Persistant FileVault 2 Re-Encryption Prompts

Are you by chance using a Configuration Profile which includes the "Security & Privacy" payload and has the "Require FileVault 2" setting checked? I've never used this payload setting before so I can't say that it would produce the problem that you are seeing, but I feel that it's a question worth asking.

@dwandro92 Good question for sure. I just checked the dozen or so Configuration Profiles and no such payload.

Anyway, after removing the JAMF framework from the test Mac and deleting the machine from the JSS I still get the forced encryption.

Thank you!

It sounds as if it is part of your configuration profiles. I would go through your profiles to see if one of the profiles has an option related to file vault. That could be what is causing your issues.

@CypherCookie Just quintuple-checked my Configuration Profiles and no such profile lurking around with Security & Privacy/FileVault configured.

This is reminding me of the episode of the movie Creepshow called Broken Meteor.

that is really strange. Have you done a check to see what profiles are installed and to see if there are any lurking in the background?

"profiles -C"

that will list all your profiles for you.

For more info do a "man profiles" as it could be a specific user level preference which is causing your issues as well.

PS cool video! :D

Check your profiles again to see if there are any with the Mobility payload configured. There is an option in this payload which configures encryption for cached accounts, which may explain why it's not occuring when you login using your management account.

If that doesn't work, you may want to check for profiles with custom payloads which contain the "DontAllowFDEDisable" key.

Since you mentioned using an Institutional key, check the /Library/Keychains/ folder and see if the FileVaultMaster.keychain file is there. if you can get the drive to stay un-encrypted long enough, remove that file and see if it keeps trying to re-encrypt.

I'd suggest trying it on one of your test Macs in case removing the file causes problems.

Thanks all for the efforts. However I'm still stumped!

On the test Mac that's still enrolled, profiles -C and profiles -P reveal only the single Casper MDM profile.

On the test Mac which I removed the framework from, profiles -C and profiles -P says there are no profiles installed. On this same Mac I also tried @AVmcclint's suggestion of removing the FileVaultMaster.keychain item, and I still got the forced reboot. It seems the individual key is in use anyway because of the way System Preferences/Security & Privacy/FileVault is worded.

I've also hunted through the few profiles I have configured and none have anything at all security related. They're just VPN & Energy Saver etc.

This is crazy!

Probably going to contact my JAMF rep in a few days about this unless something turns up here.

Wow. That is a headscratcher! Since you've removed the JAMF framework and the MDM ... At this point, I'd start looking for LaunchAgents/Daemons that are looking to keep it going even after you've disabled it - as far fetched as that may be. Another possibility could be the EFI partition or Recovery partition? When you created the image, was the master drive already encrypted at the time? Have you zapped the PRAM? Rebuilt the Desktop? Sacrificed live goats? :) I know FileVault doesn't log anything but maybe there's something else triggering it that is writing a log?

OK i have no idea why it took me so long, but under policy's there is an option for file vault disk encryption to be enforced! Have a look through your policy's and see if you have anything there, that i would wager would be where the issue is coming from! :)

@CypherCookie Thank you for the feedback. I'm not seeing any such setting available for FileVault policies, but I do see there is such a setting with Configuration Profiles. However I never used Configuration Profiles to deploy FileVault (I scarcely use Configuration Profiles at all), and "profiles -C" reveals only the Casper MDM profile on my own Mac. I also deleted the policy a few days ago. :-)

I'll take this up with my TAM in a couple of weeks. I'm getting married this weekend and I'm going to be off the grid for a few days. :-)

Speaking from a distant galaxy, using old school techniques, may I suggest:

1. copy and paste each and every item that has been tried or suggested in this thread to a PAGES document with optional screenshots. 1a. number each section, so that we know 1b. screenshots 1c. link (URL or file pathname)
2. double check each item one more time, if thats technically possible

---------- okay, now suppose the error is unsolved -----

1. at this point, we can be thinking you've been scientifically thorough as you know how
2. and its safe to order out for pizza for some really deep pizza consultation with your JAMF Nation and JAMF rep.

I did reach out to my JAMF TAM and he suggested working with fdesetup disable, which eventually worked.

it seems "fdesetup disable" did work, but not as one might expect: On one of the test Macs I issued the "fdesetup disable" command and it would not take the password I had recorded, nor any other password I may have used. I tried multiple times. I then tried to enable the Institutional key with "fdesetup enable -keychain" but I received a message saying that FileVault was busy. I didn't at first realize that FileVault disabled anyway. I finally moved my eyeballs over to the FileVault pane in System Preferences and saw that it was now off.

I gave the Mac a reboot and sure enough no more encryption prompt.

More testing will have to wait until I return from honeymoon.

OK I thought the Ghost of Christmas Past just paid me a visit:

On a differnet test Mac from the one above, where I had also been testing FileVault and had disabled FileVault, I started to get the prompt to re-enable encryption. I would only get the prompt when I was trying to log in to the user account I was using when testing the FileVault policies. This started a few days ago and I just ignored it until now.

However by chance the update to 10.11.4 applied and after the reboot no more prompt to enable FileVault when I log in to that account.

I still had the other test system that I had also been using when I started this thread and was able to recreate the same set of events. I had removed it from the JSS however.
1. Disable FileVault, reboot and log into the user account I was using for testing and I would get the prompt.
2. Log in to a different user account and no prompt.
3. Test with 2-3 more reboots and confirm the behavior.
4. Apply the 10.11.4 update and viola, no more prompt.

There's mention of tinkering with FileVault on this page about the 10.11.4 update, but nothing specific to this issue:

I have experienced this before, here is my process for resolving (use at your own risk):

• Remove computer from JSS
• Remove Jamf Framework from computer /usr/local/bin/jamf removeFramework
• Turn off FileVault2 on computer, reboot when prompted
• Boot to single user mode then remove /Library/Keychains/FileVaultMaster.keychain
• While still in single user mode clear caches rm -Rf /Library/Caches/ and rm -Rf /System/Library/Caches/
• Shutdown
• Power on and clear PRAM -- cmd+option+p+r

So I had the same issue you did after removing from JAMF and manually turning off the file vault. For every boot after, please enable the file vault.  This is all on a Monterey System.

I ssh'd into the system and checked "fdesetup disable, " which said the file vault was disabled.

I took a beat from @jgalante and in the 4th line while logged in remotely I deleted the FileVaultMaster.keychain.  And that solved it for me.  Thank you both!

• Remove the file with, rm -rf /Library/Keychains/FileVaultMaster.keychain