- Jamf Nation Community
- Products
- Jamf Pro
- Filevault 2 deployment
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Filevault 2 deployment
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2015 01:22 AM
Hi everyone,
I've been tasked with deploying FV2 to around 800 MacBooks. The majority of these are existing estate, and there are different use cases per machine. Some are many users to one laptop, others are simply one user to one laptop.
I've been looking at the best way to do this deployment and have come up with numerous different methods. I'd like to know how you guys are doing it.
Deployment as the management account does not seem to feasible as if the person triggers this in self service then restarts their mac they will be locked out of their machine if they do not have the recovery key. I was looking at forcing the one time 'no file vault login window at startup' option through fdesetup and then using an ongoing script at login to test if the user is a file vault 2 enabled user - if not prompt the user with a password entry box , which can then populate a plist to import this user as an enabled user. I have this part of the process working , but the only caveat is the command that allows you to bypass the file vault password screen at login is a one time deal, and I also believe it isn't compatible on all hardware?
The issue we have is 1) how the deployment is done - is it pushed/self served or a bit of both - i have a feeling it will be both
2) who does the deployment - the issue with this is, if a user does the deployment themselves through self service, they are the enabled user. At this point I cannot use my script to add existing users as enabled users as it will require me to know their username and password.
I spoke to JAMF support and was told that if i was using a combination of individual & institutional key with or without the management account , the JSS should handle the addition of any new local or mobile account to enabled users. I am 100% not seeing this at the moment. My drive is fully encrypted and if I login with new mobile accounts they are not added into fdesetup list.
The only way I can automate the addition of users to this list is by using the scripted login method.
I'm interested to hear peoples thoughts. Thanks :D
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2015 05:36 AM
I gave a session on FileVault 2 and Casper at JNUC 2013, where I discussed how Casper's FileVault 2 management works. The video is linked here if you're interested:
Casper uses Apple's fdesetup tool for its FileVault 2 management, so it helps to understand the capabilities of fdesetup when looking at Casper's FileVault 2 management. I have posts on using fdesetup for both Mavericks and Yosemite available from the links below:
Managing Yosemite’s FileVault 2 with fdesetup
Managing Mavericks’ FileVault 2 with fdesetup
I'd also recommend checking out Casper's FileVault 2 management documentation:
http://www.jamfsoftware.com/resources/administering-filevault-2-with-the-casper-suite/
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2015 06:01 AM
Hi Rich,
I've read both guides and also read the JAMF documentation on it. I'll check out the video though.
Im thinking of deploying with via self service as the management account initially enabled. Then an authenticated restart command to by pass the FV2 login window. At this point the user can then log back in, receive a password prompt box , populate a temporary plist and import with fdesetup.
I then may add the local admin account as an enabled user, and remove the management account. I'm thinking of removing the management account as I don't want this username displayed at the FV2 login screen on startup. I don't really like the idea of users knowing the username for the casper management account.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2015 06:02 AM
I think maybe accounts aren't being automatically enabled is because I am testing on a Mavericks machine rather than Yosemite.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2015 06:18 AM
Mobile accounts won't be enabled automatically by the OS. Once the Mac is encrypted, new local accounts created through System Preferences are automatically enabled for FileVault 2 by the OS.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2015 06:23 AM
Really? I spoke directly with JAMF and they told me if I used the management account in the encryption then new local accounts or new mobile accounts would be automatically enabled.
Makes sense though as this is not working with mobile accounts in my testing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2015 07:10 AM
I have set up FV2 distribution using both individual/institution key option and set to enable FV2 at logoff with the option to cancel if one is not yet ready (Enabled FileVault 2 User set to "Current or Next User"). This allows us to push to the machine but the user can decide exactly when to pull the trigger and begin the encryption process. This does only enable one user to use the machine. (My scenario is a bit more simple than yours it seems)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2015 07:16 AM
Require FileVault 2
Require users to enable FileVault 2 based on one of the following events.
Logon/Logout/2 logins
Im a bit unclear what this option means - is this referring to the adding of new users to the list of enabled file vault 2 users?
I didn't realise you the user could cancel out of it - what I am seeing is when the policy is delivered successfully it seems to flag the machine to be ready for encryption. Then on the next logout the file vault 2 password box for the user prompts which begins the encryption process.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2015 07:29 AM
For the "Logon/Logout/2 logins" part, assuming this is on a Yosemite system, this is leveraging fdesetup's deferred enablement options. I have a post explaining how deferred enablement works on Yosemite available from here:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2015 07:31 AM
Thanks @rtrouton
