In a not entirely unexpected event, the Jamf policy to add the management account to FileVault no longer works on APFS volumes. Executing the policy shows the following in the terminal with verbose output:
Error: Added users failed error. Error adding user to FileVault: Added users failed error.
It's odd this ever worked on APFS in the first place. The management account would previously be added and show on the preboot screen, but when you checked the token status with "sysadminctl -secureTokenStatus $jamfmanagement" it would show as not authorized.
Looks like the loophole has been closed.
That would certainly do it. In our environment we would only enable the management account on demand to manipulate FileVault without user intervention. But thanks to secure token that is effectively a dead procedure for APFS volumes.
The account can be added from another account that already has a secure token assigned. I have a thread here that covers the process through a scripted event that prompts for credentials. Unfortunately this can't be automated unless you have a known account with a known password consistent across your environment.
That would be something like this:
#!/bin/sh
# Credentials of an account that already holds a secure token (techuser)
# authorize enabling one for the target account (manuser).
sysadminctl -adminUser techuser -adminPassword techpassword \
    -secureTokenOn manuser -password manuserpassword
You have to use the credentials of a user which already has a secureToken (this is going to be the 501 user on new High Sierra installs) to grant additional users secureTokens. After you grant additional users secureTokens, those additional users should in turn be able to grant secure tokens to other users.
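The grant-and-verify sequence described in the last two posts, written out as an added example script (this is not code from the thread or from Jamf). It wraps the same sysadminctl call, but first checks that the granting account actually holds a secure token, skips the grant when the target already has one, and confirms the result afterwards by parsing the status line. Assumptions: the status text "Secure token is ENABLED/DISABLED for user X" is the format observed on 10.13 and is written to stderr; the account names techuser and jamfmanagement, the password variables ADMIN_PW and TARGET_PW, and the SYSADMINCTL override are all hypothetical names chosen for the example.

```sh
#!/bin/sh
# Added example, not from the original thread: grant a secure token to the
# management account using a technician account that already holds one,
# then verify the outcome from sysadminctl's status output.
#
# Assumptions: status lines look like "Secure token is ENABLED for user X"
# (observed on 10.13) and go to stderr; passwords arrive via ADMIN_PW and
# TARGET_PW so the script itself never hard-codes them.

SYSADMINCTL="${SYSADMINCTL:-/usr/sbin/sysadminctl}"   # overridable for testing

# token_state OUTPUT -> prints ENABLED, DISABLED or UNKNOWN for a status line
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# check_token USER -> runs the status query and classifies its output
# (sysadminctl logs to stderr, hence the 2>&1)
check_token() {
    token_state "$("$SYSADMINCTL" -secureTokenStatus "$1" 2>&1)"
}

# grant_token ADMIN TARGET -> enables a secure token for TARGET using ADMIN's
# credentials; returns 0 only if TARGET holds a token afterwards.
grant_token() {
    admin="$1"
    target="$2"
    if [ -z "$ADMIN_PW" ] || [ -z "$TARGET_PW" ]; then
        echo "ADMIN_PW and TARGET_PW must be set" >&2
        return 2
    fi
    # Only a token holder can grant tokens; on a fresh install that is
    # normally the first (UID 501) account.
    if [ "$(check_token "$admin")" != ENABLED ]; then
        echo "$admin has no secure token; use an account that does" >&2
        return 1
    fi
    if [ "$(check_token "$target")" = ENABLED ]; then
        echo "$target already has a secure token, nothing to do" >&2
        return 0
    fi
    "$SYSADMINCTL" -adminUser "$admin" -adminPassword "$ADMIN_PW" \
                   -secureTokenOn "$target" -password "$TARGET_PW" 2>&1
    # Do not trust the exit code alone; re-query the status.
    [ "$(check_token "$target")" = ENABLED ]
}

# Usage on the Mac, as root:
#   ADMIN_PW='...' TARGET_PW='...' sh grant_token.sh techuser jamfmanagement
if [ $# -eq 2 ]; then
    grant_token "$1" "$2"
fi
```

The passwords still end up on sysadminctl's command line, where any local user can read them from the process table for the moment the command runs; sysadminctl accepts "-" for either password to prompt interactively instead, which closes that window but also removes the unattended operation the thread is trying to keep.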