Skip to main content
Solved

Random FileVault enablement failures

  • January 29, 2025
  • 5 replies
  • 42 views
Jason33
Forum|alt.badge.img+13

I've got a profile added to my prestage to enable FileVault during enrollment, and for random systems, it seems to be failing to turn on FileVault. The profile is installed on the system, but the key is Unknown and FileVault 2 status is Not Enabled. These machines have all been on macOS 14.x (few with 14.1, few with 14.3). The weirdest one of all though, is a system with 13.7.3 enrolled, got the profile deployed, and FileVault enabled and key escrowed to Jamf. I doublechecked and confirmed the documentation states this is for macOS 14.0 or later. Anyone else seeing anything similar? My environment is running 11.12.1.

I could rip out that profile from one system and then deploy the previous profile that I was using to enable at first login (I confirmed that both profiles are not on the systems affected).

Also of note - users are FileVault2 Enabled, and have SecureToken issued. I also checked the PI's and didnt see anything that sounded similar to this.

Best answer by sdagley

@Jason33 Setting the minimum macOS version for enrollment in your PreStage might be worth investigating although you need to be starting with 14.6 on a machine for it to work reliably. For Macs that don't process the minimum OS version for enrollment option I use Smart Groups to scope what enrollment policy runs so one running something lower than our minimum macOS ends up running erase-install to re-image with the minimum.

@AJPinto macOS Sonoma 14.0 introduced FV enablement during Setup Assistant enrollment (to clarify @Jason33 's comment about it being added in 14.4 that was when it started working for standard users). Having an all devices scoped Configuration Profile also included in the PreStage Profiles list is just a belt and suspenders approach to ensuring FV will be enabled on initial user login.

    5 replies

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • January 29, 2025

    You dont want to enable FV in the prestage. The best pratice is to target your FV configuration to all devices, and set your exclusions. The Config Profiles to enable FV will be on the device before the user can log in. Generally speaking deliveringConfig Profiles via pretage is only for very specific use cases.

     

    If I remeber correctly macOS 15 added some functions to enable FV at enrollment, but I have not played with that yet.

    Jason33
    Forum|alt.badge.img+13
    • Jason33
    • Author
    • Honored Contributor
    • January 29, 2025

    Got reminded that the enable with a prestage config profile was for macOS 14.4 and later - these systems got sent out from our Service Desk with 14.1 and 14.3. I'll probably change it back to my original profile because them guys cant be trusted to do the simple things. Up until now I hadnt run into this issue because they had been sending machines out with 14.7. 

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • Answer
    • January 30, 2025

    @Jason33 Setting the minimum macOS version for enrollment in your PreStage might be worth investigating although you need to be starting with 14.6 on a machine for it to work reliably. For Macs that don't process the minimum OS version for enrollment option I use Smart Groups to scope what enrollment policy runs so one running something lower than our minimum macOS ends up running erase-install to re-image with the minimum.

    @AJPinto macOS Sonoma 14.0 introduced FV enablement during Setup Assistant enrollment (to clarify @Jason33 's comment about it being added in 14.4 that was when it started working for standard users). Having an all devices scoped Configuration Profile also included in the PreStage Profiles list is just a belt and suspenders approach to ensuring FV will be enabled on initial user login.

    Jason33
    Jason33
    Forum|alt.badge.img+13
    • Jason33
    • Author
    • Honored Contributor
    • January 30, 2025

    @Jason33 Setting the minimum macOS version for enrollment in your PreStage might be worth investigating although you need to be starting with 14.6 on a machine for it to work reliably. For Macs that don't process the minimum OS version for enrollment option I use Smart Groups to scope what enrollment policy runs so one running something lower than our minimum macOS ends up running erase-install to re-image with the minimum.

    @AJPinto macOS Sonoma 14.0 introduced FV enablement during Setup Assistant enrollment (to clarify @Jason33 's comment about it being added in 14.4 that was when it started working for standard users). Having an all devices scoped Configuration Profile also included in the PreStage Profiles list is just a belt and suspenders approach to ensuring FV will be enabled on initial user login.


    @sdagley Yep, I do have the minimum OS version set, but wouldnt have applied for these systems to upgrade. Thats a good idea about using eraseinstall as a counter measure for that though, and something I never thought of. So if you've got a 13.x or 14.x system enrolled, and your minimum is now 14.7.3, or even 15.x, would your EI policy run an erase on the system, or upgrade? I'd have to play around with it, but I do have an EA to check for finished enrollment, and once the system rebooted from an upgrade and checked in, the full set of enrollment policies should kick off.

    Thanks for giving me something to tinker around with!!

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • January 30, 2025

    @sdagley Yep, I do have the minimum OS version set, but wouldnt have applied for these systems to upgrade. Thats a good idea about using eraseinstall as a counter measure for that though, and something I never thought of. So if you've got a 13.x or 14.x system enrolled, and your minimum is now 14.7.3, or even 15.x, would your EI policy run an erase on the system, or upgrade? I'd have to play around with it, but I do have an EA to check for finished enrollment, and once the system rebooted from an upgrade and checked in, the full set of enrollment policies should kick off.

    Thanks for giving me something to tinker around with!!


    @Jason33 The enrollment policy triggered by Macs running less than the required macOS version does trigger an erase. Or tries to since on Apple Silicon Macs the user is prompted for credentials and they tend to not enter them.

    Terms & ConditionsCookie settingsAccessibility statement