Skip to main content
Question

FileVault Problems with Big Sur, jams pro and jams connect

  • September 1, 2021
  • 8 replies
  • 65 views
BookMac
Forum|alt.badge.img+9

Hey guys,

 

we are using jamf pro with jamf connect(we have Azure AD) and all our clients have big sur installed. We are deploying a hiden admin with prestage enrollment. Our users are local users without admin rights. We have configured a configuration profile to activate our macs with filevault. At first we have used the configuration profile with the logout option. But a few macs have problems to activate filevault. I changed to logon. But there are problems too. At first we also have clients were filevault is not activated. And on the other hand filevault is activated but in jamf are no keys visible and there are not the same entries under filevault. In my opinion it looks random if it works or not. When filevault is not activated we reinstall the mac.

Since this week I figured out that if I add a new configuration profile for filevault, jamf is adding a certificate payload in this profile. On my first configuration profile was nothing like that.

May someone help me or give me a hint. We are using jamf pro since may and I don’t have much experience with jamf. I read some articles here and found threads with secure token and bootstrap token but my experience is also zero there. 😞

Where can I find some useful logs or a best practice to use filevault?

 

Cheers from germany

    8 replies

    S
    Forum|alt.badge.img
    • Smithamborough
    • New Contributor
    • September 2, 2021

    Additional login prompts for users—When FileVault is enabled on a computer with macOS 10.15 or earlier, a login screen is displayed before macOS launches via an extensible firmware interface (EFI). This login screen is built-in at the EFI level or a special boot loader in computers with the T2 chip. liteblue The user must enter their FileVault password to unlock the boot drive and launch macOS. Once unlocked, FileVault passes the user's password to the macOS loginwindow application and automatically logs in the user and loads the Finder. 

    A
    • Anonymous
    • September 3, 2021

    Hi @BookMac

    on my experience, it is not possible to auto-enable other users to FileVault. We had the same situation and created a visible and a hidden local administrator on our Macs but it was not possible to give them permission to FileVault with a policy or other methods. There is an interesting article at this community, telling about a shell script, that seems to solve this issue, but I was not successfull on my tests. (see here: https://www.jamf.com/jamf-nation/discussions/28939/securetoken-for-admin-accounts)
    Regards from Germany, too 😉

    beeboo
    Forum|alt.badge.img+7
    • beeboo
    • Contributor
    • September 8, 2021

    i just got some light confirmation from my TAM/support and we are running into something similar, though not the same

    difference is that our users are admins

     

    While the hidden account gets the secure token, the user created during setupassistant does not hence i have to deploy a script to run in self service that uses applescript and jamfhelper to ask the user to enter their creds.

    Thats the only way i have been getting my users to get FV2 enabled properly.

    Almost assuredly all my new enrollments, even going back a few months, have failed FV2 enablement, and the user has FV2 stuck in deferment

     

    "It looks like we may be running in to an open product issue here - PI-007582. An Apple bug, FB7361976, has also been created in conjunction with this."

    - Jamf support

    BookMac
    Forum|alt.badge.img+9
    • BookMac
    • Author
    • Jamf Heroes
    • September 8, 2021

    i just got some light confirmation from my TAM/support and we are running into something similar, though not the same

    difference is that our users are admins

     

    While the hidden account gets the secure token, the user created during setupassistant does not hence i have to deploy a script to run in self service that uses applescript and jamfhelper to ask the user to enter their creds.

    Thats the only way i have been getting my users to get FV2 enabled properly.

    Almost assuredly all my new enrollments, even going back a few months, have failed FV2 enablement, and the user has FV2 stuck in deferment

     

    "It looks like we may be running in to an open product issue here - PI-007582. An Apple bug, FB7361976, has also been created in conjunction with this."

    - Jamf support


    May you show me your script pls? So if FV2 is not enabled the user has to run the Script in Self Service, the user enters the credentials and then FV2 is enabled or is a reboot necessary?

     

    Cherrs

    beeboo
    Forum|alt.badge.img+7
    • beeboo
    • Contributor
    • September 8, 2021

    May you show me your script pls? So if FV2 is not enabled the user has to run the Script in Self Service, the user enters the credentials and then FV2 is enabled or is a reboot necessary?

     

    Cherrs


    CurrentUser=$(stat -f%Su /dev/console) UIDCurrentUser=$(id -u "$CurrentUser") adminPASS="{enter info here}" jamfHELPERHEADER="{enter info here}" jamfHELPERicon="{enter info here}" jamfHELPERbody2="{enter info here}" popup=`/Library/Application\\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -description "$jamfHELPERbody" -heading "$jamfHELPERHEADER" -icon "$jamfHELPERicon" -button1 "Continue" -defaultButton 1` if [[ "$popup" == "0" ]]; then] #Ask User Password userPassword=$(/bin/launchctl asuser "$UIDCurrentUser" sudo -iu "$CurrentUser" /usr/bin/osascript -e 'Tell application "System Events" to display dialog "Password for user: '${CurrentUser}'" default answer "" with title "{enter info here}" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result') #Enable SecureToken for the CurrentUser and adminUser sysadminctl -adminUser {admin username} -adminPassword $adminPASS -secureTokenOn $CurrentUser -password $userPassword #Notification /Library/Application\\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -description "$jamfHELPERbody2" -button1 "Ok" -icon "$jamfHELPERicon" fi exit 0

     

    Script is in self service in case users feel funky about the pw prompt, so it feels more legit

    user gets prompted for their password using osascript, and osascript will show the current users username so its more personal instead of just asking for a password.

    you may need to add a PPPC profile for osascript/jamfhlper/terminal but thats about it, otherwise they will get a prompt to allow that in Security & Privacy, but thats like a 2 second process at most.

     

    A reboot is ideal with a validation using terminal commands to ensure securetoken is passed off and fdesetup status is ENABLED

    BookMac
    Forum|alt.badge.img+9
    • BookMac
    • Author
    • Jamf Heroes
    • September 21, 2021
    CurrentUser=$(stat -f%Su /dev/console) UIDCurrentUser=$(id -u "$CurrentUser") adminPASS="{enter info here}" jamfHELPERHEADER="{enter info here}" jamfHELPERicon="{enter info here}" jamfHELPERbody2="{enter info here}" popup=`/Library/Application\\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -description "$jamfHELPERbody" -heading "$jamfHELPERHEADER" -icon "$jamfHELPERicon" -button1 "Continue" -defaultButton 1` if [[ "$popup" == "0" ]]; then] #Ask User Password userPassword=$(/bin/launchctl asuser "$UIDCurrentUser" sudo -iu "$CurrentUser" /usr/bin/osascript -e 'Tell application "System Events" to display dialog "Password for user: '${CurrentUser}'" default answer "" with title "{enter info here}" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result') #Enable SecureToken for the CurrentUser and adminUser sysadminctl -adminUser {admin username} -adminPassword $adminPASS -secureTokenOn $CurrentUser -password $userPassword #Notification /Library/Application\\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -description "$jamfHELPERbody2" -button1 "Ok" -icon "$jamfHELPERicon" fi exit 0

     

    Script is in self service in case users feel funky about the pw prompt, so it feels more legit

    user gets prompted for their password using osascript, and osascript will show the current users username so its more personal instead of just asking for a password.

    you may need to add a PPPC profile for osascript/jamfhlper/terminal but thats about it, otherwise they will get a prompt to allow that in Security & Privacy, but thats like a 2 second process at most.

     

    A reboot is ideal with a validation using terminal commands to ensure securetoken is passed off and fdesetup status is ENABLED


    Hi,

    i've tried the script. I've got an error in line 19. And deleted 

    if [[ "$popup" == "0" ]]; then]

    and

    fi

     The Script is running now and i got the popup in self service but in the policy logs i get this:

    Details

     
    [STEP 1 of 5]
    Executing Policy FileVault: Secure Token for Current User
    [STEP 2 of 5]
    Running script FileVault: Secure Token for Current User...
    Script exit code: 0
    Script result: 2021-09-21 10:41:52.676 sysadminctl[732:9014] Operation is not permitted without secure token unlock.
    0
    [STEP 3 of 5]
    [STEP 4 of 5]
    Inventory will be updated when all queued actions in Self Service are complete.
    [STEP 5 of 5]
    beeboo
    Forum|alt.badge.img+7
    • beeboo
    • Contributor
    • September 21, 2021

    Hi,

    i've tried the script. I've got an error in line 19. And deleted 

    if [[ "$popup" == "0" ]]; then]

    and

    fi

     The Script is running now and i got the popup in self service but in the policy logs i get this:

    Details

     
    [STEP 1 of 5]
    Executing Policy FileVault: Secure Token for Current User
    [STEP 2 of 5]
    Running script FileVault: Secure Token for Current User...
    Script exit code: 0
    Script result: 2021-09-21 10:41:52.676 sysadminctl[732:9014] Operation is not permitted without secure token unlock.
    0
    [STEP 3 of 5]
    [STEP 4 of 5]
    Inventory will be updated when all queued actions in Self Service are complete.
    [STEP 5 of 5]

    there's a typo there, 

    then]

    should just be "then"

     

     

    for the admin credentials are you putting in the right credentials and ensuring that the user has a secure token to pass off. 

    BookMac
    Forum|alt.badge.img+9
    • BookMac
    • Author
    • Jamf Heroes
    • September 27, 2021

    thx for the hint with the typo.

    yes the admin user is fv2 user and has a secure token. if i change the line to

    "sysadminctl interactive -secureTokenOn $CurrentUser -password $userPassword"

    a popup appears where i enter the name and the password of the admin and this works but is not silent. 

    Terms & ConditionsCookie settingsAccessibility statement