Today’s post-El Capitan update bug is a ghostly Guest User account that appears only on restarting a El Capitan Mac with FileVault 2 enabled and Guest User disabled in System Preferences:Users and Find My Mac enabled. The configuration for this pre-decryption login is running out of the UEFI EFI system partition. The one thing this Guest User can do is run Safari; the primary partition remains encrypted. There are no Parental Control options (that’s a problem).
I’ve read claims that this a feature. Some misguided Apple engineer thought it would be a good idea — a kind of Honey Pot that would tempt a thief to go online and thus trigger Find My Mac.[1] It becomes a problem with kids who have issues with internet abuse; they get an open browser.
My own suspicion is that this is a partly-implemented undocumented “feature” that is buggy because it was never tested. Maybe it was partly pulled from the release. Not only does it appear unpredictably it has other associated problems. If you enable the Guest account in System Preferences there’s sometimes an option to enable Parental Controls and sometimes not. Even when there is an option to enable Parental Controls it doesn’t actually work. I’m also unable to get a true Guest account to work — even when I don’t see the “safari only” warning in system preferences the Guest Account never decrypts the primary partition.
There may be more than one bug involved — perhaps something related to failure of new computer / upgrade to notify EFI infrastructure of a preference change. I suspect it’s the worst kind of bug — an undocumented feature that was partly pulled from a release and lurks in code.
It’s not new to El Capitan, it’s been happening intermittently since Lion. It may be more frequent in El Capitan. I updated two FileVault 2 machines from Yosemite to El Capitan and only one has the ghost account.
I reviewed 3 options on apple.stackexchange.com [2] dating as far back as Lion with updates for 10.11.
- lion - Guest login got enabled even though FileVault 2 is enabled and Guest login is disabled - Ask Different (First asked with Lion)
- OS X - How to disable the Guest account on OS X El Capitan - Ask Different (El Capitan version)
- lion - Guest login got enabled even though FileVault 2 is enabled and Guest login is disabled - Ask Different
[1] This has been seen as far back as Lion and there’s a good description in this Yosemite article in FileVault 2.
Ten Things You Might Not Know About FileVault 2 | Der Flounder - Dec 2014 ( - Yosemite)
One unusual feature of FileVault 2 is that sometimes a Guest User icon will appear at the pre-boot login screen.
Figure_4-Guest_account_appearing_at_the_FileVault_2_pre-boot_login_screen
When you log in as that guest user, you don’t get access to your hard drive. The only thing you get access to is Safari and a network connection. Quitting out of Safari will return you to the FileVault 2 pre-boot login screen.
Figure_5-Guest_account_restarting_to_Safari-only_mode
Figure_6-Guest_accounts_Safari-only_access
To my knowledge, Apple has never commented specifically about this guest user but it appears the guest user is an anti-theft measure. The guest user’s appearance at the pre-boot login screen is a feature tied to signing into iCloud and enabling the Find My Mac option.
Figure_7-Enabling_the_Find_My_Mac_option_in_System_Preferences_iCloud_preference_pane
One consequence of logging into the guest user is that, as soon as the Mac gets a network connection, it will immediately connect back to Apple and report its location information.
Figure_8-Computers_location_displayed_on_iClouds_Find_My_iPhone_website
If you don’t sign in with iCloud and then enable Find My Mac from that machine, the Guest User icon will not appear on the FileVault pre-boot login screen. That said, mobile device management solutions that track a machine’s location may also trigger the Guest User icon to appear.
[2] Apple has killed Apple Discussions with their latest update.
[3] Despite waiting a long time to do my El Capitan upgrade I ran into an unexpected behavior with an updated installer that wasn’t actually updated. So my main machine went to 10.11.2. I wonder if I’d actually gone to 10.11.5 if this problem would have shown up. It seems to be related to a bug with EFI partition updates.