Have any of you guys had issues with FileVault 2's deferred enablement feature since upgrading to El Capitan?
Here's the scenario I'm running into so far: Mac had FileVault 2 successfully deployed and encrypted via Casper using deferred enablement while running 10.10.x. Mac is then upgraded to 10.11.0. FileVault 2 is disabled via System Preferences and is allowed to fully decrypt. Running "fdesetup status" shows the following.
FileVault is Off.
FileVault master keychain appears to be installed.
Deferred enablement appears to be active for user 'username'.
And "fdesetup showdeferralinfo" shows this.
{
    AskAtUserLoginMaxBypassValue = 0;
    CertPath = stdin;
    Certificate = <CERTIFICATEINFOGOESHERE>;
    Defer = 1;
    DontAskAtUserLogout = 1;
    OutputPath = "/Library/Application Support/JAMF/run/file_vault_2_recovery_key.xml";
    Usernames = (
        "username"
    );
}
These results should imply that when this username logs back in, it should prompt them to enable FileVault 2, which it does not...
I've run "fdesetup disable" and have confirmed that the status and showdeferralinfo commands show that FileVault is off and no deferral is set. I've then run the same FileVault 2 policy that we currently use with Yosemite and the deferred user continues to log in without a prompt after multiple reboots.
So far I've replicated this behavior on two Macs. I will be testing initial deferred FileVault 2 deployment to a freshly imaged 10.11 machine once I have an image prepared.
Has anyone else seen something like this with El Cap yet?
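
The state described in this post (FileVault off while a deferral is still recorded for a user) can be flagged on managed Macs by classifying the text of `fdesetup status`. This is an added example, not part of the original post: the function names and state labels are hypothetical, and the sample text is constructed from the output quoted above.

```shell
#!/bin/bash
# Added example, not from the original post. Function names and state labels
# are hypothetical; the matched phrases are the ones quoted in the post, plus
# the "FileVault is On." line that fdesetup prints for an encrypted volume.

# Classify the text printed by `fdesetup status`.
# Prints one of: on | off | off-deferral-pending | unknown
classify_fv_status() {
    _text=$1
    _state=unknown
    case $_text in
        *"FileVault is On."*)  _state=on ;;
        *"FileVault is Off."*) _state=off ;;
    esac
    case $_text in
        *"Deferred enablement appears to be active"*)
            # Off with a deferral still recorded: the named user should be
            # prompted at next login. If this state persists after that user
            # has logged in, the deferral is not being honoured.
            if [ "$_state" = off ]; then _state=off-deferral-pending; fi ;;
    esac
    printf '%s\n' "$_state"
}

# Print the user named in the deferral line, or nothing if there is none.
deferred_user() {
    printf '%s\n' "$1" |
        sed -n "s/.*Deferred enablement appears to be active for user '\([^']*\)'.*/\1/p"
}

# Constructed sample, copied from the status output quoted in the post.
SAMPLE_STATUS="FileVault is Off.
FileVault master keychain appears to be installed.
Deferred enablement appears to be active for user 'username'."

echo "sample: $(classify_fv_status "$SAMPLE_STATUS") ($(deferred_user "$SAMPLE_STATUS"))"

# On a Mac, classify the live output as well.
if command -v fdesetup >/dev/null 2>&1; then
    live=$(fdesetup status 2>/dev/null)
    echo "live: $(classify_fv_status "$live") ($(deferred_user "$live"))"
fi
```

A machine that keeps reporting `off-deferral-pending` across logins of the named user matches the behavior described in the post.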
