Enabling FileVault with Jamf Connect Login on macOS 10.15 or Later

This article explains how to enable FileVault with Jamf Connect Login on macOS 10.15 or later.

Overview

User data protections in macOS are managed by Apple's security framework, Transparency, Consent, and Control (TCC), which requires user approval for apps attempting to access some user data.

On macOS 10.15 or later, enabling FileVault disk encryption will require user approval. If using Jamf Connect Login to enable FileVault for users, administrators must manage pre-approval with the Privacy Preferences Policy Control payload settings via a computer configuration profile.

For more information about the Privacy Preferences Policy Control payload, see the following documentation from Apple: https://support.apple.com/guide/mdm/privacy-preferences-policy-control-mdm38df53c2a/web

Requirements

To install a configuration profile that approves FileVault enablement for computers with macOS 10.15 or later, the following requirements must be met:

  • User Approved MDM status. For more information, see the Managing User Approved MDM with Jamf Pro Knowledge Base article.
  • A local administrator account
  • Target computers with macOS 10.15 or later
  • Push notifications enabled

Approving FileVault Enablement

To ensure FileVault is enabled and users are not locked out of computers with Jamf Connect, the following computer configuration profile must be installed on computers with macOS 10.15 or later:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadDisplayName</key>
                <string>Privacy Preferences Policy Control</string>
                <key>PayloadIdentifier</key>
                <string>com.jamf.connect.login.A228449A-F0D3-4A1E-AA6B-9D987CEB3013.com.apple.TCC.configuration-profile-policy</string>
                <key>PayloadOrganization</key>
                <string></string>
                <key>PayloadType</key>
                <string>com.apple.TCC.configuration-profile-policy</string>
                <key>PayloadUUID</key>
                <string>EB4F0B24-1A1C-4A6C-BEA6-DD41F7E6120B</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>Services</key>
                <dict>
                    <key>SystemPolicyAllFiles</key>
                    <array>
                        <dict>
                            <key>Allowed</key>
                            <true/>
                            <key>CodeRequirement</key>
                            <string>identifier "com.apple.authorizationhost" and anchor apple</string>
                            <key>Comment</key>
                            <string></string>
                            <key>Identifier</key>
                            <string>com.apple.authorizationhost</string>
                            <key>IdentifierType</key>
                            <string>bundleID</string>
                            <key>StaticCode</key>
                            <false/>
                        </dict>
                    </array>
                </dict>
            </dict>
        </array>
        <key>PayloadDisplayName</key>
        <string>TCC Settings for fdesetup from loginwindow</string>
        <key>PayloadIdentifier</key>
        <string>com.jamf.connect.login.A228449A-F0D3-4A1E-AA6B-9D987CEB3013</string>
        <key>PayloadOrganization</key>
        <string>ProfileCreator</string>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>A228449A-F0D3-4A1E-AA6B-9D987CEB3013</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
</plist>

In addition, an open source app built by Jamf for the Apple community can help with the identification requirements needed to allow some apps and processes to function within the Privacy Preferences Policy Control framework. This app is available on Jamf's GitHub repository: https://github.com/jamf/PPPC-Utility.
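As an added example (not part of this article, and not Jamf's or the PPPC-Utility's code), the following Python script checks a PPPC configuration profile before it is deployed: it parses the profile with plistlib and verifies that a com.apple.TCC.configuration-profile-policy payload grants SystemPolicyAllFiles to com.apple.authorizationhost with the code requirement shown above. The sample profiles it builds are constructed for the example and use placeholder identifiers; the helper names are the example's own.

```python
"""Check a PPPC configuration profile for the grant Jamf Connect Login needs to run fdesetup.

Added example; it is not part of the Jamf article or the Jamf Connect product.
It parses a profile with plistlib and verifies that a
com.apple.TCC.configuration-profile-policy payload grants SystemPolicyAllFiles to
com.apple.authorizationhost, pinned by a code requirement anchored to Apple,
as in the profile shown in the article. The sample profiles below are constructed here.
"""
import plistlib
import uuid
from typing import List
from xml.parsers.expat import ExpatError

PPPC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"
REQUIRED_SERVICE = "SystemPolicyAllFiles"
REQUIRED_IDENTIFIER = "com.apple.authorizationhost"
REQUIRED_CODE_REQUIREMENT = f'identifier "{REQUIRED_IDENTIFIER}" and anchor apple'


def check_pppc_profile(profile_bytes: bytes) -> List[str]:
    """Return the problems found; an empty list means the required grant is present."""
    try:
        profile = plistlib.loads(profile_bytes)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return [f"not a valid plist: {exc!r}"]

    problems = []
    # PPPC payloads are delivered on the device channel; the article's profile is system-scoped.
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope is not System")

    pppc_payloads = [p for p in profile.get("PayloadContent", [])
                     if p.get("PayloadType") == PPPC_PAYLOAD_TYPE]
    if not pppc_payloads:
        return problems + [f"no {PPPC_PAYLOAD_TYPE} payload in PayloadContent"]

    # Collect every SystemPolicyAllFiles entry across all PPPC payloads in the profile.
    grants = [g for p in pppc_payloads
              for g in p.get("Services", {}).get(REQUIRED_SERVICE, [])]
    matching = [g for g in grants if g.get("Identifier") == REQUIRED_IDENTIFIER]
    if not matching:
        return problems + [f"no {REQUIRED_SERVICE} entry for {REQUIRED_IDENTIFIER}"]

    for grant in matching:
        if grant.get("Allowed") is not True:
            problems.append(f"{REQUIRED_IDENTIFIER} is present but not Allowed")
        if grant.get("IdentifierType") != "bundleID":
            problems.append("IdentifierType should be bundleID for a bundle identifier")
        if grant.get("CodeRequirement") != REQUIRED_CODE_REQUIREMENT:
            problems.append("CodeRequirement does not pin the identifier and anchor apple")
    return problems


def make_profile(service: str, allowed: bool = True) -> bytes:
    """Build a constructed sample profile shaped like the one in the article (placeholder ids)."""
    grant = {
        "Allowed": allowed,
        "CodeRequirement": REQUIRED_CODE_REQUIREMENT,
        "Comment": "",
        "Identifier": REQUIRED_IDENTIFIER,
        "IdentifierType": "bundleID",
        "StaticCode": False,
    }
    payload_uuid = str(uuid.uuid4()).upper()
    return plistlib.dumps({
        "PayloadContent": [{
            "PayloadDisplayName": "Privacy Preferences Policy Control",
            "PayloadIdentifier": f"example.pppc.{payload_uuid}.{PPPC_PAYLOAD_TYPE}",
            "PayloadType": PPPC_PAYLOAD_TYPE,
            "PayloadUUID": payload_uuid,
            "PayloadVersion": 1,
            "Services": {service: [grant]},
        }],
        "PayloadDisplayName": "TCC Settings for fdesetup from loginwindow (constructed sample)",
        "PayloadIdentifier": "example.pppc",
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    })


GOOD_PROFILE = make_profile(REQUIRED_SERVICE)
# Common mistake: granting a different TCC service, which leaves fdesetup unapproved.
WRONG_SERVICE_PROFILE = make_profile("SystemPolicySysAdminFiles")
# Entry present but explicitly denied.
DENIED_PROFILE = make_profile(REQUIRED_SERVICE, allowed=False)

if __name__ == "__main__":
    for name, data in [("good", GOOD_PROFILE), ("wrong service", WRONG_SERVICE_PROFILE),
                       ("denied", DENIED_PROFILE)]:
        print(name, "->", check_pppc_profile(data) or "OK")
```

Run it against an exported .mobileconfig by passing the file's bytes to check_pppc_profile; an empty result means the profile carries the grant the article requires, and any message names the field to correct. PPPC-Utility remains the right tool for authoring the profile; this script only confirms the result before it is scoped to computers.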

Approving FileVault Enablement for Standard User Accounts

If you want to use Jamf Connect Login to create a standard user account that is FileVault enabled, you must configure Jamf Connect Login with the Local Administrator Password Solution (LAPS) setting. This setting randomizes an already existing local administrator account password, uses the password to enable FileVault and create a personal recovery key, and then cycles the personal recovery key to become the local administrator password. This results in the configured LAPS user account and standard user account being FileVault enabled.

Note: The first FileVault enabled user account on a computer cannot be a standard user account.

To configure a LAPS user account, add the following preference key to your Jamf Connect Login configuration profile:

<key>LAPSUser</key>
<string>AdminUser</string>

Additional Information

  • For additional information about Jamf Connect Login, see the Jamf Connect Login section in the Jamf Connect Administrator's Guide.

For additional information about User Data Protections and FileVault, see the following Knowledge Base articles:
