While they all look similar, macOS has three separate screens that allow you to log in and start a new user session, decrypt the system volume at startup, or unlock an existing user session.
The screen used to sign in to a computer account will be familiar to any Mac user. But on closer inspection, you might have noticed that there are actually three similar yet slightly different screens that can ask for your computer password. Those three screens are the login window, the FileVault unlock screen and the lock screen.
- The login window is used to start a new user session or to re-enter an existing user session that is running in the background. This is the screen you see when the computer starts up. It can have user icons or a name and password form.
- When the system volume is encrypted, the FileVault unlock screen appears at startup or after waking up from standby or safe sleep. It will always have icons for the users who are enabled to decrypt the volume.
- The lock screen shows up when the computer has locked the computer after waking up from sleep, when the screen saver has locked the screen, or if some other event has triggered a lock. This screen will prompt for the password of the active user.
The login window is the screen that greets you after the system has finished the startup process that prepares the computer for use. This window consists of a list of user icons.
It is possible to configure login options in the Users & Groups preference to show only name and password instead.
This option will remove the icons from the login window, and you will instead just see a form with fields for the account name and password.
If you later return to the login window and there are user sessions already open in the background, those users will have a check indicator next to the account name.
If you have set the login options to show only a name and password field, there will be no visual indication that there are already open user sessions running in the background.
FileVault Unlock Screen
If you have enabled encryption on your computer with FileVault, the Mac will not be able to read the encrypted system volume until the encryption key is unlocked by a FileVault-enabled user. The computer will actually startup to a hidden pre-boot volume that shows a FileVault unlock window that looks just like the login window with icons for the enabled users (even if you selected name and password to be shown at the login window).
One indication that you are at the FileVault unlock screen is a progress bar that appears after you enter your password. This progress bar shows the status of decrypting the system volume.
When you successfully present credentials to decrypt the system volume, the computer will use the provided account credentials to log in instead of showing you the login window again.
Generally, all users on the computer will be enabled to decrypt FileVault. But it is possible that accounts created before FileVault was turned on, or users created through automation tools like MDM, may not be enabled to do so. In that case, you will only see the enabled users at the FileVault unlock screen.
After you log in with the enabled account and the computer is unlocked, you can then switch to another user account by selecting Login Window from the Fast User Switching menu.
After logging in with an enabled account, you may also choose to log out from the Apple menu.
In the FileVault tab of the Security & Privacy preference, you will see a warning that some users are not enabled for FileVault.
Clicking the Enable Users button will enable the remaining users to unlock FileVault.