
Disabling an Existing Local Account for FileVault
Log in to the JSS with a web browser.

Click Computers at the top of the page.

Click Policies.
On a smartphone, this option is in the pop-up menu.

Click New.

In the General payload, enter a display name for the policy. For example, “Disable Local Account for FileVault”.

Select a trigger and execution frequency.

Select the Local Accounts payload and click Configure.

Choose “Disable User for FileVault 2” from the Action pop-up menu.

Enter the username of the user you want to disable for FileVault.

(Optional) Select the Maintenance payload and then select the Update Inventory checkbox so that the FileVault-enabled status for the local account is updated in inventory immediately when the policy runs.

Click the Scope tab and configure the scope of the policy.
Note: If applicable, you can use the smart computer group you created in “Creating a Smart Group of Computers for Which a Specified User is Enabled for FileVault” as the scope for the policy.

Click Save.

The policy runs on computers in the scope the next time they check in with the JSS and meet the criteria in the General payload.

@dgeiler I don't see a question in what you’ve posted (which looks to be the instructions on how to deploy a policy to remove a user’s FileVault access). Be aware that if the user is the only one with FileVault access you cannot remove their access because at least one user must have FileVault access and removing someone’s access does not turn off FileVault.


We do something like this as part of our (current, soon to be replaced) build process, but there is a check to make sure that the build account being deleted is not the last one (as @sdagley mentions above). Fortunately, this process is being replaced with a much more modern one.
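The "is this the last FileVault-enabled user" check that the replies above describe, as an added example that is not from the Jamf documentation pasted in the original post and not from any participant in this thread. It assumes the real macOS behaviour of `fdesetup list` (one `username,UUID` line per FileVault-enabled user) and `fdesetup remove -user NAME`, both of which must run as root; the sample list and the UUIDs in it are constructed. The decision logic is kept in its own function so it can be exercised with that sample on any POSIX shell, while the `remove_fv_user` wrapper is what a Jamf policy script would actually call on a Mac.

```shell
#!/bin/sh
# Added example, not Jamf's own code. Refuses to remove a user's FileVault
# unlock record when that user is the only one enabled, because at least one
# user must keep FileVault access (removing a user does not turn FileVault off).

# fv_removal_check USER FV_LIST
# FV_LIST is the text of `fdesetup list` (assumed format: "username,UUID" per line).
# Prints exactly one verdict:
#   not-enabled  USER has no FileVault unlock record, nothing to remove
#   last-user    USER is the only enabled user, removal would leave no unlock user
#   ok           safe to call `fdesetup remove -user USER`
fv_removal_check() {
    user=$1
    fv_list=$2
    # Count record lines (name before the comma). `|| true` keeps grep's
    # "no match" exit status from aborting callers that run under set -e.
    total=$(printf '%s\n' "$fv_list" | grep -c '^[^,][^,]*,' || true)
    # Exact match on the name column only, so "admin" does not match "adminbackup".
    if ! printf '%s\n' "$fv_list" | cut -d, -f1 | grep -Fqx "$user"; then
        echo not-enabled
    elif [ "$total" -le 1 ]; then
        echo last-user
    else
        echo ok
    fi
}

# remove_fv_user USER: the real operation, macOS only, run as root
# (for example from a Jamf policy script). Return codes: 0 removed,
# 1 user not enabled, 2 refused because last user, 3 fdesetup list failed.
remove_fv_user() {
    user=$1
    fv_list=$(fdesetup list) || { echo "fdesetup list failed" >&2; return 3; }
    verdict=$(fv_removal_check "$user" "$fv_list")
    case $verdict in
        ok)
            fdesetup remove -user "$user"
            ;;
        last-user)
            echo "refusing: $user is the only FileVault-enabled user" >&2
            return 2
            ;;
        *)
            echo "nothing to do: $user is not FileVault-enabled" >&2
            return 1
            ;;
    esac
}

# Constructed sample of `fdesetup list` output (placeholder UUIDs, not real data).
SAMPLE_LIST='admin,11111111-2222-3333-4444-555555555555
builduser,66666666-7777-8888-9999-AAAAAAAAAAAA'

# Dry run of the decision logic only; on a Mac call `remove_fv_user builduser`.
if [ "${1:-}" = "--demo" ]; then
    fv_removal_check builduser "$SAMPLE_LIST"                                  # ok
    fv_removal_check nobody "$SAMPLE_LIST"                                     # not-enabled
    fv_removal_check admin 'admin,11111111-2222-3333-4444-555555555555'        # last-user
fi
```

Run it with `--demo` to see the three verdicts without touching fdesetup. Note that `fdesetup remove` only drops the user's FileVault unlock record; it says nothing about the account's Secure Token, which is the separate state the later reply in this thread is talking about, and which `sysadminctl -secureTokenStatus USER` reports independently.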


The title of your post and the body don’t match.

Your question: how to disable an existing local FileVault user? You generally need to do this locally on the device. Even if you disable FileVault, the user still keeps their FV token, and when they enable FileVault next they automatically have access again. FileVault tokens are closely related to Secure Tokens and Disk Ownership, so you cannot really use Jamf to remove these, as Jamf uses the CLI for stuff like this, which uses a Bootstrap Token that lacks the authorization to modify a Secure Token holding account. Apple has not built a way to manage Secure Token holding users into the MDM framework, so this is not a gap Jamf can close.

As far as your instructions, you should not be using a policy to manage FileVault. You can still technically turn on FileVault with a policy, but this uses the fdesetup binary, which Apple has deprecated. It still works, but Apple is not updating it for changes in macOS like Secure Tokens, and Apple can kill it at any moment without notice. The Disable Local Account for FileVault 2 won't work.

https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Activating_FileVault_Disk_Encryption_using_a_Configuration_Profile.html