
We have a bunch of old non-DEP Macs that when we install HS 10.13.1, we are unable to kick off FileVault through any policy. It tells us it's going to do it but never does. The policy completes successfully and in the history we get: FileVault is Off.
Deferred enablement appears to be active for user 'someuser'.
<<<<Begin Policy>>>>
Disk Encryption
Action
Action to take on computers
<Apply Disk Encryption Configuration>

Disk Encryption Configuration
Disk encryption configuration to use to enable FileVault 2
<FileVault>

Require FileVault 2
Require users to enable FileVault 2 based on one of the following events
<At next login>

Thanks

@rcorbin I'm just getting around to testing FV and so far it's working for me with 10.13.4.

Our prestage adds an admin account but skips all screens possible. We enable FV via a policy scoped to all computers that need FV that aren't already enabled. It's set to run at startup and checkin/ongoing. Policy is setting a disk encryption payload that requires FV2 at next login. Techs are prompted that FV must be enabled.

I confirmed our admin user that is created via prestage has a secure token via the sysadminctl command above. I tested logging in with an AD user, and I got the 10.13.4 securetoken prompt "Enter a securetoken administrator's name and password to allow this mobile account to login at startup time." Tech enters our admin account credentials and then that account can log in at startup. I confirmed this AD user has a securetoken & there's a FV recovery key in JSS. If the technician clicks bypass at that prompt, no securetoken is given and that user cannot log in at startup, but they can be enabled via the system prefs - security - FV screen.

FileVault does take such a long time to enable on APFS though, what a mess.
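
The policy history quoted in the first post is the text `fdesetup status` prints when a deferred enablement is queued but has not fired. As an added example (not code from either poster), this script classifies that output so a check-in script can flag Macs where the policy "completed" but the disk is still unencrypted. The function names are hypothetical, and the status strings other than the two lines quoted in the thread are assumed.

```shell
#!/bin/sh
# Added example: classify `fdesetup status` text so a check-in script or
# inventory attribute can flag Macs where the policy ran but FileVault is
# still off. Only the "Off" + "Deferred enablement" lines come from the
# thread; the other status strings are assumed.

classify_fv_status() {
    # $1 = full text printed by `fdesetup status`
    status_text=$1
    case $status_text in
        *"Encryption in progress"*) echo "encrypting" ;;
        *"Decryption in progress"*) echo "decrypting" ;;
        *"FileVault is On"*)        echo "on" ;;
        *"FileVault is Off"*)
            case $status_text in
                *"Deferred enablement appears to be active"*)
                    echo "deferred-pending" ;;
                *)  echo "off" ;;
            esac ;;
        *) echo "unknown" ;;
    esac
}

deferred_user() {
    # Print the user named in the deferred-enablement line, if any.
    printf '%s\n' "$1" |
        sed -n "s/.*Deferred enablement appears to be active for user '\([^']*\)'.*/\1/p"
}

# Constructed sample matching the policy history quoted in the thread.
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'someuser'."

# Use real output on a Mac (may need root); otherwise use the sample.
if command -v fdesetup >/dev/null 2>&1; then
    current=$(fdesetup status 2>/dev/null)
else
    current=$SAMPLE_DEFERRED
fi
echo "state=$(classify_fv_status "$current") user=$(deferred_user "$current")"
```

A `deferred-pending` result that persists across several check-ins means the named user has not yet completed the login prompt that actually turns encryption on.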