As new Apple Silicon Macs (ASMs) have begun making their way to organizations which use FileVault encryption to secure their fleets, a difference between Intel Macs and ASMs has become apparent.
Intel Macs:
- Support account icons and password fields at the FileVault login screen
- Unable to support username fields at the FileVault login screen
- Unable to support smart cards for login at the FileVault login screen
ASMs:
- Support account icons and password fields at the FileVault login screen
- Support username and password fields at the FileVault login screen
- Support smart cards for login at the FileVault login screen
Why the differences between platforms? For more details, please see below the jump.
Intel Macs
On Intel Macs, Apple depends on the EFI login environment for the FileVault 2 login screen. This is a very limited environment in terms of functionality, and in the FileVault 2 context it is used to provide a way to boot the Mac while the main boot volume is still locked by FileVault's encryption. Once EFI has booted the Mac, the Mac uses the credentials supplied by the user, together with the tools stored on the unencrypted Preboot volume, to unlock the much larger encrypted boot volume.
EFI's limitations mean that only a password field is truly supported; Apple has pushed those limits as far as correctly matching multiple account icons with their corresponding account passwords.
Apple Silicon Macs
On ASMs, there is now a unified macOS login experience which includes FileVault logins. For details on this, I recommend checking out the Explore the new system architecture of Apple Silicon Macs session video from WWDC 2020. The explanation is available starting around 20:14.
On Apple Silicon Macs, macOS has a unified log-in experience. It supports a richer UI with accelerated graphics that is also consistent with macOS look and feel. This experience is made possible by fully booting macOS without requiring the user to unlock the system.
The unified log-in experience allows the introduction of new features even when FileVault is on. For example, it now has built-in support for authentication with CCID and PIV-compatible smart cards, as well as VoiceOver support for accessibility improvements.
In summary, the reason the FileVault login screen is different on ASMs is that Apple no longer needs to use the EFI login environment. Instead, ASMs are able to fully boot macOS while still keeping user data secured within a locked volume protected by FileVault.
This is a huge leap forward for ASMs in terms of FileVault login functionality, as there is no longer a divide in login functionality between enabling FileVault and not enabling FileVault. As of macOS Big Sur and the M1 ASMs, FileVault logins should now be able to use whichever authentication methods are supported by macOS. More importantly for the future, as native support for new authentication methods is added to the OS, FileVault logins should be able to use them natively as well.