DEP and FileVault

ts85
New Contributor III

The issue I'm running into is as follows:
User gets new laptop, sets up their account.
After enrollment, the user is required to reboot as per the FileVault policy.
FileVault Policy kicks off at next login, prompts for password and does the final reboot to begin encryption.
User logs in; however, during the DEP process, when our local admin account is added, it does not get set for FileVault.

I've seen that you can push a plist to the machine to enable other users, however we do not know the user set password. The FileVault policy is set ONLY for individual keys.
Is the best option to manually set a password for the management account and then have a policy to enable it for FileVault to which we can then push the plist to enable the local admin?
Or is it possible to use an institutional AND private key to then be able to push the plist to enable the admin account?


justin_smith
New Contributor III

I would remove the management/local account from FileVault and redirect the individual recovery key to the JSS via configuration profile.

duffcalifornia
Contributor

Couldn't you just set your local admin account to be the same/have the same credentials as the management account, and then enable the payload that enables the management account to unlock the disk?

ts85
New Contributor III

@duffcalifornia The management accounts were made with randomly generated passwords, but I could initiate a reset and move forward that way. I also came across a fix in the Macadmins Slack for the already deployed Macs I need to FileVault enable by re-adding the local account with FV enabled. It seems to still add as long as the recovery key is set and valid.
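The approach discussed in the original post (pushing a plist to enable another account) and in the last reply (re-adding the local admin with only the recovery key) both come down to `fdesetup add -inputplist`. The script below is an added example, not code from this thread or from Jamf: it builds the input plist in memory and feeds it to `fdesetup` over stdin so the secrets never land on disk or in the process list, and it escapes XML special characters so a generated password cannot corrupt the plist. The account names `jdoe` and `mgmtadmin`, the function names, and the placeholder secrets are all assumptions; `Username` is the already FileVault-enabled user who set up the Mac, and `Password` is either that user's password or the personal recovery key, which `fdesetup` accepts in its place.

```shell
#!/bin/sh
# Added example (not from the thread): enable a local admin account for
# FileVault with fdesetup's -inputplist mode. Run as root on a Mac where
# FileVault is already turned on. Account names and secrets are placeholders.

# Escape the XML special characters so an arbitrary password cannot break
# the plist or inject extra keys into it.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Emit the plist fdesetup expects on stdin.
#   $1 authorizing user (an account that is already FileVault-enabled)
#   $2 that user's password, or the personal recovery key in its place
#   $3 account to enable for FileVault
#   $4 that account's password
make_fdesetup_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$(xml_escape "$1")</string>
  <key>Password</key>
  <string>$(xml_escape "$2")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key>
      <string>$(xml_escape "$3")</string>
      <key>Password</key>
      <string>$(xml_escape "$4")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Returns 0 if the account already appears in `fdesetup list` (user,UUID lines).
fv_user_enabled() {
  fdesetup list 2>/dev/null | cut -d, -f1 | grep -qx "$1"
}

# Enable $3 for FileVault unless it is already enabled. The plist is piped to
# fdesetup, so neither password is written to disk or shown in `ps` output.
enable_mgmt_for_fv() {
  auth_user="$1"; auth_secret="$2"; mgmt_user="$3"; mgmt_pass="$4"
  if fv_user_enabled "$mgmt_user"; then
    echo "$mgmt_user is already FileVault-enabled"
    return 0
  fi
  make_fdesetup_plist "$auth_user" "$auth_secret" "$mgmt_user" "$mgmt_pass" \
    | fdesetup add -inputplist
}

# Example invocation, with the recovery key standing in for jdoe's password.
# Supply the secrets from your management tool's parameters, never hardcoded:
# enable_mgmt_for_fv "jdoe" "$PERSONAL_RECOVERY_KEY" "mgmtadmin" "$MGMT_PASS"
```

If the management account's password is reset first, as the last reply suggests, the same script works: pass the new password as the fourth argument. Check the exit status of `fdesetup add`; it is non-zero when the recovery key has been rotated or is otherwise no longer valid, which is the failure mode the last reply hints at.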