Disk Encryption Configuration questions

tcandela
Valued Contributor II

I have a couple questions for creating a Disk Encryption Configuration

1 - does individual recovery key get stored in JSS ?
2 - If I choose 'management account' to be ENABLED, what 'management account' is it enabling?

Is it the 'managed by' account listed in the JSS for that computer in the General section?


hkabik
Valued Contributor
  1. Yes, individual keys are stored in the JSS when created.
  2. Yes, the "managed by" account. This makes it less appealing to do so for those of us who prefer to keep that account hidden. I generally tend to use a FV2 enabled generic local account as our tech access for FV2 rather than our management account.

tcandela
Valued Contributor II

@hkabik - the disk encryption configuration wizard gives me the following options (version 9.51):

-- Enable FileVault 2 user
-- User to enable for FileVault 2:
   A -- Management account
   B -- Current or Next User

Looks like I have to pick A or B when creating the configuration.

I also do not want to use the hidden managed account. I want FV2 ON and only 1 account enabled on these desktop computers.

For laptops I set up a config profile that turns ON FV2 at the next logout, and it works great. Once 100% encrypted, my generic IT account gets created and enabled.

mm2270
Legendary Contributor III

Then you want to choose option B. It will use the deferred enablement process for the next user that logs into the Mac. When they next log out they'll be prompted to enter their password to enable FileVault. If they do, it activates it and reboots the Mac.

It's also possible under 10.10 to enable users for FileVault at login, which forces them to enter their password to turn on FileVault in order to actually continue to log in. If they click Cancel, it brings them back to the login window.

tcandela
Valued Contributor II

@mm2270 - thanks, I am already doing this for laptops, but for desktops I want to go a different direction.

For desktop computers I want to have only 1 account 'enabled' for FV2, and I want that account to be a certain account that I specify!!

For example, each desktop Mac computer will have a local account, 'MeLocal', and this will be the only account on the computer that is FileVault 2 enabled. Desktop computers are a mix of AD joined and NOT AD joined, and this setup is intended for both.

If I create a policy to create a local account, I can check the box to 'Enable User for FileVault 2'. But I am assuming FV2 must be ON at this point for this to work??? If FV2 is NOT on, will the local account be created and FV2 turned ON?

bkramps
New Contributor III

@tcandela, you are right that if FV is not on, the enable FV for user option doesn't turn it on. What you could do is first, if you didn't already, create the Configuration Profile, "Filevault Recovery Key Redirection."

Once that config profile has been distributed, you can create your policy for the MeLocal account but don't check Enable User for FV2. In that policy, add an after script to turn on FV for MeLocal (assuming you know the password for MeLocal).

#!/bin/sh
# umask 077 makes the temporary plist readable by root only while it exists,
# since it holds the account password in the clear.
umask 077
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>MeLocal</string>
<key>Password</key>
<string>MeLocalPassword</string>
</dict>
</plist>' > /Users/Shared/filevault.plist
# fdesetup reads the username/password plist from stdin and enables FV2 for MeLocal.
fdesetup enable -inputplist < /Users/Shared/filevault.plist
# Remove the plist right away so the password does not stay on disk.
rm -f /Users/Shared/filevault.plist

If you don't want to store the password in the clear in a plist, you can use the defer option to have you or the user enter the password at next login:

#!/bin/sh
# Deferred enablement: FV2 is turned on when MeLocal next logs in, and the
# recovery key is written to /var/tmp/fvkey.plist. -dontaskatlogout skips the
# logout prompt; -forceatlogin 0 prompts at login with no cancel attempts allowed.
fdesetup enable -user MeLocal -defer /var/tmp/fvkey.plist -dontaskatlogout -forceatlogin 0

You would just need to have another script run later after FV2 initialization to remove the fvkey.plist file since you don't want the key stored in the clear.

Hope this helps. Also refer to https://derflounder.wordpress.com/2013/10/22/managing-mavericks-filevault-2-with-fdesetup/ for further help.
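As an added example (not code from the thread or from Jamf), here is the kind of follow-up script the deferred workflow above needs: it parses `fdesetup status` and `fdesetup list` (assumed to print one "username,UUID" line per enabled account), confirms that FileVault is on and that only the intended account is enabled, and removes the deferred-key plist only once encryption is actually on, so the key is never deleted before it has been escrowed and never left in the clear afterwards. The path /var/tmp/fvkey.plist and the account name MeLocal come from the reply above; the SAMPLE_* strings are constructed so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example: post-enablement check and cleanup for the deferred FV2 flow.
# Assumes `fdesetup list` prints "username,UUID" per line (one per enabled user).

DEFER_PLIST="${DEFER_PLIST:-/var/tmp/fvkey.plist}"
EXPECTED_USER="${EXPECTED_USER:-MeLocal}"

# Constructed sample output, used only for offline testing of the helpers.
SAMPLE_STATUS_ON="FileVault is On."
SAMPLE_STATUS_OFF="FileVault is Off."
SAMPLE_LIST="MeLocal,00000000-0000-0000-0000-000000000001
admin,00000000-0000-0000-0000-000000000002"

# fv_status_is_on STATUS_TEXT: returns 0 when `fdesetup status` reports On.
fv_status_is_on() {
    case "$1" in
        *"FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# fv_user_enabled LIST_TEXT USER: returns 0 when USER appears in `fdesetup list`.
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# fv_count_enabled LIST_TEXT: prints the number of enabled accounts.
fv_count_enabled() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 { n++ } END { print n + 0 }'
}

# fv_only_user LIST_TEXT USER: returns 0 when USER is the single enabled account.
fv_only_user() {
    fv_user_enabled "$1" "$2" && [ "$(fv_count_enabled "$1")" -eq 1 ]
}

# cleanup_deferred_key FILE STATUS_TEXT:
#   returns 0 when the file is gone (already absent, or removed because FV is on),
#   returns 2 when FV is still off and the file was deliberately left in place.
cleanup_deferred_key() {
    [ -e "$1" ] || return 0
    if fv_status_is_on "$2"; then
        rm -f "$1"
        return 0
    fi
    return 2
}

# Live run on a Mac: report who is enabled, then clean up the deferred key.
main() {
    status=$(fdesetup status)
    list=$(fdesetup list)
    if fv_only_user "$list" "$EXPECTED_USER"; then
        echo "OK: $EXPECTED_USER is the only FileVault-enabled account"
    else
        echo "WARNING: enabled accounts are:"
        printf '%s\n' "$list"
    fi
    cleanup_deferred_key "$DEFER_PLIST" "$status" || echo "FileVault still off; $DEFER_PLIST kept"
}

# Only run the live check where fdesetup exists, so the helpers can be sourced elsewhere.
if command -v fdesetup >/dev/null 2>&1; then
    main
fi
```

Run it as root from a policy scoped to machines that received the deferred-enablement policy; it exits quietly on machines where FV2 is still off, and only deletes /var/tmp/fvkey.plist once `fdesetup status` reports "FileVault is On."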