Disabling FireVault

rowanquigley
New Contributor

...

4 REPLIES 4

calumhunter
Valued Contributor

enable FV escrow into the JSS? atleast that way you can unlock them

If they are admins they can do anything, so I wouldn't bother trying to stop them doing something. that only spurs them on more.

Instead put in systems that allow them to use filevault but also gives you the ability to provide support to them.

Make sure you check out everything by @rtrouton he's pretty much the authority on filevault
https://derflounder.wordpress.com/

rowanquigley
New Contributor

...

RobertHammen
Valued Contributor II

I assume you meant "FileVault"...

Honestly nothing good can come from kids being admins, but that's just my opinion.

Greg Neagle has a custom configuration profile to not disable FileVault. I assume it would work the other way around, but haven't tested it.

More details here:

https://managingosx.wordpress.com/2014/05/21/preventing-users-from-disabling-filevault-2/

rtrouton
Release Candidate Programs Tester

If you're 100% certain that you want to disable FileVault 2, the easiest way to do so is to remove the Recovery HD partition from the machines in question. FileVault 2 relies on Recovery HD in order to access the FileVault 2 unlock tools.

Without a valid and working Recovery HD on the machine, any attempt to enable FileVault 2 using either Apple's fdesetup command line tool or the FileVault preference pane in System Preferences will not succeed. This is because the FileVault 2 setup process will check for the presence of Recovery HD and will not proceed with encrypting the Mac if Recovery HD is not there.