Best practice for filevault activation during prestage enrollment

glpi-ios
Contributor III

Hello,
We would like to enable FileVault when preparing our Macs, during the enrollment prestage.

We would like to know the best way to do this, knowing that:
- We have a support team that pre-configures the computers.
- During the enrollment of the computers, a management account is automatically created with a random password and a local administrator account.
- During enrollment, Jamf Connect is installed.
- Once the computer is enrolled, our support team logs in to the local admin account to install applications and do some different settings according to the targets.
- Once finished, the end user will come to pick up his computer or the computer will be sent to the user.

Today, we are beginning to deploy FileVault through a configuration profile with encryption at logout.

Thank you for your help.

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor II

The Apple preferred way is to use a configuration profile to enable FV and to defer FV enablement until after the assigned user logs in. After so many deferrals are used up, the user must enable FV. I find at login better than at logout: at logout a user can hold the power button to get around enabling FV. At login, if they don't enable it, it won't let them log in.

 

The "correct" way to enable FV depends entirely on your organization. Our device deployment process is very similar to yours.

For us our JAMF instance is not open Internet (I am working on that), and 95% of our users are remote. FileVault cannot enable if the Mac cannot talk to the MDM, and since this requires a VPN client for us we cannot have login or logout FV enablement. So, we enable FV with a configuration profile before the user gets the device and then use a script to give the user a FV token. To be honest, this is a very wrong way to do it, but what is correct depends on your org. I am working on getting us to Cloud, and then plan to work on 0-touch deployment and move FV enablement to at login with 3 deferrals.

3 REPLIES

glpi-ios
Contributor III

Hello @AJPinto ,
Thank you for your help.
I forgot to mention that we are using Jamf Cloud.

Your process of x deferrals before activation at login seems quite good.

Thank you again for answering me.

glpi-ios
Contributor III

Hi,

On the other hand, I had another question.

If I tick the 'Allow users to bypass FileVault prompts at login' box with x attempts, the problem is that our technicians, when they open the session that lets them prepare the computer, get the window offering to activate FileVault or not, with the countdown, so they do not activate FileVault at this stage.

But when the final user opens his session, the window does not appear and does not offer the possibility to activate FileVault.

In fact, here is how we work:
- A macOS computer is prepared by a technician.
- A local admin account 'admin' is created during the prestage (other than the Jamf management account).
- The technician performs several settings and installations using this 'admin' profile.
- Once finished, the computer is handed to another team in charge of giving the device to the final user and accompanying him through his first session opening (with Jamf Connect).
- This team does not know the password of the 'admin' account.

We are trying to find the best method to activate FileVault.

Thank you for your help.
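Both the accepted answer (enable FV with a profile, then give the end user a FV token by script) and the last question (a deferred prompt consumed by the technician that never reaches the end user) come down to the same pre-handover check: is FileVault on, off, or in deferred enablement, and does the end user already hold a SecureToken? The script below is an added example, not code from the thread or from Jamf. It parses the text that `fdesetup status` and `sysadminctl -secureTokenStatus` print (the sample strings and the assumed wording of the "Deferred enablement" line are constructed from typical output) and turns them into a next step; the live macOS commands only run when `RUN_FV_CHECK=1` is set, so the parsing logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): pre-handover FileVault check for the
# "enable FV via profile, then give the end user a token" flow, and for
# spotting a deferred-enablement prompt that is still pending for a user.
# Real macOS commands run only when RUN_FV_CHECK=1 (run as root on a Mac).

# Classify the text printed by `fdesetup status` into on / off / deferred / unknown.
# The deferred wording is checked first because that output also says "FileVault is Off".
fv_state() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# Classify the text printed by `sysadminctl -secureTokenStatus <user>` (it goes to stderr).
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Decide what the technician must do for the end user, given both states.
# Returns one of: ok, grant-token, wait-for-login, enable-fv, investigate
next_step() {
  fv="$1"; token="$2"
  case "$fv/$token" in
    on/enabled)  echo ok ;;             # disk encrypted, user can unlock it
    on/disabled) echo grant-token ;;    # encrypted, but this user cannot unlock it yet
    deferred/*)  echo wait-for-login ;; # the profile will prompt at that user's login
    off/*)       echo enable-fv ;;      # nothing encrypted yet
    *)           echo investigate ;;
  esac
}

# True if the user appears in `fdesetup list` output ("user,UUID" per line).
fv_user_listed() {
  printf '%s\n' "$2" | grep -q -- "^$1,"
}

# Live run: gather the real output for the end user named on the command line.
if [ "${RUN_FV_CHECK:-0}" = 1 ]; then
  user="${1:?usage: RUN_FV_CHECK=1 $0 <end-user-shortname>}"
  fv=$(fv_state "$(fdesetup status)")
  token=$(token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
  if fv_user_listed "$user" "$(fdesetup list)"; then listed=yes; else listed=no; fi
  echo "FileVault: $fv, SecureToken for $user: $token, in fdesetup list: $listed"
  echo "next step: $(next_step "$fv" "$token")"
  # The grant-token step itself (e.g. `fdesetup add -usertoadd "$user"`) still needs
  # the credentials of an existing token holder, which is the admin-password hand-off
  # problem the thread describes; it is deliberately not automated here.
fi
```

Run it as `RUN_FV_CHECK=1 sudo sh fvcheck.sh jdoe` (file name assumed) before the device leaves the technician; `wait-for-login` means the deferral prompt is still pending for someone and should be confirmed for the end user rather than the technician's account.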