Catalina - FileVault Enablement

mnickels
New Contributor III

I'm currently testing out Catalina on a VM. I have the Security & Privacy MDM profile deployed to it with the setting enabled to require FileVault.

When I reboot the VM, I am prompted for my password. It says that it will enable FileVault, but it never does - the Mac just reboots and then I go through the same process all over again.

If I enable FileVault through the local Mac settings it works fine.

Is anyone else having this issue? Any idea why the MDM setting is not enabling FileVault?


jeremyb
New Contributor II

Yes, same result with a real computer (Mid-2014 Retina). It keeps asking for the password (at logout) after each reboot and FileVault is never enabled. It's working fine if enabled manually through the Security pane.

mnickels
New Contributor III

I do see that 10.15+ requires user approved MDM for FileVault according to https://developer.apple.com/documentation/devicemanagement/fdefilevault

My VM does have user approved MDM. I have also tried removing/re-applying the configuration profile after this was approved, but I have the same result.

jordy_witteman
New Contributor III

Same here, also a policy to enable at logout doesn't seem to work. I changed the policy to enable at login which fixed the issue.
I did some further testing today using (custom) configuration profiles to enforce at login/logout because Jamf does not have support for all MDM keys/values for FileVault:
- Force at logout: FileVault not enabled
- Force at logon: FileVault enabled!

Filed a bug report with Apple for this.

For those interested I was able to enforce with the following payload content in the mobileconfig:

<key>Defer</key>
<true/>
<key>DeferDontAskAtUserLogout</key>
<true/>
<key>DeferForceAtUserLoginMaxBypassAttempts</key>
<integer>0</integer>
<key>Enable</key>
<string>On</string>
<key>PayloadDisplayName</key>
<string>FileVault 2</string>
<key>PayloadIdentifier</key>
<string>com.apple.MCX.FileVault2.84537EBB-ED32-4231-8776-F3EB98C72F96</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.MCX.FileVault2</string>
<key>PayloadUUID</key>
<string>84537EBB-ED32-4231-8776-F3EB98C72F96</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>ShowRecoveryKey</key>
<true/>
<key>UseRecoveryKey</key>
<true/>
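To turn the payload content above into a complete, installable profile and to tell apart a profile that defers at login from one that defers at logout, here is an added example (not jordy_witteman's profile; the org name and profile identifier are assumed placeholders):

```python
"""Build a complete .mobileconfig around the FileVault payload keys posted above and
classify a profile by where it defers enablement (login vs logout). Added example;
the org name and identifier are assumed placeholders."""
import plistlib
import uuid

FV_TYPE = "com.apple.MCX.FileVault2"

def filevault_payload(force_at_login=True):
    """Payload dict mirroring the keys from the post above."""
    payload_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadType": FV_TYPE,
        "PayloadIdentifier": f"{FV_TYPE}.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "FileVault 2",
        "Enable": "On",
        "Defer": True,
        # True plus a bypass count of 0 forces the prompt at login and skips logout;
        # False plus -1 is the logout-only deferral this thread reports never completes
        "DeferDontAskAtUserLogout": force_at_login,
        "DeferForceAtUserLoginMaxBypassAttempts": 0 if force_at_login else -1,
        "ShowRecoveryKey": True,
        "UseRecoveryKey": True,
    }

def build_profile(force_at_login=True):
    """Wrap the payload in a top-level Configuration profile, serialised as XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.filevault",  # assumed placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FileVault 2 - force at login",
        "PayloadOrganization": "Example Org",  # assumed placeholder
        "PayloadContent": [filevault_payload(force_at_login)],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def classify_profile(data):
    """Report how a profile defers FileVault: 'login', 'logout', 'no-deferral', or no payload."""
    fv = [p for p in plistlib.loads(data).get("PayloadContent", []) if p.get("PayloadType") == FV_TYPE]
    if not fv:
        return "no-filevault-payload"
    if not fv[0].get("Defer", False):
        return "no-deferral"
    forced = fv[0].get("DeferForceAtUserLoginMaxBypassAttempts", -1) >= 0
    return "login" if forced and fv[0].get("DeferDontAskAtUserLogout", False) else "logout"
```

Write `build_profile()` to a `.mobileconfig` file and upload it as a custom profile; run `classify_profile()` on an exported profile to confirm it is the at-login variant before scoping it.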

glopez1
New Contributor II

We also are having this issue - it's a huge bummer. Waiting until login to enable really breaks our automated enrollment flow. What's the bug report ID with Apple?

jordy_witteman
New Contributor III

@gtucker: that is FB7361976

glopez1
New Contributor II

@jordy.witteman thanks!

hansjoerg_watzl
Contributor

We had this behaviour also with non-Catalina Macs from time to time in the past and never found a solution. Did not try to change it to logon instead of logoff (which we used).

sslavieroGSMA
New Contributor III

@jordy.witteman is enabling FileVault via a Config Profile considered "Best Practice" now rather than using the Disk Encryption Configuration deployed via a Policy??

jordy_witteman
New Contributor III

@sslavieroGSMA Normally I'd prefer a config profile over a policy. But given the fact that Jamf has currently no support for DeferDontAskAtUserLogout and DeferForceAtUserLoginMaxBypassAttempts in the Security & Privacy configuration profile UI, the easiest for now seems to use a policy with 'At next login' selected.

sslavieroGSMA
New Contributor III

OK - So if I use ProfileCreator to create a Config Profile of your settings you mention above > upload that into Jamf as a Config Profile (or should I export as a Plist file and upload into a CP?).

And still have:
Config Profile --> Security & Privacy: Require FileVault 2 + Escrow Recovery Key
Policy with Disk Encryption: At Next Login

So kinda a 3 part process??

jordy_witteman
New Contributor III

@sslavieroGSMA No I mean the setup below was sufficient in my testing:
- Config profile: require FV2 + escrow
- Policy with Disk Encryption: At next login

If you’d want to use config profile without the policy, then the custom settings are needed. I also used ProfileCreator to do this. Sorry if this wasn’t clear before 🙂

bradtchapman
Valued Contributor

Our Jamf support rep sent me this thread. Has anyone seen Macs that fail to recognize any passwords or PRKs midway through the upgrade to Catalina?

brunerd
Contributor

I've seen this behavior of FileVault not enabling despite seeing the screen and all when the user is not SecureToken enabled.

sysadminctl -secureTokenStatus "$(whoami)"

The difference with enabling via the System Prefs GUI is that it'll prompt for credentials and grant you a SecureToken (this is only possible if there is no other SecureToken user on the system). Perhaps, however the VM was set up, it didn't grant it to your user?

If no other user is SecureToken enabled then you can grant it to yourself (there's a way to use stdin but I am too lazy to figure out the tortured syntax Apple makes you use):

sysadminctl -secureTokenOn "${username}" -password "${password}" -adminUser "${username}" -adminPassword "${password}"
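To check the two conditions brunerd describes (the user's SecureToken state and whether a deferred enablement is actually pending, as `fdesetup status` reports later in this thread) in one go, here is an added diagnostic script; it is not brunerd's code, and the command output it parses is the normal text of `sysadminctl -secureTokenStatus` and `fdesetup status`:

```python
"""Diagnose why an MDM-deferred FileVault enablement never completes. Added example
(not from the thread): it checks the two states discussed above, the user's SecureToken
via sysadminctl and the deferral state via fdesetup, and explains the combination."""
import getpass
import re
import subprocess
import sys

def parse_secure_token(output):
    """True/False from `sysadminctl -secureTokenStatus <user>` output, None if unrecognised."""
    m = re.search(r"Secure token is (ENABLED|DISABLED) for user", output)
    return None if m is None else m.group(1) == "ENABLED"

def parse_fdesetup_status(output):
    """FileVault state and pending deferral user from `fdesetup status` output."""
    on = re.search(r"FileVault is (On|Off)", output)
    deferred = re.search(r"Deferred enablement appears to be active for user '([^']+)'", output)
    return {"filevault_on": bool(on) and on.group(1) == "On",
            "deferred_user": deferred.group(1) if deferred else None}

def diagnose(token_enabled, status):
    """Map the two observations to the likely cause, in the order the thread found them."""
    if status["filevault_on"]:
        return "ok: FileVault is already on"
    if token_enabled is False:
        return "no-securetoken: deferred enablement cannot encrypt for this user; grant a SecureToken first"
    if status["deferred_user"] is None:
        return "no-deferral: nothing is pending; the profile or policy did not apply"
    return "deferred-pending: SecureToken and deferral are fine; if the trigger is logout, switch it to login"

def run(cmd):
    """Run a command and return stdout+stderr; sysadminctl logs its answer to stderr."""
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.stdout + p.stderr

if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("run this on the Mac being diagnosed")
    user = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    token = parse_secure_token(run(["sysadminctl", "-secureTokenStatus", user]))
    status = parse_fdesetup_status(run(["fdesetup", "status"]))  # run as root for full detail
    print(f"user={user} securetoken={token} status={status}")
    print(diagnose(token, status))
```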

SfarraCap
New Contributor

This seems to have started working again after the Catalina Supplemental update... curious if others can verify this.

Cayde-6
Valued Contributor

Hmmm how can I test on a fresh laptop....... does an internet recovery download the supplemental update too?

jordy_witteman
New Contributor III

Unfortunately I am still seeing the same behaviour and FV not being enabled on a fresh install of 10.15 with the supplemental update (19A602). It is definitely not an issue with SecureToken as this was enabled for the user I was testing with.

@SfarraCap What was your config when you had FV enabled with the supplemental update?

@Cayde-6 I guess it would, in my case I used the following to download a fresh installer that included the update for my VM

softwareupdate --fetch-full-installer --full-installer-version 10.15

JarvisUno
Contributor II

@Cayde-6 I actually tested it on a fresh install (With Supplemental Update Installed) as well and still nada!

glopez1
New Contributor II

Yeah, can confirm the supplemental Catalina update (10.15.0 19A602) did not resolve this issue yet.

neil_martin83
Contributor II

Same here with a fresh Catalina 10.15.1 VM enrolled via DEP (so UAMDM is all good) - SecureToken is there for the user account as well, but no FileVault enablement (although it tries to do it on each logout)...

JarvisUno
Contributor II

In my scenario, I was able to resolve it by changing the trigger to "Login" instead of "Logout" and noticed that it was giving me a message about talking Volumes:

Enabling FileVault on your Machine

The initial set-up may take a few minutes. The FileVault recovery key will be displayed when FileVault is ready. This may show up after this user logs out.

It's then followed by:

There was a problem enabling FileVault on your computer.
You should use System Preferences Security & Privacy to view or change FileVault.

On this machine in particular, once I glanced at Disk Utility I quickly noticed that there was a separate volume listed. Since this was a tester anyway, I booted into recovery mode, deleted that volume as well as the main Macintosh_HD volume and started from scratch.

Once it was enrolled, the user was prompted at login and the machine encrypted as intended, and much cleaner I might add as the recovery key now is never shown to the user.

neil_martin83
Contributor II

Looks like this is broken for enabling FV on logout. I ran a policy to enable at login and that worked.

Cayde-6
Valued Contributor

Problem is that a configuration profile only has the logout option for deferred.

Policy isn’t an issue by the sounds of it

gachowski
Valued Contributor II

@Cayde-6 see jordy.witteman's post in the beginning of this thread. You can create a profile that forces on login with deferred.

C

DSI
New Contributor II

Hi @jordy.witteman , how am I going to see the progress of the problem ID FB7361976 at Apple? Do you have a link? Thank you.

MatG
Contributor III

We see similar issues, reported to Apple Enterprise Support who are aware of the problem

Cayde-6
Valued Contributor

Upvote if you want those extra keys to be added into Jamf Pro

https://www.jamf.com/jamf-nation/feature-requests/9074/add-extra-filevault-2-keys-to-jamf-pro

Cayde-6
Valued Contributor

So I get an error when the profile attempts to install on a computer

The ‘FileVault Settings’ payload could not be installed. User authentication failed.

jordy_witteman
New Contributor III

@DSI It's been very quiet in FB7361976 so far 😞 I just posted it here: https://openradar.appspot.com/radar?id=4980838227771392

@Cayde-6 Voted for the feature request, thanks!

DSI
New Contributor II

Thank you @jordy.witteman

Garci4
New Contributor III

@jordy.witteman Question, are you doing "Config profile: require FV2 escrow
Policy with Disk Encryption: At next login" for all devices? Jamf support suggested just scoping this to 10.15+ and leaving the rest to just use the config profile....

Kinda sucks that Jamf is just leaving admins to figure it out... still seeing new posts about this (https://www.jamf.com/jamf-nation/discussions/34159/filevault-deployment-broken-in-catalina) - since enabling & enforcing FV2 is a requirement for some of us, an acknowledgment of the issue ahead of time would have been nice along with a detailed workaround, instead of leaving it up to the admins to be proactively involved in forums or the macadmin Slack channel to know about this and not just find out about it through end user reports or testing.

For the policy general settings, does the trigger have to be at login as well? I currently have it set to Enrollment complete.

dsardaczuk
New Contributor III

Even after the newest release of macOS 10.15.2 and Jamf Pro with JamfConnectVerify-1.2.1.pkg & JamfConnectLogin-1.7.1.pkg, it is still not possible to enable FileVault by reboot 😞
Help!!!

Cayde-6
Valued Contributor

@dsardaczuk You need to pester Apple, only they can fix the FV2 deferred at logout issue

beeboo
Contributor

settings:

Filevault payload: individual and current or next user at next login

fresh wipe and install of 10.15.2
boot to local admin, not the first account made but an account made in JSS as part of workflow
asks to enable FV > do so
sys pref > FV off
log out and log in, asks to enable now again
terminal > sudo fdesetup status shows that FV is OFF and the deferred enablement appears active for (the user I've been logging into)
run the self service policy (does the same thing)
logs out user, logs back in without reboot, asks for Enable Now
I can enable manually and it shows the Jamf repo locations and lets me store it to JAMF, but I was hoping the process would be easier/more streamlined.

EDIT:
there's a config policy tied to it
Require Fv2 is not on
but enable escrow key is to the named location (company JAMF)
auto encrypt and decrypt recovery key

EDIT 2:

a few reboots later and the key is now stored in escrow in JSS and it tells me that the machine is encrypted....

this is confusing as heck

dsardaczuk
New Contributor III

Happy new one...
is there still no fix, only workarounds?
In Mojave all works fine, only Catalina makes this problem.

beeboo
Contributor

depends what you mean by fix.

in our case, changing the workflow a little allowed us to get what we wanted, so we consider that an implemented change vs workaround.

so it really depends on how you define workaround/fix and what your process is like.

mnickels
New Contributor III

FYI, the built-in Jamf field to enable FileVault on logoff still does not work with Catalina 10.15.3. At this point, I think I'm going to give up on the configuration profile and use a policy to apply FileVault at login (which seems to work fine).

srobert
New Contributor II

There is a bug utilizing a config profile to enable FileVault for Catalina on Jamf Pro 10.15.1. You will need to enable via policy. I would also push the config profile, but utilize it to escrow keys for devices that need a recovery key regenerated. Not sure if the bug is resolved in recent releases of Jamf Pro, but we're about to upgrade to 10.18 so.. will let you know.

Cayde-6
Valued Contributor

@srobert I don’t believe this is a Jamf bug, other MDMs have the same issue.

Apple are treating it as a bug with Catalina

MatG
Contributor III

AD bound Macs, Mobile Accounts, FV and Keychain on 10.15.3 continue to be an utter mess.
It's kind of strange as Apple are continuing to support Mobile accounts by introducing bootstrap tokens but then break stuff that worked in 10.15.0.