Is this possible using casper encryption configurations or do I have to script it using fdesetup?
Cheers
Matt
Answer
Adding management account AND the next user to Filevault 2
+7Best answer by rich.trouton
You'll need to pick one option or the other and that will also be true when scripting with fdesetup. The "next user" option uses fdesetup enable -defer.
An important thing to know about the -defer option is that it enables one single user account at the time of turning on FileVault 2 encryption. The -defer option does not enable multiple user accounts and cannot be used to enable accounts once FileVault 2 encryption has been turned on.
You'll need to pick one option or the other and that will also be true when scripting with fdesetup. The "next user" option uses fdesetup enable -defer.
An important thing to know about the -defer option is that it enables one single user account at the time of turning on FileVault 2 encryption. The -defer option does not enable multiple user accounts and cannot be used to enable accounts once FileVault 2 encryption has been turned on.
+7Ahh thanks Rich,
So i'd have to use the -defer flag or casper's next user configuration first and then wait until encryption is complete, then add the admin account?
sudo fdesetup add -inputplist < /path/to/filename.plistAm I right in thinking that only the previously enabled user's password/recovery key will do for authorising the above command via the plist? Can an Institutional recovery key be used somehow?
Thanks
Matt
Matt,
You're correct, you will need the previously enabled user's password.
If it's available as a recovery key option, you may also be able to use the alphanumeric recovery key in the plist as that's listed as an option in the fdesetup man page. However, I have not been able to get that to work in my own testing.
+7Many thanks,
I'll give it a go and submit a ticket to apple when it doesn't work.
Might look into prompting the user for their password, but that seems like it might be asking for trouble/confusion!
Cheers
Matt
+16I bet : )
That Jamf has asked for this already. I would ask you Jamf rep for the feature/bug ID number and then ask your Apple rep to push it..
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.