I noticed that rather many of my Mac clients are not FileVault encrypted even though I have configured a configuration that should take care of that. Now I wanted to ask what is the best practice to enable FileVault on all my Macs. As far as I know there is an option to enable it via Policy and one via Configuration Profiles. What is the difference there and what is recommended?
What I do is the following:
Set up a disk encryption in a Config Profiles under ‘Security’ (the certificate will add itself)
In my PreStage, I’ll then add the FileVault profile to the Config Profiles module
I set up Escrow Buddy to capture any machines that have an invalid key or are not escrowed
My configuration profile for FileVault is similar to @Tangentism's. You could run this against your Macs that don’t have FileVault set up via a smart group.
Having it enabled under “Force Enable In Setup Assistant” is nice too for newly onboarded Macs.
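Added example (not code from any poster in this thread, and not Jamf's or Escrow Buddy's own code): a Jamf extension-attribute-style shell script that classifies a Mac's FileVault state from the text `fdesetup status` prints, so the "Macs that don't have FileVault set up" smart group mentioned above can be built on the reported value. The `<result>…</result>` wrapper is the format Jamf extension attributes use; the exact wording of the in-progress lines is assumed from typical `fdesetup status` output, and the parsing is kept in a function that takes the output as an argument so it can be exercised with constructed sample text on any machine.

```sh
#!/bin/sh
# Hypothetical Jamf extension attribute: report FileVault state for smart-group scoping.
# Splitting the parser from the command call lets the logic be tested off a Mac.

# Classify one `fdesetup status` output passed as $1.
# Prints exactly one of: On, Off, Encrypting, Decrypting, Unknown
# (the "in progress" strings are assumed to match what fdesetup prints).
fv_state_from_status() {
    case "$1" in
        *"Encryption in progress"*) echo "Encrypting" ;;
        *"Decryption in progress"*) echo "Decrypting" ;;
        *"FileVault is On."*)       echo "On" ;;
        *"FileVault is Off."*)      echo "Off" ;;
        *)                          echo "Unknown" ;;
    esac
}

# Build the extension attribute result. On a Mac this runs fdesetup;
# anywhere fdesetup is absent it reports Unknown instead of failing.
filevault_ea_result() {
    if command -v fdesetup >/dev/null 2>&1; then
        state=$(fv_state_from_status "$(fdesetup status 2>/dev/null)")
    else
        state="Unknown"
    fi
    printf '<result>%s</result>\n' "$state"
}

filevault_ea_result
```

Scope a smart group on the extension attribute being anything other than `On`, and that group becomes the target for re-checking the configuration profile (and for Escrow Buddy, if you use it) instead of relying on the inventory's FileVault column alone.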
Enabling FileVault across all your Mac clients is crucial for data security, and you're right that there are two primary ways to do it: via a Policy or a Configuration Profile.
I have the same configuration as @Tangentism ! Escrow Buddy saved me from a lot of headaches trying to have all my laptops with a valid key
@JakobHansen don't enable FileVault with a Policy. Using a Policy uses the CLI to enable FileVault, and Apple has deprecated that workflow; it still works, but it is not supported, can stop working at any point, and does not prevent a user from disabling FileVault. Use a Configuration Profile.
Configuration Profile is the easiest method to do encryption at scale and especially with escrow. I almost don’t even think about it anymore since it integrates easily. I would make sure to test your workstation onboarding process for when to best add the configuration profile.
@florent_bailly I’m just curious why use Escrow Buddy at all, doesn’t Jamf support this natively?
@phunkywan It does actually. When I first started using Escrow Buddy it was to correct some curiosity I had in my fleet; my guess is it was related to our migration from Fleetsmith to Jamf Pro: some computers had FileVault enabled but in Jamf I had some irregularities like an invalid key, or FileVault appearing as not encrypted. Escrow Buddy helped me put everything in order quite easily.
There are actually three ways to enable FDE - the last being you’re a Jamf Connect customer ;)
Also, not to add insult to injury, but you can scrape the FV key from a Jamf recon and upload it to whatever/wherever you want. We used this as our “LAPS” password (changed the local admin account password to it), but that’s soon to change when we implement Jamf LAPS.