You don't want to enable FV in the prestage. The best practice is to target your FV configuration to all devices, and set your exclusions. The Config Profiles to enable FV will be on the device before the user can log in. Generally speaking, delivering Config Profiles via prestage is only for very specific use cases.
If I remember correctly, macOS 15 added some functions to enable FV at enrollment, but I have not played with that yet.
Got reminded that the enable with a prestage config profile was for macOS 14.4 and later - these systems got sent out from our Service Desk with 14.1 and 14.3. I'll probably change it back to my original profile because them guys can't be trusted to do the simple things. Up until now I hadn't run into this issue because they had been sending machines out with 14.7.
@Jason33 Setting the minimum macOS version for enrollment in your PreStage might be worth investigating although you need to be starting with 14.6 on a machine for it to work reliably. For Macs that don't process the minimum OS version for enrollment option I use Smart Groups to scope what enrollment policy runs so one running something lower than our minimum macOS ends up running erase-install to re-image with the minimum.
@AJPinto macOS Sonoma 14.0 introduced FV enablement during Setup Assistant enrollment (to clarify @Jason33's comment about it being added in 14.4, that was when it started working for standard users). Having an all devices scoped Configuration Profile also included in the PreStage Profiles list is just a belt-and-suspenders approach to ensuring FV will be enabled on initial user login.
@sdagley Yep, I do have the minimum OS version set, but wouldn't have applied for these systems to upgrade. That's a good idea about using eraseinstall as a countermeasure for that though, and something I never thought of. So if you've got a 13.x or 14.x system enrolled, and your minimum is now 14.7.3, or even 15.x, would your EI policy run an erase on the system, or upgrade? I'd have to play around with it, but I do have an EA to check for finished enrollment, and once the system rebooted from an upgrade and checked in, the full set of enrollment policies should kick off.
Thanks for giving me something to tinker around with!!
@Jason33 The enrollment policy triggered by Macs running less than the required macOS version does trigger an erase. Or tries to since on Apple Silicon Macs the user is prompted for credentials and they tend to not enter them.