Question

No more zero touch with Catalina if you use FV

  • June 17, 2019
  • 22 replies
  • 43 views


I just found this...

"In order to prevent attackers enabling FileVault with a secret key via fdesetup, a possible avenue for a ransomware attack, Apple have introduced a new prompt that requires user approval before FileVault can be used to encrypt the drive programmatically."

From...

https://www.sentinelone.com/blog/7-big-security-surprises-coming-to-macos-10-15-catalina/

And in my testing I am seeing the prompt twice: once when fdesetup is set to defer and once when the user enables.

C


talkingmoose
  • Community Manager
  • June 17, 2019

I haven't reviewed these new security features in Catalina, but the prompt in the screenshot looks very much like PPPC. If that's the case, Jamf Pro will likely include those new security settings in its PPPC Configuration Profile payload for the release of Catalina.


  • Valued Contributor
  • June 17, 2019

There's not a lot you can do these days that doesn't involve a user having to say yes. They might as well just remove MDM/enterprise features and just let people do what they want.



ThijsX
  • Employee
  • June 17, 2019

Hmm, I read here and there that profile-based enablement of FV will not be affected, but FDESETUP through the CLI will not accept a blank password/username anymore, or something like that.


  • Valued Contributor
  • June 17, 2019

@txhaflaire I thought that was the case already with Mojave anyway. It's certainly what I've seen if you want to apply a securetoken to a new or existing user via the cmd (if you don't know the user's password).


sdagley
  • Jamf Heroes
  • June 17, 2019

@allanp81 I'm taking the optimistic view like @talkingmoose and expect we'll have a way to approve it via Configuration Profile. If not, there are ways to "encourage" your users to approve the things required to make a Mac meet your compliance requirements with scaling levels of subtlety.


  • Author
  • Honored Contributor
  • June 17, 2019

In my testing and in what I have read, using a profile still uses fdesetup and there is no workaround. I think our security team and onsite teams would laugh me out of the room if I suggested deploying machines unencrypted and then "encouraging" users to encrypt later. In fact, we auto wipe our machines if the FV key isn't reported back to Jamf after enrollment.

C


  • Valued Contributor
  • June 18, 2019

From what I've seen, using a profile does not trigger the prompt.


  • Author
  • Honored Contributor
  • June 18, 2019

@Chris

What build of Catalina?

C


  • Valued Contributor
  • June 18, 2019

19A471t, haven't tried the latest one yet


  • Author
  • Honored Contributor
  • June 18, 2019

@Chris

Strange... I tested on the same build and I am seeing the same with yesterday's build.

C


  • Valued Contributor
  • June 18, 2019

Maybe you still have an FV deferral active on your testbox that was created by fdesetup before you applied the profile?
Try

sudo fdesetup disable

and re-apply the profile?
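The suggestion above boils down to checking whether a stale fdesetup deferral is still pending before the profile is re-applied. The script below is an added example, not Chris's or Jamf's code: it classifies `fdesetup status` output and maps each state to the next step. It assumes fdesetup prints "FileVault is On." or "FileVault is Off." and, when a deferred enablement is pending, a line beginning "Deferred enablement appears to be active"; the sample strings are constructed for offline use and the hypothetical user name in them is made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies `fdesetup status` output so an
# enrollment script can tell an encrypted Mac, an unencrypted Mac, and a Mac with a
# stale fdesetup deferral apart before a FileVault profile is (re)applied.
# Assumption: fdesetup prints "FileVault is On." / "FileVault is Off." and, when a
# deferred enablement is pending, "Deferred enablement appears to be active for user '...'."

# Constructed sample outputs for offline testing (not captured from a real Mac).
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'labadmin'."

# fv_state: reads fdesetup status text on stdin, prints one of on | deferred | off | unknown.
# The deferral line is checked first because it only ever accompanies "FileVault is Off."
fv_state() {
  _status=$(cat)
  case "$_status" in
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"FileVault is On"*) echo on ;;
    *"FileVault is Off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# fv_recommend: maps a state word to the next step suggested in the post above.
fv_recommend() {
  case "$1" in
    on)       echo "encrypted: nothing to do" ;;
    deferred) echo "stale deferral: run 'sudo fdesetup disable', then re-apply the FileVault profile" ;;
    off)      echo "unencrypted, no deferral: apply the FileVault profile and verify after next login" ;;
    *)        echo "unrecognised fdesetup output: inspect manually" ;;
  esac
}

# Stand-alone run: on a Mac, check the live state; elsewhere, walk the constructed samples.
if command -v fdesetup >/dev/null 2>&1; then
  state=$(fdesetup status | fv_state)
  echo "live: $state -> $(fv_recommend "$state")"
else
  for s in "$SAMPLE_ON" "$SAMPLE_OFF" "$SAMPLE_DEFERRED"; do
    state=$(printf '%s\n' "$s" | fv_state)
    echo "sample: $state -> $(fv_recommend "$state")"
  done
fi
```

Running it as a pre-check in an enrollment workflow (before the profile is pushed, or as a Jamf extension attribute feeding the state word back) makes the "deferral left over from a policy" case visible instead of showing up later as an unexplained second prompt.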


  • Contributor
  • July 24, 2019

I pulled the policy that was setting the FV on and I'm only relying on the Config Profile. The problem I have now is, at logout, it requires the user to put in their password before FV is enabled. The user can hit cancel and FV will be off.

So I finally typed my password and now the screen is just blank, which I'm assuming is the FV encrypting the drive. Users will not find this beneficial and will force a hard boot.


  • Author
  • Honored Contributor
  • August 12, 2019

The current beta resolved my issue..


ThijsX
  • Employee
  • August 12, 2019

@gachowski With a profile it works now? please describe :)


scottb
  • Valued Contributor
  • August 12, 2019

@gachowski - I'm in the beta as well...just getting rolling. Are you just using the simple built-in for FV testing here?


  • Author
  • Honored Contributor
  • August 14, 2019

Yep, I tested both the profile and the built-in policy and both worked. That said, I have been out since after it was released so I don't have the best memory... working on a different issue today, but hopefully I can get back to testing FV tomorrow.

C


  • Valued Contributor
  • August 14, 2019

Unfortunately for me, working with non-IT managers, they still want us sitting with the users while going through the DEP process. Kinda defeats the purpose of DEP but clicking through login prompts is easy.


  • Honored Contributor
  • August 15, 2019

Tested a clean install of beta 5 today in a VM. Did not prompt for FV2 and it applied like it should for me.



@tlarkin , I have a script that I use to fix the Secure Tokens for our IT-Admin type account and it ATTEMPTS to activate FV, but it never succeeded in being zero touch in Catalina OR Mojave--the user would get caught by our configuration profile fall-back where they have to input their password on the first restart.

This, although annoying, worked okay for Mojave, but while the profile fires on Catalina for me, and I put in my password, the drive doesn't actually encrypt, so now none of my methods are working.

Would you mind sharing the script/method you're using to enable FV2 for Catalina (and earlier) via Profile? I would greatly appreciate it!


  • Honored Contributor
  • September 30, 2019

I am just using the config profile to force FV2 to be enabled and enforced at next boot. That is it. Then in my DEP Notify workflow the last thing I do is apply all OS and security patches and force a reboot. User reboots, logs in and is prompted to enable FV2. That is all I am doing.


  • Contributor
  • November 18, 2019

I'm seeing the same behaviour as @Chris, using a profile prompts users in the same way it always has - Ask for password once.