a week ago
Hello,
We would like to enable FileVault when preparing our Macs, during the enrollment prestage.
We would like to know the best way to do this knowing that:
- We have a support team that pre-configures the computers.
- During the enrollment of the computers, a management account is automatically created with a random password and a local administrator account.
- During enrollment, Jamf Connect is installed.
- Once the computer is enrolled, our support team logs in to the local admin account to install applications and do some different settings according to the targets.
- Once finished, the end user will come to pick up his computer or the computer will be sent to the user.
Today, we are beginning to deploy FileVault through a configuration profile with encryption at logout.
Thank you for your help.
a week ago
The Apple-preferred way is to use a configuration profile to enable FV and to defer FV enablement until after the assigned user logs in. After so many deferrals are up, the user must enable FV. I find at log in better than at log out; at log out a user can hold the power button to get around enabling FV. At log in, if they don't enable at login, it won't let them log in.
The "correct" way to enable FV depends entirely on your organization. Our device deployment process is very similar to yours.
For us, our JAMF instance is not open to the Internet (I am working on that), and 95% of our users are remote. FileVault cannot enable if the Mac cannot talk to the MDM, and since this requires a VPN client for us, we cannot have log in or log out FV enablement. So, we enable FV with a configuration profile before the user gets the device and then use a script to give the user a FV token. To be honest, this is a very wrong way to do it, but what is correct depends on your org. I am working on getting us to Cloud, and then plan to work on 0-touch deployment and move FV enablement to at login with 3 deferrals.
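The deferred, at-login enablement described in the answer above, written out as the FileVault payload of a configuration profile. This is an added example, not a profile posted in the thread or exported from Jamf Pro; the identifier and UUID are constructed placeholders, the value 3 follows the "3 deferrals" mentioned in the answer, and the recovery key escrow payload is left out.

```xml
<!-- FileVault payload (one entry of the profile's PayloadContent array). -->
<dict>
    <key>PayloadType</key>
    <string>com.apple.MCX.FileVault2</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <!-- Placeholder identifier and UUID, constructed for this example. -->
    <key>PayloadIdentifier</key>
    <string>com.example.filevault.deferred</string>
    <key>PayloadUUID</key>
    <string>00000000-0000-0000-0000-000000000001</string>

    <!-- Turn FileVault on, but defer enablement to the user who logs in,
         so that user (not the support admin account) is the one enabled. -->
    <key>Enable</key>
    <string>On</string>
    <key>Defer</key>
    <true/>

    <!-- Prompt at login only: suppress the logout prompt, which the answer
         notes can be sidestepped by holding the power button. -->
    <key>DeferDontAskAtUserLogout</key>
    <true/>

    <!-- Number of times the user may skip the login prompt before
         enabling FileVault becomes mandatory to log in. -->
    <key>DeferForceAtUserLoginMaxBypassAttempts</key>
    <integer>3</integer>

    <!-- Generate a personal recovery key when FileVault is enabled. -->
    <key>UseRecoveryKey</key>
    <true/>
</dict>
```

After the assigned user has logged in and enabled FileVault, `fdesetup status` and `fdesetup list` on the Mac show whether encryption is on and which accounts are enabled for it.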
a week ago
Hello @AJPinto,
Thank you for your help.
I forgot to mention that we are using Jamf Cloud.
Your process of x deferrals before activation at login seems quite good.
Thank you again for answering me.