I have never tried to use an account for this that has never logged in to macOS before. If its not working on multiple devices I would wager its a change Apple has made with how secure tokens are handled.

The simplest workaround I can think of is to make a on demand policy (Self-Service or CLI trigger) with the Restart Options payload and check the "Perform authenticated restart on computers with FileVault 2 enabled" box.

Tried that but Jamf doesn't honor a -1 (do not restart on a timer) timeout value and displays a message even though "Start the restart timer immediately" is checked.

@DirkM I can't find a reference, and I've never tested it myself, but I recall being in a discussion early last year where it was mentioned that a token wasn't activated until a user actually logged in to the account. Since that matches your experience I'd say you're experiencing "Works As Expected"

The reboot comes from JAMF's Binary, not Apples MDM Framework. So, what JAMF's GUI has as options should work fine.

This is what I use, the timer is currently 60 minutes but I change it as needed. You can also just tell it to restart immediately if a user is logged in. Since its a policy you could run it with another policy using CLI and use JAMF helper to notify the user.

Tried your settings but still get the fde login (progress bar after entering name and password) after the manual (not waiting for the  timeout) restart . I no longer get the prompt though after removing the restart message.

According to Jamf, authrestart is broken on ASi Macs (PI102829) when using the fde recovery password (which is what the policy does), works in macOS 12+ only with logged in username/password.