
Does anyone know if it's possible to disable (MCX??) the "Turn Off Filevault..." button in the FileVault 2 preference pane?

@justingrigg @jarednichols @gregneagle @golbiga

This works any way you set up FileVault. Institutional and/or Individual key.

Take the below code, put it into a plist file called com.apple.MCX.plist. Not sure if the file name really matters. I did exactly this and it's working like a champ for me. Not only does it grey out the turn off filevault button but it even stops them from running "fdesetup disable" from the terminal.

Open up or create a new Config Profile and go to Custom Settings. Name of the preference domain: "com.apple.MCX" without the quotes - DO NOT put .plist at the end.

Make sure after upload it says: "{dontAllowFDEDisable=true} "

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>dontAllowFDEDisable</key>
    <true/>
</dict>
</plist>
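A pre-upload and post-download check for the plist above, as an added example that is not part of the original post: it confirms the file still parses and that `dontAllowFDEDisable` is a real boolean true wherever it is nested. `find_key`, `check` and the `BAD` variant are constructed for illustration.

```python
import plistlib

KEY = "dontAllowFDEDisable"  # key name taken from the thread

# GOOD is the plist posted above; BAD is a constructed variant (string, not boolean).
GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>dontAllowFDEDisable</key>
    <true/>
</dict>
</plist>"""
BAD = GOOD.replace(b"<true/>", b"<string>true</string>")


def find_key(node, key=KEY, path=""):
    """Yield (path, value) for every occurrence of key, at any nesting depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}/{k}"
            if k == key:
                yield here, v
            yield from find_key(v, key, here)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from find_key(v, key, f"{path}[{i}]")


def check(data):
    """Return (ok, findings); ok only if the key exists and every hit is boolean true."""
    try:
        tree = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a plist at all
        return False, [f"not a valid plist: {exc}"]
    hits = list(find_key(tree))
    if not hits:
        return False, [f"{KEY} not found"]
    findings = [f"{p}: {type(v).__name__} {v!r}" for p, v in hits]
    return all(v is True for _, v in hits), findings


if __name__ == "__main__":
    for name, blob in (("posted plist", GOOD), ("constructed bad variant", BAD)):
        print(name, *check(blob))
```

Running `check` on the bytes of a profile exported back from the management server shows whether the key survived the round trip unchanged.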


oneloveamaru:

That's exactly the contents and function of the profile I posted over half a year ago in this thread:
https://github.com/gregneagle/profiles/blob/master/cant_disable_filevault.mobileconfig

If your process is what you have to do to get Casper to make an equivalent profile, then I'd be filing enhancement requests with JAMF. You should be able to import configuration profiles without all this drama.


@gregneagle You sent me that link originally but as I explained previously, the profile was being changed by JSS/Casper, which rendered it useless and it didn't grey out the disable filevault function. I opened a ticket and it is a bug in JSS/Casper which has been open for many many releases.

JSS/Casper actually has this functionality in their pre-compiled config profiles but again, there is a bug in it: it not only greys out the disable FileVault button but ALSO greys out the change password button, so users are unable to change their password. We use local users only, so this was a big bug for us. Again, opened defect with JAMF and still not fixed. I believe I opened it sometime in the 9.3x release. Still not fixed in 9.6x release.

I can sign it and upload it so JSS/Casper can't change it but I didn't want to do it that way.

My way, I am able to throw it right into my FileVault key redirect config profile and works perfectly.


@oneloveamaru for what it's worth I made a plist based on Greg's suggestions using com.apple.MCX and the key value of dontAllowFDEDisable=true and that seems to work and allow password changes.


The same works for me too : ) Can't remember if I made it from scratch (copied from Greg) or used "custom" in the JSS.
I do remember that it took a few tries to get it working : )

C


FWIW, Greg's profile also works for me. When I originally tried it, I also saw an odd inconsistency in how quickly it applied, but I then realized that it actually only takes effect once encryption completes, assuming you enable FV2 right away. I wish it worked more immediately, and I'm certain it's an Apple thing and not anything to do with the Config profile, but if the Mac is in a conversion state, the button stays available. Only once it's done encrypting or decrypting does it successfully apply and gray out the button. Bummer that it works that way, but it is what it is.