Posted on 12-13-2023 02:25 PM
FYI: This is for newly imaged/enrolled machines only. I'm not attempting this with machines currently deployed.
Is it possible to force FileVault to enable with zero interaction from the end user? Currently we have it auto-enable during enrollment, but there is a small window that pops up that says "Turn on" or "Cancel", and they are unable to log in for the first time without selecting "Turn on". I'm hoping to skip that altogether. Since they have no option to move forward without enabling it, ideally we can force it in the background.
We have: Jamf Pro, Jamf Connect, "Automatically install PPPC" with Jamf management framework and Jamf Connect.
We currently have 2 Config Profiles that enable FV (though I'm honestly not sure which does what or if they're redundant):
Application and Custom Settings > Jamf Applications > com.jamf.connect.login > Enable FileVault: True
Security & Privacy > FileVault > Enable FileVault > Enabled (At Login)
Posted on 12-13-2023 08:22 PM
@Nate1 As things stand currently there will always be user notification of FileVault being enabled. macOS Sonoma adds the capability of enabling FileVault during Setup Assistant if you set the "Force Enable In Setup Assistant" option in your Configuration Profile with a Security and Privacy->FileVault payload. If you also suppress the Setup Assistant FileVault screen in your PreStage Enrollment settings the user will see a screen that says FileVault is being enabled but won't have an option to disable it.
01-03-2024 09:03 AM - edited 01-03-2024 09:04 AM
I haven't seen this work in practice yet with the user enrollment method. In our main deployment method, a tech logs in first, inputs some info and builds the machine. They log in with the account created in the PreStage Enrollment. In this scenario, when the tech logs in with the account Jamf created, it does show the FileVault window and turns it on.
But in test user enrollment, when the user logs in after authentication, the FileVault screen doesn't turn on and FileVault shows as off. Still looking into this issue to try to figure out why.
Posted on 12-14-2023 06:05 AM
Unfortunately this is not possible. The way Apple handles FileVault, there will always be user touch. The user must enter their keychain password to enable FileVault and in turn get a FileVault token. This is a popup after they log in or as they log out once you have the configuration profile deployed, and it cannot be suppressed.
Posted on 12-14-2023 08:09 AM
Thanks all!
I thought it was mentioned back in my Jamf 200 class a while ago that it was possible, but I guess I misheard.