FileVault Policy marked as failed but encryption is enabled successfully

Question

Hi,

I've got an Interesting situation with some random machines that get imaged in Casper 9.82, OS X 10.11.3.

There is a separate policy configured with the trigger enrollment complete, to deploy our FileVault configuration with an Institutional Recovery Key. I discovered that this policy fails sometimes according to the policy result.

However after checking the affected machine I see that the encryption is enabled successfully so I'm not sure why this results in a failure.

The log results for a successful run is normally like this:

Executing Policy Configure FileVault 2Fixing Permissions...Fixing ByHost files...Flushing System Caches...Flushing User Caches...Verifying Disk mounted at '/'Result of disk verification:Started file system verification on disk0s2 Macintosh HDVerifying file systemUsing live modePerforming live verificationChecking Journaled HFS Plus volumeChecking extents overflow fileChecking multi-linked filesChecking catalog hierarchyChecking extended attributes fileThe volume Macintosh HD appears to be OKFile system check exit code is 0Finished file system verification on disk0s2 Macintosh HDAdding institutional recovery user from keychain.fdesetup: adding user 'local-admin' to FileVault.......................FileVault is Off, but will be enabled after the next restart.

The failed result reports this:

Executing Policy Configure FileVault 2Fixing Permissions...Fixing ByHost files...Flushing System Caches...Flushing User Caches...Verifying Disk mounted at '/'Result of disk verification:Started file system verification on disk1 Macintosh HDVerifying storage systemChecking volumedisk0s2: Scan for Volume Headersdisk0s2: Scan for Disk LabelsLogical Volume Group 69702427-3079-4304-9948-7AF723A84DB0 on 1 devicedisk0s2: Scan for Metadata VolumeLogical Volume Group has a 24 MB Metadata Volume with double redundancyStart scanning metadata for a valid checkpointLoad and verify Segment HeadersLoad and verify Checkpoint PayloadLoad and verify Transaction SegmentLoad and verify Transaction SegmentLoad and verify Transaction SegmentIncorporate 2 newer non-checkpoint transactionsLoad and verify Virtual Address TableLoad and verify Segment Usage TableLoad and verify Metadata SuperblockLoad and verify Logical Volumes B-TreesLogical Volume Group contains 1 Logical VolumeLoad and verify E51CCCFD-9B79-48A3-9F9B-1BA8F5F6954CLoad and verify C9A4354B-7C22-423B-B258-CDE8D9B298EALoad and verify Freespace SummaryLoad and verify Block AccountingLoad and verify Live Virtual AddressesNewest transaction commit checkpoint is validLoad and verify Segment CleaningThe volume 69702427-3079-4304-9948-7AF723A84DB0 appears to be OKStorage system check exit code is 0Verifying file systemUsing live modeFile system check exit code is 0Finished file system verification on disk1 Macintosh HD

So apparently the policy quits logging after the Hard Drive check, sends it back to the JSS, the result is missing crucial "success" information and gives a failure.

Any idea what's going on here?

Thanks in advance!

skeb1ns · Accepted Answer

This problem is resolved as far as I'm concerned, there is something fishy going on with the enrollementComplete trigger that is specified in my first boot script. This trigger works fine but isn't updating the policy results in Casper, which results in all enrollment policies running twice.

Not a big of a deal .

mikeh · Answer

By any chance, are the storage systems on the failed systems Fusion Drives?

The error message you posted looks exactly like the log from Disk Utility when it verifies a Fusion Drive.

[edit] The only reason I mention this is that I wonder if preparing Fusion Drives for File Vault might need extra steps. We just done done with an institutional-wide roll-out of FV2 on laptops. We didn't run into Fusion Drives, naturally, but that's my initial suspicion.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded