FileVault Policy Not working- Users go into Deferred Enablement

bassic
New Contributor III

Hi Guys

I am having a rather frustrating issue with my FileVault policy. I have a configuration profile that requires FileVault with a Personal Recovery Key, and is set to escrow it to our Jamf server.

New Macs then have a FileVault policy applied during enrollment. This simply applies my Individual Key at next login.

It all seems to work fine: the FileVault messages come up at the next login saying that the encryption will be applied etc., however FileVault is not turned on. When I then run fdesetup status, I find that deferred enablement is enabled for the user, despite not having deferred enablement, or even having an option to do so.

Has anyone else come across this? Any help would be greatly appreciated.

Thanks

2 REPLIES

alexjdale
Valued Contributor III

That is deferred enablement, at next login, with 0 deferrals allowed. FV is simply failing to enable, which can be caused by multiple possible issues. Recovery partition issue, no secure token, etc.

bassic
New Contributor III

Thanks @alexjdale

Turns out the problem was to do with the secure token, or lack thereof. If this helps anyone else, the reason why there wasn't a secure token, which prevented FV2 from enabling, was to do with my workflow for deploying non-DEP Macs.

Basically I was reinstalling macOS, then going through the OOBE to set up our local admin account, then installing NoMAD Login.
I then logged out and then logged in with the user's AD account before enrolling in Jamf and kicking off the DEP Helper which did the rest of the configuration.
I think the problem was that a secure token is only created for the first user set up on the machine; the account created using NoLO did not have one.

I resolved this by using Mac Deploy Stick to create the localadmin account and install NoLO before first login. Doing it this way, a secure token was created when the user logged in with NoLO, and therefore my FV2 policy worked. Happy days!

I hope this helps someone out there!
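The two checks behind this diagnosis (alexjdale's "deferred enablement with 0 deferrals" reading of `fdesetup status`, and the missing secure token that bassic found) can be scripted so a tech can tell the cases apart in one run. The script below is an added example and is not from the thread or from Jamf; it parses the output formats of `fdesetup status` and `sysadminctl -secureTokenStatus <user>` from strings, so it runs offline against constructed sample output, and only queries the live commands when it finds itself on a Mac. The verdict strings, the sample user `jdoe`, and the timestamps in the samples are all invented for the example.

```shell
#!/bin/sh
# Added example (not from the thread): parse `fdesetup status` and
# `sysadminctl -secureTokenStatus` output and combine them into one verdict
# for a user that a FileVault policy has left in deferred enablement.

# Constructed sample output (not captured from a real Mac), in the shape the
# two tools print. The "Deferred enablement" line is what the original post
# saw; sysadminctl writes its line to stderr, hence the 2>&1 further down.
SAMPLE_STATUS_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."
SAMPLE_STATUS_ON="FileVault is On."
SAMPLE_TOKEN_DISABLED="2020-01-01 10:00:00.000 sysadminctl[321:9876] Secure token is DISABLED for user jdoe"
SAMPLE_TOKEN_ENABLED="2020-01-01 10:00:00.000 sysadminctl[321:9876] Secure token is ENABLED for user jdoe"

# fv_is_on STATUS_OUTPUT: succeed when fdesetup reports the disk as encrypted.
fv_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# fv_deferred_user STATUS_OUTPUT: print the user named in a deferred
# enablement line, or nothing when no such line is present.
fv_deferred_user() {
    printf '%s\n' "$1" \
      | sed -En "s/^Deferred enablement appears to be active for user '([^']*)'\.$/\1/p"
}

# secure_token_state TOKEN_OUTPUT: print ENABLED or DISABLED from the
# sysadminctl line, or nothing if the line is not recognised.
secure_token_state() {
    printf '%s\n' "$1" | sed -En 's/.*Secure token is (ENABLED|DISABLED) for user .*/\1/p'
}

# fv_verdict STATUS_OUTPUT TOKEN_OUTPUT: print a one-word verdict that
# separates "already encrypted", "not even deferred", and the two deferred
# cases (no secure token vs. token present, so look at other causes such as
# the recovery partition).
fv_verdict() {
    status_out=$1
    token_out=$2
    if fv_is_on "$status_out"; then
        echo "encrypted"
        return 0
    fi
    user=$(fv_deferred_user "$status_out")
    if [ -z "$user" ]; then
        echo "off-not-deferred"
        return 0
    fi
    case $(secure_token_state "$token_out") in
        DISABLED) echo "deferred-no-secure-token" ;;
        ENABLED)  echo "deferred-token-present-check-other-causes" ;;
        *)        echo "deferred-token-unknown" ;;
    esac
}

# On a Mac, check the console user's real state; anywhere else (or where the
# tools are missing) demonstrate on the constructed samples instead.
if [ "$(uname -s)" = Darwin ] && command -v fdesetup >/dev/null 2>&1; then
    console_user=$(stat -f '%Su' /dev/console)
    live_status=$(fdesetup status)
    live_token=$(sysadminctl -secureTokenStatus "$console_user" 2>&1)
    echo "$console_user: $(fv_verdict "$live_status" "$live_token")"
else
    echo "sample 1: $(fv_verdict "$SAMPLE_STATUS_DEFERRED" "$SAMPLE_TOKEN_DISABLED")"
    echo "sample 2: $(fv_verdict "$SAMPLE_STATUS_DEFERRED" "$SAMPLE_TOKEN_ENABLED")"
    echo "sample 3: $(fv_verdict "$SAMPLE_STATUS_ON" "$SAMPLE_TOKEN_ENABLED")"
fi
```

Run it as a Jamf policy script or from a terminal on the affected Mac; a `deferred-no-secure-token` verdict points at the enrollment workflow described above (an account created after the first user setup never received a token), while `deferred-token-present-check-other-causes` means the token is there and the remaining causes alexjdale lists, such as the recovery partition, are worth checking next.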