enabled | Login window prompt configuration | Root login (local and remote) | Effect on FileVault unlock (pre-boot) window | Effect on Login Window |
|---|---|---|---|---|---|---|
| Intel chip | ON | FALSE | FALSE | Any | Showing a list of FileVault-enabled users | Login window is skipped |
| Intel chip | ON | FALSE | TRUE | Any | Showing user name and password inputs | Login window is skipped |
| Intel chip | ON | TRUE | FALSE | Any | Showing a list of FileVault-enabled users | Login window is showing a list of users |
| Intel chip | ON | TRUE | TRUE | Any | Showing user name and password inputs | Login window is showing user name and password inputs |
| Intel chip | OFF | Any | FALSE | Any | n/a | Login window is showing a list of users |
| Intel chip | OFF | Any | TRUE | Any | n/a | Login window is showing user name and password inputs |
| M* chip | ON | Any | FALSE | TRUE | Showing a list of FileVault-enabled users | Login window is showing a list of FileVault-enabled users |
| M* chip | ON | Any | FALSE | FALSE | Showing user name and password inputs | Login window is showing user name and password inputs |
| M* chip | ON | Any | TRUE | Any | Showing user name and password inputs | Login window is showing user name and password inputs |
| M* chip | OFF | Any | FALSE | Any | n/a | Login window is showing a list of users |
| M* chip | OFF | Any | TRUE | Any | n/a | Login window is showing user name and password inputs |

FileVault’s Impact

  • Intel Macs (x86): The pre-boot screen shows a list of FileVault-enabled users, with post-unlock behavior determined by your automatic login settings.

  • Apple Silicon Macs (M*): The pre-boot and login screens always use a generic username and password prompt for enhanced security. When setting Root login (local and remote) to TRUE, the pre-boot and login screens show a list of FileVault-enabled users.

Verification

  • Use Terminal commands to check the FileVault status and the effective SHOWFULLNAME setting.

  • Review any active configuration profiles that may influence the login window.

Using Swif’s Login Window Policy

  • Instead of manually setting configurations with Terminal commands, use the Swif admin portal to deploy the Login Window policy.

  • Note that this policy applies where system settings allow it; FileVault’s pre-boot behavior on Apple Silicon remains unchanged.

If you need further assistance or have additional questions about FileVault or login window configurations, please contact our support team at help@swif.ai.

FileVault and Platform SSO

FileVault authentication occurs before macOS fully loads.

Because of this:

  • Platform SSO providers cannot authenticate users at the FileVault preboot screen

  • A local macOS account is still required to unlock the encrypted disk

  • After the disk is unlocked, Platform SSO may handle the standard macOS login flow

This behavior is controlled by macOS and applies to all MDM platforms.

