FileVault 2 - moving from a "Current or Next User" to "Management Account" during Thin Provisioning

donmontalvo
Esteemed Contributor III

We have a Thin Provisioning workflow, where we enable FileVault 2 for Current or Next User > At next logout:


We are planning to transition over to Management Account so we can manage FileVault 2:


We haven't started testing yet, but wanted to check in here, to see if anyone has transitioned between these two workflows, in case there are any known gotchas or recommendations.

We plan to transition as part of a workflow to re-issue FileVault 2 keys, long story short we had to transition from one server to another so FileVault 2 keys were left behind (normally we would redirect DNS but that was not an option at the time).

Post transition, the Management Account will be FileVault 2 enabled...so we are looking into how to programmatically enable the next user for FileVault 2.

The caveat here is an LDAP user (meaning their account won't be created until the user gets the Mac and logs in).

Jamf Pro 9.x doesn't appear to have a policy option to "Enable next LDAP user for FileVault 2":


So once the computer is Thin Provisioned, it is shut down and delivered to the user, user logs in with LDAP credentials, and we would want that account to be enabled for FileVault 2.

Exploring options, we're guessing a Launch Agent could trigger a script to enable the current user for FileVault 2; the Launch Agent would then be unloaded/deleted, and the script would remove itself.

Sound like the right direction? Any other ideas or best practices?

Comments? Questions? Snide remarks?

TIA,
Don

--
https://donmontalvo.com
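As an added example (not code from the post or from Jamf), here are the pieces the "enable the current user after first login" script would need: the stdin plist that `fdesetup add -inputplist` accepts, and a check against `fdesetup list` so the agent only removes itself once the user really is enabled. It assumes the management account is already FileVault-enabled and that the script runs as root, since `fdesetup add` requires root and a LaunchAgent running as the console user would have to hand off to a root-owned job (a Jamf policy trigger or LaunchDaemon); the account names are constructed placeholders.

```shell
#!/bin/bash
# Added example, not code from the original post. Assumes the management
# account is already FileVault-enabled and that this runs as root:
# `fdesetup add` requires root, so a LaunchAgent running as the user
# cannot call it directly and must hand off to a root-owned job.

# Escape a value for use inside a plist <string> element.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist that `fdesetup add -inputplist` reads on stdin; feeding
# credentials this way keeps them off the command line and out of `ps`.
build_fdesetup_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$1")</string>
  <key>Password</key><string>$(xml_escape "$2")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>$(xml_escape "$3")</string>
      <key>Password</key><string>$(xml_escape "$4")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Read `fdesetup list` output ("username,UUID" per line) from stdin and
# return 0 if the named user is in the FileVault user list, else 1.
fv_user_enabled() {
  local user="$1" line
  while IFS= read -r line; do
    [ "${line%%,*}" = "$user" ] && return 0
  done
  return 1
}

# Enable the newly logged-in user, then verify before the caller removes
# the LaunchAgent and this script.
enable_console_user() {
  build_fdesetup_plist "$1" "$2" "$3" "$4" | fdesetup add -inputplist || return 1
  fdesetup list | fv_user_enabled "$3"
}
```

The management account password still has to reach the script somehow (Jamf policy parameter, keychain, or an interactive prompt for the user's own password via osascript), and that choice is the real design decision in this workflow.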