FileVault Enryption best practice

What I do is the following:

1. Set up a disk encryption in a Config Profiles under ‘Security’ (the certificate will add itself)
2. In my PreStage, I’ll then add the Filevault profile to the Config Profiles module
3. I set up Escrow Buddy to capture any machines that have an invalid key or are not escrowed

My configuration profile for Filevault is similar to ​@Tangentism. 
You could run this against your Macs that don’t have Filevault setup via a smart group. 

Have it Enabled at “Force Enable In Setup Assistant” is nice too for new onboarded Macs.

Enabling FileVault across all your Mac clients is crucial for data security, and you're right that there are two primary ways to do it: via a Policy or a Configuration Profile. 

I have the same configuration as ​@Tangentism ! 
Escrow Buddy saved me from a lot of headaches trying to have all my laptops with a valid key 👌🏻

​@JakobHansen dont enable FileVault with a Policy. Using a Policy uses CLI to enable FileVault and apple has deprecated that workflow, it still works but it is not supported and can stop working at any point and does not prevent a user from disabling FileVault. Use a Configuration Profile.

Configuration Profile is the easiest method to do encryption at scale and especially with escrow.  I almost don’t even think about it anymore since it integrates easily.  I would make sure to test your workstation onboarding process for when to best add the configuration profile.  

@florent_bailly I’m just curious why use Escrow Buddy at all, doesn’t Jamf support this natively?

​@phunkywan It does actually. 
When I first started using Escrow Buddy it was to correct some curiosity I had in my fleet, my guess is it was related to our migration from Fleetsmith to Jamf Pro : some computers had FileVault enabled but in Jamf I had some irregularities like unvalid key, or FileVault appearing as not crypted. 
Escrow Buddy helped me put everything in order quite easily 😁

There are actually three ways to enable FDE - the last being you’re a jamf connect customer ;) 

Also, not to add insult to injury, but you can scrape the FV key from a jamf recon and upload it to whatever/wherever you want.  We used this as our “LAPS” password (changed the local admin account password to it)- but that’s soon to change when we implement Jamf LAPS.