Adding management account AND the next user to FileVault 2

matthew-c
New Contributor III

Is this possible using Casper encryption configurations, or do I have to script it using fdesetup?

Cheers

Matt

1 ACCEPTED SOLUTION

rtrouton
Release Candidate Programs Tester

You'll need to pick one option or the other and that will also be true when scripting with fdesetup. The "next user" option uses fdesetup enable -defer.

An important thing to know about the -defer option is that it enables one single user account at the time of turning on FileVault 2 encryption. The -defer option does not enable multiple user accounts and cannot be used to enable accounts once FileVault 2 encryption has been turned on.

5 REPLIES

matthew-c
New Contributor III

Ahh thanks Rich,

So I'd have to use the -defer flag or Casper's next-user configuration first, then wait until encryption is complete, then add the admin account?

sudo fdesetup add -inputplist < /path/to/filename.plist

Am I right in thinking that only the previously enabled user's password/recovery key will do for authorising the above command via the plist? Can an institutional recovery key be used somehow?

Thanks

Matt

rtrouton
Release Candidate Programs Tester

Matt,

You're correct, you will need the previously enabled user's password.

If it's available as a recovery key option, you may also be able to use the alphanumeric recovery key in the plist as that's listed as an option in the fdesetup man page. However, I have not been able to get that to work in my own testing.
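
Putting Rich's two answers together (turn FileVault 2 on with -defer for the next user, then add the management account with fdesetup add -inputplist once encryption has finished, authorising with the already enabled user's password), here is an added shell example. It is not from this thread, from Jamf or from Apple. It assumes it runs as root from a policy, that the authorising credentials are those of the account that -defer enabled, that "matt" and "mgmt" are placeholder account names, and that the fdesetup status/list output strings it parses follow the format in the fdesetup man page (the samples used to exercise the parsers are constructed, not captured from a Mac).

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder names: matt (the user
# enabled by -defer) and mgmt (the management account to add afterwards).
set -u

# Step 1: turn on FileVault 2 for the next user to log in. -defer enables
# exactly one account and writes the personal recovery key to the plist path
# given, so escrow that file and remove it afterwards. Run as root.
defer_enable() {
    fdesetup enable -defer /private/var/root/fv2_recovery.plist
}

# Step 2: decide from `fdesetup status` output whether encryption is done.
# Returns 0 only when FileVault is On and no progress line is present.
encryption_complete() {
    status="$1"
    case "$status" in
        *"Encryption in progress"*) return 1 ;;
        *"FileVault is On."*)       return 0 ;;
        *)                          return 1 ;;
    esac
}

# Step 3: `fdesetup list` prints one "user,GUID" line per enabled account.
# Return 0 when $2 is already FileVault-enabled, so the add is skipped.
user_enabled() {
    listing="$1"; user="$2"
    printf '%s\n' "$listing" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# Passwords go into an XML document, so the five XML metacharacters must be
# escaped or a password such as p<w silently produces a malformed plist.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Step 4: build the plist that `fdesetup add -inputplist` reads on stdin.
# The outer Username/Password is the already enabled user authorising the
# change (Rich's point above); AdditionalUsers carries the account to enable.
build_add_plist() {
    auth_user="$(xml_escape "$1")"; auth_pass="$(xml_escape "$2")"
    new_user="$(xml_escape "$3")";  new_pass="$(xml_escape "$4")"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>${auth_user}</string>
    <key>Password</key>
    <string>${auth_pass}</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>${new_user}</string>
            <key>Password</key>
            <string>${new_pass}</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Step 5: the whole procedure. The plist is piped rather than written to
# disk so neither password lands in a file or in the process list.
# Credentials are read from the environment here (assumption); a real
# policy would fetch them from its own secret store.
add_management_account() {
    if ! encryption_complete "$(fdesetup status)"; then
        echo "FileVault 2 encryption not complete yet; run again later" >&2
        return 1
    fi
    if user_enabled "$(fdesetup list)" "$MGMT_USER"; then
        echo "$MGMT_USER is already FileVault-enabled" >&2
        return 0
    fi
    build_add_plist "$AUTH_USER" "$AUTH_PASS" "$MGMT_USER" "$MGMT_PASS" | fdesetup add -inputplist
}

# Only touch fdesetup when explicitly asked, so the helpers can be exercised
# anywhere: FV2_RUN=1 AUTH_USER=matt AUTH_PASS=... MGMT_USER=mgmt MGMT_PASS=... sh fv2_add.sh
if [ "${FV2_RUN:-0}" = "1" ]; then
    add_management_account
fi
```

After the add succeeds, `fdesetup list` should show both accounts, and the management account should appear at the pre-boot login window on the next restart. The recovery key written by -defer is a secret of the same weight as the disk password; treat the plist it lands in accordingly.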

matthew-c
New Contributor III

Many thanks, I'll give it a go and submit a ticket to apple when it doesn't work.
Might look into prompting the user for their password, but that seems like it might be asking for trouble/confusion!

Cheers

Matt

gachowski
Valued Contributor II

I bet : ) that Jamf has asked for this already. I would ask your Jamf rep for the feature/bug ID number and then ask your Apple rep to push it.