Skip to main content

Hello,



I need your help because Filevault will drive me crazy.



We have about 1300 Macs (10.11.x to 10.14.x)



We have only AD accounts (without admin permissions) and the only local admin account is the one that is using for Jamf management



FileVault is not enabled and the only Secure Token account existing on MacOS 10.13.4+ is le Jamf management account.



I need to be able to enable FileVault and make it as silently as possible to the end user.



I read dozens of documentations including :



FileVault-on-macOS-10.14-or-Later



FileVault-on-macOS-10.11-10.12



But I can not do anything ...
Errors, FileVault not enabled, ...



Please, can you point me to the best way to proceed.



Thank you for your help

Check out some of the updates regarding secureToken and Filevault in this article: https://travellingtechguy.eu/mojave-10-14-2-and-secure-tokens-it-works/

Hello,
Thank you for your reply,



Indeed, I already read this article (very interesting).
Today I have positions of which the only Secure Token account existing on MacOS 10.13.4+ is le Jamf management account.



The rest are AD accounts, so do not have a Secure Token.
As I understand it, Enable Filevault for the Account Management does not work or is not recommended.



Therefore, how can I do without having to physically switch to all computers to create another local account ?



It seems very complicated to me ...



Thanks

Does th emanagement account have a secure token??
if you run: sysadminctl -secureTokenStatus username_goes_here



And it indeed does have a secure token, I can help you with a script that will enable filevault without administrartor intervention?

Hello @kerouak ak



Thank you for taking the time to respond.
Yes, I confirm that my Jamf management account is Secure Token (I had created an extension attribute to put Secure Token accounts on 10.13.4+ computers).



I am interested in your solution if it does not take you too much time to share your script.



Thank you,

drop me an email and I'll send you details
r.mcandrew@arts.ac.uk

Thanks for your help and thanks @kerouak, your script works very well.



Now I just have to validate with my hierarchy the fact of temporarily having the admin account password in clear in order to set up this workflow.
But if there are no other solutions, I think we will have no choice.



Thanks

@glpi-ios can you post the script ? You do not have to do password in clear text - you can use encrypted strings - https://github.com/jamf/Encrypted-Script-Parameters

@bwiessner it's not in the script, it's in the JSS

@bwiessner The script belongs to @kerouak , I prefer that it is him who makes public the script if it considers necessary.



In fact, the script generates a .plist file in /private/tmp for a few seconds which contains in clear the admin login and password

Terms & ConditionsCookie settings