
Smart Group and Advanced Search Criteria for FileVault

Overview

You can create smart computer groups and advanced computer searches using criteria for FileVault. This article explains those criteria and associated values, and provides an example of how the criteria can be used.

Requirements

For macOS requirements, see the Jamf Pro System Requirements section in the Jamf Pro Administrator's Guide.

FileVault Criteria

The table below lists each criterion (Smart Group or Advanced Search Criteria), the values it accepts (Values), and a usage example (Usage Example).

Disk Encryption Configuration

The FileVault disk encryption configurations in Jamf Pro.

Values: Enter the name of a disk encryption configuration in Jamf Pro, or click Browse to choose from a list.

Example:
Report on every computer in Site A that is not using the institutional recovery key that all Site A computers should be using. (For purposes of this example, the disk encryption configuration for Site A is named “Site A Institutional”.)

The criterion for this example is:

Disk Encryption Configuration is not Site A Institutional

FileVault 2 Eligibility

The computer’s eligibility for FileVault encryption.

A computer is either eligible, or ineligible for one of three reasons. These ineligible reasons are available as values you can choose to use with this criterion.

Note: For all values other than “Eligible”, the search returns the first ineligible reason found, based on this order of priority:
1. No Recovery Partition
2. Recovery Partition Unusable Format
3. Unsupported OS Version
4. Legacy

Values:

Eligible

Legacy FileVault Encrypted

No Recovery Partition

Recovery Partition Unusable Format (recovery partition is in the HFS disk format)

Unknown (inventory has not been updated since the last Jamf Pro server upgrade, or eligibility could not be assessed due to an error)

Unsupported OS Version

Example:
Report on computers that are not eligible to be FileVault encrypted.

The criterion for this example is:

FileVault 2 Eligibility is not Eligible

FileVault 2 Individual Key Validation

Based on whether the individual recovery key on a computer matches the individual recovery key stored for that computer in the Jamf Pro server.

Values:

Invalid (does not match)

Unknown (macOS 10.8 or earlier, no recovery key in the Jamf Pro server to validate against, or inventory has not been updated since the last Jamf Pro server upgrade)

Valid (recovery key matches)

Example:
Report on computers that have been encrypted by the user with an individual recovery key, but the key has not been sent back to the Jamf Pro server or does not match the key stored in the Jamf Pro server.

The criteria for this example are:

FileVault 2 Partition Encryption State is Encrypted
-- and --
FileVault 2 Individual Key Validation is Unknown
-- or --
FileVault 2 Individual Key Validation is Invalid
-- and --
Operating System like 10.9

FileVault 2 Institutional Key

Based on whether an institutional recovery key exists on a computer.

Values:

Not Present

Present

Example:
Report on computers from which the institutional recovery key has been removed.

The criteria for this example are:

FileVault 2 Institutional Key is Not Present
-- and --
Operating System like 10.9

FileVault 2 Partition Encryption State

The encryption state of the partition.

Note: This criterion can be used with the “Partition Name” criterion to report on the encryption state of a specific partition you specify by name.

Values:

Decrypted

Decrypting

Encrypted

Encrypting

Ineligible

Not Encrypted

Unknown (inventory has not been updated since the last Jamf Pro server upgrade, or the encryption status could not be detected due to an error)

Example:
Report on all secondary partitions that are encrypting. (For purposes of this example, the secondary partition is named “MacHD2”.)

The criteria for this example are:

Partition Name has MacHD2
-- and --
FileVault 2 Partition Encryption State is Encrypting

FileVault 2 Recovery Key Type

The recovery key type that is reported in inventory for a computer.

Values:

Individual and Institutional

Only Individual

Only Institutional

Example:
Report on computers that are encrypted with only an individual recovery key.

The criterion for this example is:

FileVault 2 Recovery Key Type is Only Individual

FileVault 2 Status

The partitions that are FileVault 2 encrypted.

Values:

All Partitions Encrypted

Boot Partitions Encrypted

N/A (no partitions are detected on the computer, which is most likely due to an error)

No Partitions Encrypted

Example:
Report on all computers with FileVault 2-encrypted drives.

The criterion for this example is:

FileVault 2 Status is Boot Partitions Encrypted

FileVault 2 User

Whether the specified user is a FileVault-enabled user.

Values: Enter a username or click Browse to choose from a list of FileVault 2-enabled users.

Example:
Report on computers on which John Smith is a FileVault-enabled user.

The criterion for this example is:

FileVault 2 User has John Smith

FileVault Status

The number of FileVault-enabled users out of the number of users that can be FileVault enabled.

Note: This criterion applies to both FileVault 2-enabled and Legacy FileVault-enabled users.

Values:

All Accounts

No Accounts

Some Accounts

Example:
Report on any computers that are Legacy FileVault encrypted.

The criteria for this example are:

(FileVault Status is All Accounts
-- or --
FileVault Status is Some Accounts)
-- and --
FileVault 2 Partition Encryption State is Ineligible

Partition Name

The name of a partition.

This criterion is intended to be combined with the “FileVault 2 Partition Encryption State” criterion.

Note: This criterion is not limited to FileVault 2 reporting.

Values: Enter a partition name or click Browse to choose the Boot Partition.

Example:
See the “FileVault 2 Partition Encryption State” example.
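As an added example (not Jamf's code), the Python below evaluates criteria rows of the kind shown in the FileVault 2 Individual Key Validation and FileVault Status examples above against a constructed inventory, so you can see which computers a given and/or arrangement actually selects before relying on the group for compliance reporting. The operator semantics ("like" and "has" as substring matches) and the AND-before-OR precedence are assumptions about how Jamf Pro evaluates criteria; the inventory records are constructed sample data.

```python
# Constructed inventory (not real data); keys are the criterion names from the article.
def rec(name, os_ver, state, key_valid):
    return {"name": name, "Operating System": os_ver,
            "FileVault 2 Partition Encryption State": state,
            "FileVault 2 Individual Key Validation": key_valid}
INVENTORY = [rec("mac-01", "10.9.5", "Encrypted", "Valid"),
             rec("mac-02", "10.9.2", "Encrypted", "Invalid"),
             rec("mac-03", "10.9.5", "Encrypted", "Unknown"),
             rec("mac-04", "10.8.5", "Encrypted", "Unknown")]  # key never escrowed, older OS
# Assumption: "like" and "has" behave as substring matches (SQL LIKE %value%).
OPERATORS = {"is": lambda a, v: a == v, "is not": lambda a, v: a != v,
             "has": lambda a, v: v in a, "like": lambda a, v: v in a}
def _or(t):  # assumed precedence: parentheses first, then AND, then OR (SQL rules)
    v = _and(t)
    while t and t[0] == "or":
        t.pop(0); v = _and(t) or v
    return v
def _and(t):
    v = _atom(t)
    while t and t[0] == "and":
        t.pop(0); v = _atom(t) and v
    return v
def _atom(t):
    tok = t.pop(0)
    if tok != "(":
        return tok
    v = _or(t)
    if not t or t.pop(0) != ")": raise ValueError("unbalanced parentheses")
    return v

def evaluate(record, rows):
    # rows mirror the Jamf UI: (and_or, open_paren, criterion, operator, value, close_paren)
    tokens = []
    for i, (and_or, open_p, crit, op, val, close_p) in enumerate(rows):
        if i: tokens.append(and_or.lower())
        if open_p: tokens.append("(")
        tokens.append(OPERATORS[op](record.get(crit, ""), val))
        if close_p: tokens.append(")")
    result = _or(tokens)
    if tokens: raise ValueError("unbalanced parentheses")  # leftover ")"
    return result
def search(rows, inventory=INVENTORY):
    return [r["name"] for r in inventory if evaluate(r, rows)]
# The article's key validation example as written (FLAT) and with the Unknown/Invalid
# pair grouped (GROUPED), the way the article's Legacy FileVault example uses parentheses.
FLAT = [("and", False, "FileVault 2 Partition Encryption State", "is", "Encrypted", False),
        ("and", False, "FileVault 2 Individual Key Validation", "is", "Unknown", False),
        ("or", False, "FileVault 2 Individual Key Validation", "is", "Invalid", False),
        ("and", False, "Operating System", "like", "10.9", False)]
GROUPED = [FLAT[0], ("and", True) + FLAT[1][2:], FLAT[2][:5] + (True,), FLAT[3]]
```

Under the assumed precedence, search(FLAT) also returns the constructed 10.8 machine while search(GROUPED) does not; when a smart group drives remediation or a compliance report, verify the grouping in your Jamf Pro version instead of relying on implicit precedence.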

Additional Information

For information on creating smart computer groups and advanced computer searches, or managing disk encryption configurations with Jamf Pro, see the Jamf Pro Administrator's Guide.

For information on administering FileVault, see the Administering FileVault on macOS 10.14 or later with Jamf Pro technical paper.

Posted by arekdreyer

Please update this article to include "Optimizing" for FileVault 2 Partition Encryption State. Thanks!

Posted by Josemocha

Great resource!
