The past year has seen a significant change in things throughout the world. It has been almost a year since the entire world was turned upside down with Covid-19. One of the biggest changes that has been made is that many more users are working from home. This has included many people, like myself, taking their work laptops home in order to be able to work.
Quite often laptops are connected to a directory service, like Microsoft’s Active Directory or the Lightweight Directory Access Protocol (LDAP). For many, when new devices are set up and configured, they are connected to Active Directory or LDAP. macOS can connect to an Active Directory domain. If you are physically in an office, then it is not a problem; it will always be connected. However, issues can arise when a device is connected remotely. I have run into an issue with my setup. It was originally configured while at the office, and it was connected to Active Directory. This has not been much of a problem, except for an issue that has only turned up since I have upgraded to macOS Big Sur. Before we get to the problem that I am experiencing, let me discuss the setup.
As mentioned, my work laptop is connected to an Active Directory domain. I connect to work by using a Virtual Private Network, or VPN. Once I am connected I have full access as if I was in the office. The VPN setup we use requires its own client software, and I cannot connect using the native macOS VPN connection.
When the MacBook Pro was set up, it was configured to use a Mobile Account. This means that the network credentials can be used to log in, and the cached credentials can be used when connecting to resources without needing to enter the same credentials time and again. This configuration also allows me to use Touch ID on the MacBook Pro.
Along with being configured for a mobile account and Active Directory, there are also two local administrator accounts, as a precaution. One that I know the password to off the top of my head, and the other I would have to look up, but can look up if absolutely necessary.
When working from home, I typically use my 27-inch iMac for most of my work, and my MacBook Pro is used for work-specific applications, like chat, email, and video conferencing. I have all of my favorite development tools on my iMac, so I prefer to use that, along with its larger screen.
I have a Mac mini that sits at the office, which does not have the same issue, probably because it is always connected to the Active Directory domain. I am typically connected to the Mac mini when I am working, by using Screen Sharing. Now that we have discussed the setup, let us get to the actual problem.
With each security update to macOS Big Sur I have run into an issue after upgrading. When the update finishes and the login screen shows, I attempt to log in to my account. But I get the following error: “This account has been locked. Please try again in 15 minutes”. This is on the first login attempt after upgrading.
The first time I got this, with the upgrade to macOS Big Sur 11.1, I was baffled, but after 15 minutes I was able to log in. I noticed it, but was not too concerned. I experienced the same thing again when upgrading to macOS Big Sur 11.2. Again, it indicated my account was locked out for 15 minutes.
I recently upgraded to 11.2.1, and again the same issue occurred, albeit with a slight twist, and it was much worse. Instead of being 15 minutes, it was 30 minutes. As was the case in the past, I waited the necessary amount of time and attempted to log in. Unlike the prior instances, my account would not log in. After trying a couple more times, it indicated that my account was locked for an hour. Again, I waited the hour, attempted to log in, but could not. I was able to find a workaround.
Since I could not log in with my mobile account, I logged into one of the local administrator accounts, to verify that I could still log in, and I could. I then connected to the office using the VPN. This was so that I could verify that it was an issue specific to the MacBook Pro and not my Active Directory account. The fact that I could log in means that it was not an issue with my Active Directory account, and this verified that the issue was definitely restricted to my MacBook Pro.
Since I was able to log in using the local admin account, I then tried connecting my MacBook Pro to a hotspot to be able to try and connect via the VPN to be able to access resources. Unfortunately, this did not work. The routing just was not set up properly, and since the hotspot I was using was my iPhone, it would be quite difficult to set up a proxy and have everything work as expected.
On a whim, I tried to connect from my iMac to the MacBook Pro, using Screen Sharing, while I was logged into my local admin account. However, instead of using my local admin credentials to connect, I tried to use the mobile account credentials. Shockingly, they worked. It should be noted that the login window still indicated that my account was locked.
Now, if you have used Screen Sharing before, once you have validated your credentials, whether they are local or, in my case, a mobile account, you are given two options. You can either “Share the Display” or “Login as yourself”. I opted to log in as myself, in this case the mobile account. Again, shockingly, this actually worked. I was logged in again to my Mobile Account, which is great. When I logged in, this disconnected the VPN connection on my local admin account.
At this point, I knew I was logged in, and that the account was working. I then logged into the MacBook Pro locally, and it was logged in. In order to verify that I would be able to log in again, I closed the lid so that the laptop would sleep. I re-opened the lid, and guess what I saw: “This account is locked for 28 minutes”. Again, I waited 30 minutes, to give it a bit of extra time, and I was able to log in without any issues. I repeated closing the lid, opening, and re-logging in two more times just to be sure. As of right now, it is working as expected. Even though I did find a workaround, it is not something I would expect a normal user to be able to, nor have to, do in order to access their account. After mulling over the issue, I have a notion as to what is happening.
What I think is happening
I think I have an idea as to what is happening. I think when macOS is performing its updates, it is logging back into the same user account that was logged in when the update was started, in my case my mobile account. When this login happens, I think one of the following situations is occurring.
The first possibility is that it is logging in and not waiting long enough to validate the credentials. The second possibility is that it is logging in with incorrect credentials and locking the account. The third possibility is that the credentials cannot be validated with the Active Directory server after a reboot, because it is not connected via the VPN, so it is locking the account due to trying to connect, but not being able to do so.
The fourth possibility is that macOS is just messing up and falsely indicating that the account is locked, when in fact it is not. In particular, the Login Window process thinks the account is locked and will not allow it to log in. I suspect this may be a possibility because I was able to successfully log in using Screen Sharing, which should not have been possible if the account was truly locked. Do not get me wrong, I am glad that I was able to log in with Screen Sharing so that I could actually log in properly.
If the mobile account was indeed locked and I was still able to log in via Screen Sharing, then this would be a significant security issue. However, there may be an explanation for this. When I connected with my mobile account via Screen Sharing, I was connected to my office via the VPN using my local administrator account. Since the VPN was active, I think that it may have been able to authenticate with the Active Directory domain, which may have allowed me to log in. Although, if the account was locked, it should not have allowed me to log in.
I do not have a definite solution. However, the next time there is an update I may try logging out of the mobile account and using the local administrator account instead, and then see if the mobile account is locked out again.
I am thinking that the root cause is the fact that it cannot connect to the Active Directory server. I think this because I do not have any issues with the Mac mini when performing updates. The only difference is that the Mac mini is connected all of the time, whereas the MacBook Pro requires the VPN to connect to the Active Directory server.
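The reasoning above hinges on three facts that a local admin account can establish before the 15-minute timer expires: is the Mac bound to a domain, is the affected user a cached mobile account (as described in the setup), and can the domain controller be reached at all without the VPN. The script below is an added example, not from the original post; it parses the text that `dsconfigad -show` and `dscl . -read /Users/NAME AuthenticationAuthority` print (the sample outputs are constructed, and `corp.example.com`, the user name and the GUID are placeholders) and turns the answers into a suggested next check. The `--live` mode, which runs the real commands, assumes the usual macOS output format and is only exercised on a Mac.

```shell
#!/bin/sh
# Added example (not the post's own code): classify a macOS AD / mobile-account
# setup from the output of the built-in directory tools, so that "is the
# account really locked, or does the login window just think so?" can be
# narrowed down from a local admin login. Sample text below is constructed.

# ad_bound_domain OUTPUT: print the bound domain from `dsconfigad -show`
# output; prints nothing when the Mac is not bound to Active Directory.
ad_bound_domain() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*= *//p'
}

# mobile_account_enabled OUTPUT: succeed (0) when `dsconfigad -show` reports
# that mobile accounts are created at login, fail (1) otherwise.
mobile_account_enabled() {
    printf '%s\n' "$1" | grep -q 'Create mobile account at login[[:space:]]*= *Enabled'
}

# account_kind AUTHAUTH: classify a user from its AuthenticationAuthority
# attribute. A mobile account carries a ";LocalCachedUser;" entry; a plain
# local account only has a ";ShadowHash;" entry; a network-only account is
# not in the local node at all, so `dscl .` prints nothing for it.
account_kind() {
    case "$1" in
        *';LocalCachedUser;'*) echo mobile ;;
        *';ShadowHash;'*)      echo local ;;
        '')                    echo network ;;
        *)                     echo unknown ;;
    esac
}

# dc_reachable HOST [PORT]: yes/no for a TCP connect to the domain (the AD
# domain name itself resolves to domain controllers). Live check, LDAP port
# 389 by default; not used by the offline samples.
dc_reachable() {
    if nc -z -w 3 "$1" "${2:-389}" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# next_step DOMAIN KIND REACHABLE: the check that follows from the three
# facts, mirroring the post's reasoning that a cached account which cannot
# reach its domain controller after a reboot is the prime suspect.
next_step() {
    domain=$1; kind=$2; reachable=$3
    if [ -z "$domain" ]; then
        echo "not bound to AD: the lockout is purely local, inspect local password policy"
    elif [ "$kind" != mobile ]; then
        echo "no cached account: login needs the domain controller, connect the VPN first"
    elif [ "$reachable" = no ]; then
        echo "mobile account, DC unreachable: login is served from the cache, so the lockout state shown is local; compare with a VPN-connected login"
    else
        echo "mobile account, DC reachable: check the lockout counter on the domain side"
    fi
}

# Constructed samples (placeholder domain, user and GUID) in the layout the
# two tools print.
SAMPLE_DSCONFIGAD='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mbp-0001$

Advanced Options - User Experience
  Create mobile account at login   = Enabled
  Require confirmation             = Disabled'

SAMPLE_AUTHAUTH_MOBILE='AuthenticationAuthority: ;Kerberosv5;;jdoe@CORP.EXAMPLE.COM;CORP.EXAMPLE.COM; ;LocalCachedUser;/Active Directory/CORP/All Domains:jdoe:00000000-0000-0000-0000-000000000000 ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

SAMPLE_AUTHAUTH_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken;'

# Live mode on a Mac: `sh check_ad_lockout.sh --live [username]`
if [ "${1:-}" = "--live" ] && [ "$(uname)" = Darwin ]; then
    domain=$(ad_bound_domain "$(dsconfigad -show 2>/dev/null)")
    kind=$(account_kind "$(dscl . -read "/Users/${2:-$USER}" AuthenticationAuthority 2>/dev/null)")
    reach=no
    [ -n "$domain" ] && reach=$(dc_reachable "$domain" 389)
    echo "domain=${domain:-none} account=$kind dc_reachable=$reach"
    next_step "$domain" "$kind" "$reach"
else
    echo "offline sample: $(next_step "$(ad_bound_domain "$SAMPLE_DSCONFIGAD")" "$(account_kind "$SAMPLE_AUTHAUTH_MOBILE")" no)"
fi
```

Run it from the local administrator account while the mobile account is reported locked; if it classifies the user as `mobile` with the domain controller unreachable, the lockout message is being produced locally from the cache, which is the case the post suspects. A matching run with the VPN up shows whether the domain side agrees.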
I am glad that I was able to find a way around the issue. However, I still suspect that the root cause is macOS Big Sur. There have been numerous other reports of this happening. Some are on JAMF, while there are other reports on the Apple Discussion forums, here, here, and here. It does appear as though all of the accounts are Active Directory accounts.
I hope that logging out of the mobile account and using the local admin account will fix the issue, but I will not be able to know for sure until I update to macOS 11.3, or 11.2.2. macOS 11.3 is currently in beta, and will likely be out sometime this spring. Regardless of this being a workaround, Apple needs to figure out how to work around this issue, particularly given that there will be an increasing number of people who are, and will continue to be, working from home.