Upvote if you want those extra keys to be added into Jamf Pro
https://www.jamf.com/jamf-nation/feature-requests/9074/add-extra-filevault-2-keys-to-jamf-pro
So I get an error when the profile attempts to install on a computer
The ‘FileVault Settings’ payload could not be installed. User authentication failed.
@DSI It's been very quiet in FB7361976 so far
I just posted it here: https://openradar.appspot.com/radar?id=4980838227771392
@Cayde-6 Voted for the feature request, thanks!
@jordy.witteman Question, are you doing "Config profile: require FV2 escrow
Policy with Disk Encryption: At next login" for all devices? Jamf support suggested just scoping this to 10.15+ and leaving the rest to just use the config profile....
Kinda sucks that Jamf is just leaving admins to figure it out... still seeing new posts about this (https://www.jamf.com/jamf-nation/discussions/34159/filevault-deployment-broken-in-catalina). Since enabling & enforcing FV2 is a requirement for some of us, an acknowledgment of the issue ahead of time would have been nice, along with a detailed workaround, instead of leaving it up to the admins to be proactively involved in forums or the macadmin Slack channel to know about this and not just find out about it through end user reports or testing.
For the policy general settings, does the trigger have to be at login as well? I currently have it set to Enrollment complete.
Even after the newest release of macOS 10.15.2 and Jamf Pro with JamfConnectVerify-1.2.1.pkg & JamfConnectLogin-1.7.1.pkg, it is still not possible to enable FileVault by reboot :-(
Help!!!
@dsardaczuk You need to pester Apple, only they can fix the FV2 deferred at logout issue
settings:
Filevault payload:
individual and current or next user at next login
fresh wipe and install of 10.15.2
boot to local admin, not the first account made but an account made in JSS as part of workflow
asks to enable FV > do so
sys pref > FV off
log out and log in, asks to enable now again
terminal > sudo fdesetup status shows that FV is OFF and the deferred enablement appears active for (the user I've been logging into)
run the self service policy (does the same thing)
logs out user, logs back in without reboot, asks for Enable Now
I can enable manually and it shows the Jamf repo locations and lets me store it to JAMF, but I was hoping the process would be easier/more streamlined.
EDIT:
there's a config profile tied to it
Require FV2 is not on
but enable escrow key is to the named location (company JAMF)
auto encrypt and decrypt recovery key
EDIT 2:
a few reboots later and the key is now stored in escrow in JSS and it tells me that the machine is encrypted....
this is confusing as heck
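An added example, not code from this thread or from Jamf: a Jamf-style extension attribute script that classifies the `fdesetup status` output described in the post above, so Macs left in deferred enablement after a restart can be surfaced in inventory and scoped for remediation. The sample status text and the user name `jdoe` are constructed; on a real Mac the script reads the live output instead.

```shell
#!/bin/bash
# Added example (not from the thread): classify `fdesetup status` output so a
# stuck "deferred" FileVault enablement can be reported as an extension
# attribute and caught by a smart group.

# Prints one of: on, off, deferred, unknown
classify_fv_status() {
  local out="$1"
  # The deferred line accompanies "FileVault is Off.", so test it first.
  if printf '%s\n' "$out" | grep -qi 'deferred enablement appears to be active'; then
    echo "deferred"
  elif printf '%s\n' "$out" | grep -qi '^FileVault is On'; then
    echo "on"
  elif printf '%s\n' "$out" | grep -qi '^FileVault is Off'; then
    echo "off"
  else
    echo "unknown"
  fi
}

# Extracts the user named in a deferred enablement line (empty if none).
deferred_user() {
  printf '%s\n' "$1" | sed -n "s/.*active for user '\([^']*\)'.*/\1/p" | head -n 1
}

# Constructed sample matching the state the post describes: FV off, with
# deferred enablement pending for the account that keeps logging in.
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

# On a real Mac read the live status; elsewhere fall back to the sample.
if command -v fdesetup >/dev/null 2>&1; then
  STATUS_TEXT="$(fdesetup status 2>/dev/null)"
else
  STATUS_TEXT="$SAMPLE_DEFERRED"
fi

STATE="$(classify_fv_status "$STATUS_TEXT")"
USER_PENDING="$(deferred_user "$STATUS_TEXT")"

# Extension attribute result: a "deferred:<user>" value marks Macs where the
# policy ran but encryption never actually started after a restart.
if [ "$STATE" = "deferred" ]; then
  echo "<result>deferred:${USER_PENDING}</result>"
else
  echo "<result>${STATE}</result>"
fi
```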
Happy new one...
is there still no fix, only workarounds?
In Mojave all works fine; only Catalina has this problem.
depends what you mean by fix.
in our case, changing the workflow a little allowed us to get what we wanted, so we consider that an implemented change vs workaround.
so it really depends on how you define workaround/fix and what your process is like.
FYI, the built-in Jamf field to enable FileVault on logoff still does not work with Catalina 10.15.3. At this point, I think I'm going to give up on the configuration profile and use a policy to apply FileVault at login (which seems to work fine).
There is a bug utilizing a config profile to enable FileVault for Catalina on Jamf Pro 10.15.1. You will need to enable via policy. I would also push the config profile, but use it to escrow keys for devices that need a recovery key regenerated. Not sure if the bug is resolved in recent releases of Jamf Pro, but we're about to upgrade to 10.18 so... will let you know.
@srobert I don't believe this is a Jamf bug, other MDMs have the same issue.
Apple are treating it as a bug with Catalina
AD-bound Macs, Mobile Accounts, FV and Keychain on 10.15.3 continue to be an utter mess.
It's kind of strange, as Apple are continuing to support Mobile accounts by introducing bootstrap tokens but then break stuff that worked in 10.15.0.
Looks like Bootstrap tokens are working with DEP Catalina Jamf 10.18, which is good news; however, the current dealbreaker is that the user must log out and not restart when FV is enforced via a Config Profile, otherwise encryption goes into deferred mode and won't actually encrypt until the user next logs off (which they never will in a 1-1 Mac scenario). Plus every time they restart they get prompted for their password to enable FV (which never does, as it's deferred).
From what I gather if we enable via Policy (so that it enables at login) but try to enforce with a config profile (which only has the option for log out) you run the risk of an 'enable at log in but also at log out' conflict.
@GregE Are you forcing any restarts on the machine?
In our environment we have two scripts that require a reboot. We have FV enabled at the login as intended. When the machine restarts and the user logs in it's good to go. However, we are all on Mojave 10.14.6 at the moment, so I am not sure if it's working properly on Catalina. The last time I relived this, Bootstrap was still not working with DEP and there was a slew of other issues that I did not want to deal with at the time.
Next time I relive this I will post on my findings.
We're still in testing so haven't pushed this out to the fleet at all. Have been waiting for Bootstrap support from Jamf so are making a concerted effort to get this to work now (with zero-touch) since it's now supported (and Windows has been BitLockered for over a year). All my testing is in Catalina since that will be the way forward and everyone will be upgraded as part of this project.
One thing I'm finding though is that the Bootstrap token for the mobile account isn't being created upon login. My mobile account is a standard user, so I switch user in Terminal to the local admin account to run sudo commands (like sudo fdesetup list) and the local admin account (created in PreStage Enrolment in Jamf) will have a secureToken (even though it has never gone through the setup assistant) and thus my mobile account won't get the Bootstrap. Not sure if switching user in Terminal is what's causing this.
Just throwing out my findings on this, as our environment is experiencing this as we update to Catalina as well. If you Shut Down or Restart the issue persists, but if the user goes Apple Menu > Sign Out it does enable FileVault after being prompted and the key does get escrowed to JAMF successfully. Not ideal, but it's been a serviceable workaround for us as we build out a new way to script it that works for our environment.
Even in the new 10.19 it's not fixed. Known issue PI-007582 https://www.jamf.com/jamf-nation/my/products/known-issues.
@quip_MDavison
I am experiencing the same in my testing. If the Mac is Shut Down or Restarted FileVault will not encrypt. It has to be an actual Log Out. Obviously this is only for new enrollments and all upgrades are still encrypted as expected.
If you are using jamf connect login take a look at this:
https://travellingtechguy.eu/jamf-connect-and-laps/
We have managed to get it all working without prompt and without reboot / logout
Just make sure you have a generic local admin account as the defined admin user in your prestage, our local admin account we use is then pushed down using a policy after enrolment.
The generic account will then be the first admin account who is able to enable FV for all users and the PW is changed after escrowing to JAMF to the unlock key.
NOTE: While we have not moved this into production in testing it all worked fine without failures
This is a clickable link for the post from BOBW above...
Has anyone found a workaround or solution? When we sign out from the Apple menu, it still doesn't issue us the recovery key; when logged back in, in Security & Privacy it states that FileVault is turned off.
I didn't read all of this, but I'm a little confused about what the issues are. It's pretty simple. You need a Profile to enable key escrow and a Policy to enable encryption. Since we have technicians set up all our Macs, they go to a "Tech Tools" section in Self Service (via logon/LDAP) and run it from there. It's set up to prompt for the password at next logoff (or reboot). I confirmed this is working just in 10.15.1, 10.15.2 and 10.15.3.
Hey @ScottSimmons, thanks for the info, and it works. Just a question: it doesn't display the recovery key like all the Mojave devices; is that normal behavior for all Catalina device(s)? Also, do you guys have the policy scoped to all devices during the setup process, or do you add machines manually into the policy?