
Is this possible using Casper encryption configurations or do I have to script it using fdesetup?



Cheers



Matt

You'll need to pick one option or the other and that will also be true when scripting with fdesetup. The "next user" option uses fdesetup enable -defer.



An important thing to know about the -defer option is that it enables one single user account at the time of turning on FileVault 2 encryption. The -defer option does not enable multiple user accounts and cannot be used to enable accounts once FileVault 2 encryption has been turned on.


Ahh thanks Rich,



So I'd have to use the -defer flag or Casper's next user configuration first and then wait until encryption is complete, then add the admin account?



sudo fdesetup add -inputplist < /path/to/filename.plist


Am I right in thinking that only the previously enabled user's password/recovery key will do for authorising the above command via the plist? Can an Institutional recovery key be used somehow?



Thanks



Matt


Matt,



You're correct, you will need the previously enabled user's password.



If it's available as a recovery key option, you may also be able to use the alphanumeric recovery key in the plist as that's listed as an option in the fdesetup man page. However, I have not been able to get that to work in my own testing.
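
The sequence discussed above (defer-enable one user, wait for encryption, then add the admin account), as an added example that is not part of the original thread: it builds the plist for `fdesetup add -inputplist` and pipes it over stdin so no password file is left on disk. The function names, the account names in the usage, and the matched `fdesetup status` wording are assumptions; the plist keys are the ones given in the fdesetup man page.

```python
import plistlib
import subprocess


def build_add_plist(auth_user, auth_password, new_users):
    """Return the XML plist that `fdesetup add -inputplist` reads on stdin.

    auth_user must already be FileVault-enabled (the account enabled via
    -defer); new_users maps each account to add to its login password.
    """
    if not new_users:
        raise ValueError("no accounts to add")
    if auth_user in new_users:
        raise ValueError("authorising user is already FileVault-enabled")
    payload = {
        "Username": auth_user,
        "Password": auth_password,
        "AdditionalUsers": [
            {"Username": name, "Password": pw} for name, pw in new_users.items()
        ],
    }
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def encryption_finished(status_text):
    """Interpret `fdesetup status` output (the matched wording is an assumption)."""
    return "FileVault is On" in status_text and "in progress" not in status_text


def add_users(auth_user, auth_password, new_users):
    """Run as root on the Mac. Refuses to act until encryption has completed."""
    status = subprocess.run(
        ["fdesetup", "status"], capture_output=True, text=True, check=True
    ).stdout
    if not encryption_finished(status):
        raise RuntimeError("FileVault not fully enabled yet: " + status.strip())
    # Passing the plist as stdin keeps the passwords out of the filesystem
    # and out of the process argument list.
    subprocess.run(
        ["fdesetup", "add", "-inputplist"],
        input=build_add_plist(auth_user, auth_password, new_users),
        check=True,
    )
```
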


Many thanks,
I'll give it a go and submit a ticket to Apple when it doesn't work.
Might look into prompting the user for their password, but that seems like it might be asking for trouble/confusion!



Cheers



Matt


I bet : )



That Jamf has asked for this already. I would ask your Jamf rep for the feature/bug ID number and then ask your Apple rep to push it.