Jamf Connect and FileVault

warbkhelo
New Contributor

We just rolled out Jamf Connect to a test environment and we're noticing a few things.

If you restart, you don't get the Jamf Connect login window. It wants a user to log in with their password. What is the workaround for this? Is there a way to force user logout after a restart or power outage?

Also, our FileVault settings are set to personal (individual), but Jamf is not recording the key. It says no key present. Any ideas?

I saw a post on Jamf Nation saying the only option is to disable FileVault on computers running Jamf Connect. Is this true?

3 REPLIES

jpmjr
New Contributor

The first PW is to unlock FileVault; there's no way around this, unfortunately, so as we discovered there are 2 logins, but the PWs will sync.

You can reissue the PRK with a script. I think this is the one we use: https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh

It will ask for the user's password, so we put it in Self Service and then set a smart group to track invalid PRKs and assign them the script to run. It works great.

stevewood
Honored Contributor II

It sounds like you do not have FileVault pass-through authentication disabled. In the normal authentication flow on a device encrypted by FileVault, the user is presented with the FileVault login window to unlock the drive, and then FileVault passes that authentication to macOS to log in to the operating system. On a system with Jamf Connect, if this is not disabled, they will never see the Jamf Connect login window unless they log out of the system. You can disable pass-through authentication by sending a configuration profile with:

Domain: com.apple.loginwindow

Key: DisableFDEAutoLogin

Value: True


As far as the PRK being escrowed, you have to have a configuration profile in place to escrow the key before FileVault is enabled. If you do not, then you will have to change the recovery key on the machines after the profile is in place. The profile only needs the "Escrow Personal Recovery Key" keys in the Security and Privacy payload. The "Certificate" payload is auto-configured when you save the profile.

[Screenshot attachment: CleanShot 2022-09-12 at 09.12.07.png]

Once you have that in place, you can use a script like the reissueKey.sh script to prompt users to change the Personal Recovery Key.
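As an added example (not code from this thread or from Jamf), the following Python script builds the com.apple.loginwindow profile described above as a .mobileconfig and then checks an arbitrary profile to confirm that DisableFDEAutoLogin is actually set. The check exists because the value has to be a real plist boolean under a com.apple.loginwindow payload; a profile that carries the key as the string "True", or under a different payload type, is silently ignored by macOS and the FileVault pass-through login keeps bypassing Jamf Connect. The profile identifier and organization name are constructed placeholders.

```python
"""Build and validate a configuration profile that sets DisableFDEAutoLogin
(com.apple.loginwindow) so FileVault does not auto-login past the Jamf
Connect login window. Added example; not Jamf's own code."""
import plistlib
import uuid

# Constructed identifier; replace with your organization's reverse-DNS prefix.
PROFILE_ID = "com.example.disable-fde-autologin"


def build_disable_fde_autologin_profile(org="Example Org"):
    """Return a profile dict with a single com.apple.loginwindow payload."""
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",            # must apply at the system level
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Disable FileVault pass-through login",
        "PayloadOrganization": org,
        "PayloadContent": [
            {
                "PayloadType": "com.apple.loginwindow",   # the "Domain"
                "PayloadIdentifier": PROFILE_ID + ".loginwindow",
                "PayloadUUID": str(uuid.uuid4()).upper(),
                "PayloadVersion": 1,
                "PayloadDisplayName": "Login window settings",
                "DisableFDEAutoLogin": True,              # plist boolean, not "True"
            }
        ],
    }


def profile_to_bytes(profile):
    """Serialize the profile dict to XML plist bytes (.mobileconfig content)."""
    return plistlib.dumps(profile)


def fde_autologin_disabled(mobileconfig_bytes):
    """True only if a com.apple.loginwindow payload sets DisableFDEAutoLogin
    to the boolean True. A string "True" or the key in the wrong payload type
    does not count, because macOS would not honour it either."""
    profile = plistlib.loads(mobileconfig_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.loginwindow":
            continue
        if payload.get("DisableFDEAutoLogin") is True:
            return True
    return False


def build_broken_profile():
    """Constructed counter-example: key present but typed as a string."""
    profile = build_disable_fde_autologin_profile()
    profile["PayloadContent"][0]["DisableFDEAutoLogin"] = "True"
    return profile


if __name__ == "__main__":
    data = profile_to_bytes(build_disable_fde_autologin_profile())
    with open("disable_fde_autologin.mobileconfig", "wb") as fh:
        fh.write(data)
    print("good profile disables FDE auto-login:", fde_autologin_disabled(data))
    print("string-typed profile disables it:",
          fde_autologin_disabled(profile_to_bytes(build_broken_profile())))
```

Running the script writes disable_fde_autologin.mobileconfig, which you can upload to Jamf Pro as a custom profile; the checker can also be pointed at an exported profile to confirm the key survived the upload with the right type before scoping it to production machines.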

stevewood
Honored Contributor II

The Jamf Connect admin guide contains more info on the disable profile for FDE login:

https://docs.jamf.com/jamf-connect/2.3.0/administrator-guide/FileVault_Enablement_with_Jamf_Connect....