Macs with T2 chip reporting as "FileVault Enabled" out of box.

For what it's worth, I've created this Extension Attribute to determine if an iBridge is present. From there, a Smart Group could be created, against which a more aggressive FileVault policy could be scoped:

#!/bin/bash

IBRIDGE="$(/usr/sbin/system_profiler SPiBridgeDataType | /usr/bin/grep 'Model Name')"

if [[ "${IBRIDGE}" == "" ]] ; 
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${IBRIDGE}</result>"
fi

exit 0

Script will return "None" for Macs with no iBridge, "Model Name: Apple T1 chip" for Macs with a T1 chip (such as the 2016/2017 MacBook Pro with TouchID), or "Model Name: Apple T2 chip" for Macs with a T2 chip (such as the 2018 MacBook Pro). EDIT: see @brunerd's post below, return values may be different depending on language localization and OS version.

(edit: removed duplicate post)

We're also adapting to this change.

Thanks for the EA! It's a good start, but ideally Jamf will use a different mechanism when detecting "FileVault 2 Partition Encryption State", given that this title is no longer accurate for T2 Macs.

I think they are aware of the issue, my Jamf rep asked for more details in reference to PI-006109.

I was able to find @rtrouton 's Extension Attribute that detects APFS Encryption Status. This appears to be a decent value to base our policies on for T2 equipped Macs.

An observation about the SPiBridgeDataType in system profiler: it will localize the word "chip"
So don't get too specific in your Smart Group criteria, like "T2" will suffice.

Also sorta interesting is that 2016 MacBook Pros with Touch ID will report "iBridge" in 10.12 but "Apple T1 chip" in 10.13... I guess they realized they needed snappier branding that ditched the "i" going forward.

As for the EA, it works well enough for now for me, to say if they have a "T2" yet the Filevault Key Validation is "Unknown" then they are not encrypted. I really didn't want to add another EA for encryption status, I'm hoping it can just be a part of JSS 10.6.1 🙏

Thanks @brunerd, good to know about localization and the different values returned by Sierra vs. High Sierra. I agree that having the Smart Group to do a "like" match for just the "T2" substring makes sense. Using "Filevault Key Validation" is a neat trick, for my environment we already had another EA that returns the value of fdesetup status so I just looked for a match of "FileVault is Off" to get my list of unencrypted devices.

@brunerd you're just checking that they don't have a filevault key (personal or institutional) AND have a T2 (iBridge)? Right?

I had a whole post about how I'd gotten a new T2 laptop to test with, then it turns out the tech who gave it to me, gave me a "Brand New" MacbookPro 2017 (fresh outta the cellophane from CDW) and I wasn't seeing that it was showing as encrypted out of the box... but then yeah it was a macbookpro14,2 not a macbookpro15,2 or 1 – DOH!

@cwaldrip Right - I have a Smart Group matching if they have a T2 and their Encryption Key (we only use Personal) is Unknown