FileVault enablement dialog in Setup Assistant on 10.12.1

dgreening
Valued Contributor II

We have received some interesting post-10.12.1 update reports from our field staff who are testing Sierra for us.

It seems that upon update from 10.12.0 to 10.12.1, they are seeing a FileVault enablement dialog as part of the Setup Assistant. These machines are not currently FV encrypted, of course. There is a check box to turn on FileVault, as well as one to allow your iCloud account to unlock the disk. Both items are checked by default. I have not yet had time to replicate this, but am working on it.

Has anyone else who is not suppressing the Setup Assistant seen this? I am wondering if there is a way to only suppress the FileVault prompt and let them see the rest of the Setup Assistant.


boberito
Valued Contributor

in4answers. I have seen similar issues and some people have FileVaulted when I don't want them to.

dgreening
Valued Contributor II

So the text seems to imply that when you allow iCloud to unlock the disk, no recovery key is created which could be escrowed into the JSS...

duffcalifornia
Contributor

With 10.10, Apple began pushing FileVault and having it encrypt by default as the standard, and it started giving it prominence during setup with the screen you've shown. They likely started doing this due to the percentage of machines having SSDs being at a high enough rate that the performance impact of the encryption wouldn't matter, combined with Apple's increased push for privacy and data protection. They did this through the setup screen you've shown.

Now, the problem you have here is that, since this happens after an update and not initial startup, this isn't part of the traditional Setup Assistant, so I'm not sure it's a screen you can suppress. You CAN suppress this part of the Setup Assistant, but only if the machine is part of a prestage enrollment.

Should a machine become encrypted, you could always add the management account to the list of users authorized to unlock the disk, then create a policy to reissue a recovery key.

mpermann
Valued Contributor II

In my experience, if the computer has an iCloud account linked to it, Apple will offer to encrypt the drive as part of the Setup Assistant. I haven't seen this on my test systems that don't have an iCloud account linked to them.