Looking for some guidance with Jamf Pro - PreStage Enrollment and FileVault.
The issue:
- In PreStage, we pre-create and hide a local admin account.
- During setup, the workflow prompts for end-user account creation.
- FileVault is enabled immediately after the user account is created and the user logs in for the first time.
- As a result, only the end user is added to FileVault; the local admin account is left out of the FileVault-enabled users list.
I haven’t found a way to ensure the local admin is automatically included in FV2 during enrollment.
Should this be configured differently in PreStage, or would scripting the local admin addition after FileVault is enabled be the right approach?
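For the scripted route asked about above, here is an added example (not from the thread, and not Jamf's own code) of what a post-enrollment policy script could look like. It assumes macOS with `fdesetup`, that it runs as root (for instance as a Jamf policy with the credentials passed as script parameters), and that the authenticating credential is the FileVault-enabled end user's password; the account and secret values are placeholders. Authenticating with the Personal Recovery Key instead of a user password is shown as an option but is an assumption about your macOS version's `fdesetup`, so check `man fdesetup` before relying on it.

```shell
#!/bin/bash
# Added example, not from the thread or Jamf: add the hidden PreStage local
# admin to FileVault after the end user has enabled it. Assumes macOS with
# fdesetup, running as root (e.g. from a Jamf policy); account names and
# secrets are placeholders supplied by the caller.
set -eu

# Escape a value for use inside a plist <string> element, so a password
# containing &, < or > cannot break the XML fdesetup parses.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the input plist that `fdesetup add -inputplist` reads from stdin.
#   $1  authenticating FileVault-enabled user (the end user); leave empty to
#       authenticate with the Personal Recovery Key instead (assumption: your
#       macOS version's fdesetup accepts the PRK as Password without a
#       Username key; confirm in `man fdesetup`)
#   $2  that user's password, or the PRK
#   $3  account to add (the hidden local admin)
#   $4  its password
build_add_plist() {
  local auth_user="$1" auth_secret="$2" add_user="$3" add_pass="$4"
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
  printf '<plist version="1.0">\n<dict>\n'
  if [ -n "$auth_user" ]; then
    printf '  <key>Username</key>\n  <string>%s</string>\n' "$(xml_escape "$auth_user")"
  fi
  printf '  <key>Password</key>\n  <string>%s</string>\n' "$(xml_escape "$auth_secret")"
  printf '  <key>AdditionalUsers</key>\n  <array>\n    <dict>\n'
  printf '      <key>Username</key>\n      <string>%s</string>\n' "$(xml_escape "$add_user")"
  printf '      <key>Password</key>\n      <string>%s</string>\n' "$(xml_escape "$add_pass")"
  printf '    </dict>\n  </array>\n'
  printf '</dict>\n</plist>\n'
}

# True if the account already appears in `fdesetup list` (one "user,UUID"
# line per FileVault-enabled user).
fv_user_enabled() {
  fdesetup list | cut -d, -f1 | grep -Fx -- "$1" >/dev/null
}

# Idempotent: add the account only if it is not yet enabled, feed the plist
# over stdin so no secret shows up in `ps`, then verify with `fdesetup list`.
add_admin_to_filevault() {
  local auth_user="$1" auth_secret="$2" add_user="$3" add_pass="$4"
  if fv_user_enabled "$add_user"; then
    echo "$add_user is already a FileVault-enabled user"
    return 0
  fi
  build_add_plist "$auth_user" "$auth_secret" "$add_user" "$add_pass" \
    | fdesetup add -inputplist
  if fv_user_enabled "$add_user"; then
    echo "$add_user added to FileVault"
  else
    echo "fdesetup add ran but $add_user is still not enabled" >&2
    return 1
  fi
}

# Jamf passes script parameters in as $4 onward: auth user (blank for the
# PRK), auth secret, account to add, its password. Runs only when given.
if [ $# -ge 7 ]; then
  add_admin_to_filevault "$4" "$5" "$6" "$7"
fi
```

Whichever credential you authenticate with, the policy still needs a secret at run time, which is the same trust problem the thread is discussing: if you feed it the escrowed PRK, treat the Jamf script parameters as sensitive and rotate the PRK afterwards; if you feed it the end user's password, you need a prompt or a user-driven trigger rather than a silent policy.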
Can I ask the reason why this is needed? Are you escrowing the FV key into jamf? If so, then that’s all you need. A break-glass account should have steps to be used (e.g.: unlocking the drive via key so it can boot).
Yeah, it’s more of an extra layer of security. We do have the PRKs escrowed in Jamf, but if one record gets deleted by mistake, that key is gone. I’ll take your reply as the solution, but I’m still not 100% sure we want to rely solely on the recovery keys.
And yes, it works fine if we log in to the local admin at least once. I guess the goal was to rely on the hidden local admin account created by PreStage and ship to the user directly without ever logging in as the admin.
I mean that’s what we did. We also scraped the data being sent back to jamf and extracted the FV key and set our “local admin” account to use the FV key as the password. This was the LAPS solution we had before jamf had theirs.