Custom FileVault2 Config

mlitton
New Contributor II

Want to turn on FV2 with a configuration profile but not allow the end user to defer.

(i.e., select 'cancel' when the popup window appears at logout.)

I have tested, gotten help from Jamf, gotten help from MacAdmin, but I just cannot get it to work. I get 'user authentication errors' or a 'CPDomain Error 101'.

My last attempt was:
download FV2 config from Jamf
un-sign the profile and convert to XML
add these two keys to com.apple.MCX.FileVault2
<key>DeferDontAskAtUserLogout</key> <true/>
<key>DeferForceAtUserLoginMaxBypassAttempts</key> <integer>-1</integer>
re-sign with Apple Dev certificate
re-upload to Jamf and push out
then nada ..

Can anyone share their experience on how I can make this happen?

We are using JPS 10.12 and pushing profile to a 10.14.4 device with the local user having a secure token.


gachowski
Valued Contributor II

Same boat...

So mrben said it worked in the past with an older OS...

https://www.jamf.com/jamf-nation/feature-requests/6338/support-the-deferforceatuserloginmaxbypassattempts-key-in-filevault-configuration-profiles

That said I have done the same thing as you and my profiles failed to load...I didn't see the error. I was only doing the enabling part in my profile, my next step is to try with full profile with the key escrow added.

I also tried with Profile Creator and was seeing the same profile not loading.

C

PS I also just sign my profiles with the machine cert that works in apple configurator.

gachowski
Valued Contributor II

Also,

I don't think any way will get rid of the cancel on log out button. I think DeferForceAtUserLoginMaxBypassAttempts is Apple English to get FV to enable at next log in. And even then the user can select cancel. However, when they do the machine reboots back to the log in screen and they get the FV enable pop-up again over and over.

That is what we do now, with the Jamf policy, but I want to move to a profile as I think we will be forced there in 10.16 or 10.17.

C

mlitton
New Contributor II

Thanks. If I could just get DeferForceAtUserLoginMaxBypassAttempts to work for me in the config profile, that would be everything I need. Back to the drawing board 🙂

tsuet
New Contributor

Just hit the same error message, trying to enable FV2 at login with "DeferDontAskAtUserLogout".
My attempts to use DeferDontAskAtUserLogout = True resulted in the profile failing to load (via JAMF, or directly opening it on a Mac).

Until I combined it with DeferForceAtUserLoginMaxBypassAttempts = 0.
With this, I get a silent logout and a prompt to Enable at login... there's still a cancel button, but if the user hits cancel, it goes back to the login window.
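A way to generate the com.apple.MCX.FileVault2 payload discussed in this thread and sanity-check the deferral keys before signing and uploading it. This is an added example, not code from any poster or from Jamf; the org_id value is a placeholder, and the check's rules are taken from what the thread reports (DeferDontAskAtUserLogout alone failing to load, the working combination using 0).

```python
import plistlib
import uuid

FV2_TYPE = "com.apple.MCX.FileVault2"

def build_filevault_profile(dont_ask_at_logout, max_bypass_attempts, org_id="com.example.mdm"):
    """Profile dict with one FileVault2 payload; org_id is a placeholder identifier."""
    fv2 = {
        "PayloadType": FV2_TYPE, "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".filevault2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "Enable": "On",           # turn FileVault on
        "Defer": True,            # prompt the user instead of supplying admin credentials now
        "UseRecoveryKey": True,   # create a personal recovery key (escrow payload not shown)
        "ShowRecoveryKey": False,
    }
    if dont_ask_at_logout:
        fv2["DeferDontAskAtUserLogout"] = True
    if max_bypass_attempts is not None:
        fv2["DeferForceAtUserLoginMaxBypassAttempts"] = max_bypass_attempts
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
        "PayloadIdentifier": org_id + ".filevault2.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FileVault 2 (defer, force at login)",
        "PayloadContent": [fv2],
    }

def check_defer_keys(profile):
    """Warnings for deferral-key combinations this thread reports as failing to load."""
    warnings = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != FV2_TYPE:
            continue
        attempts = p.get("DeferForceAtUserLoginMaxBypassAttempts")
        if p.get("DeferDontAskAtUserLogout"):
            if not p.get("Defer"):
                warnings.append("DeferDontAskAtUserLogout requires Defer=true")
            if attempts is None:
                warnings.append("DeferDontAskAtUserLogout without DeferForceAtUserLoginMaxBypassAttempts")
            elif attempts == -1:
                warnings.append("max bypass attempts -1: the working report in this thread used 0")
        if attempts is not None and (isinstance(attempts, bool) or not isinstance(attempts, int) or attempts < -1):
            warnings.append("DeferForceAtUserLoginMaxBypassAttempts must be an integer >= -1")
    return warnings

def to_mobileconfig(profile):
    """XML plist bytes, the form that gets signed and uploaded to the MDM."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)
```

Write the bytes from to_mobileconfig() to a .mobileconfig file, then sign it as the thread describes; the check only covers the keys the posters experimented with, not the whole payload.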