FileVault 2 and Policy Scope

mike,

You may want to set up a smart group for machines that are not encrypted, scope your policy to that smart group, then set the Execution Frequency to be Ongoing.

Unfortunately, there's no way I know of to hide that Cancel button. The behavior you're seeing is a FileVault 2 failsafe, to make sure that you don't wind up with an encrypted laptop that nobody can log into.

Thanks for the reply! It sounds like I'm on the right track then. I had already setup the following smart group, hoping to catch only machines not yet fully encrypted.

FileVault 2 Status is not All Partitions Encrypted

<and>

Operating System like 10.8

Mike

You can't do anything to adjust the message that pops up at logout. That's controlled by the OS, not from your Casper Suite policy.
But you could build a Smart Group for any Macs that are not encrypted and running OS X 10.8.x and apply that to the Scope of the encryption policy, then set it to Ongoing. Once a Mac is encrypted it will fall out of the scope and not get the message again.

One note on this though, I discovered recently that the way Casper Suite captures the Filevault 2 status can lead to false positives or false negatives.

Basically, although in the details of a computer record you can see that a Mac is in the stage of encrypting, with a percentage complete, there is no way to build a Smart Group on that status. You can only tell if its completely encrypted or not encrypted, or only some volumes encrypted. Why we can't use items like the actual status that shows up in the Details view as part of a Smart Group criteria I have no idea, but essentially it means that for a period of up to a day some of our Macs show that they are "encrypting" at xx % complete, when in fact they are long done. This means they stay in the Not Encrypted group and keep getting our message pop up to log out, until their Mac submits new inventory status. I suppose we could find some way to get them to inventory sooner, but I came up with another method to help with this.
I built an Extension Attribute that basically uses 'diskutil cs list' to locate the corestorage volume and pull info from it. It reports back either "Not Encrypted" "Encrypted" "Encrypting" or "Decrypting" based on what it finds. If it happens to run on a 10.6 Mac it reports back "N/A"
Using that, we can build a group for any Mac reporting back "Not Encrypted" and use that as the scope for the policy.

I've got a similar extension attribute posted here:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/filevault_2_encryption_check/Casper%20Extension%20Attribute

Thanks to both of you for your help! It looks like it's working as expected in our labs -mike

Can I check what is the difference in using extension attribute method compared to just use the scoping method to check on whether the FileVault is enabled ???