Disable/Restrict Filevault for students

Posted on 06-11-2015 01:53 PM - last edited on 03-04-2025 04:40 AM by kh-richa_mig
Looking for some help on FileVault2. Don't think there is a need for it with students and wary of the problems it could cause with them losing keys etc. Been looking for a way to disable/restrict the ability to enable FileVault. Am I missing it somewhere?

Posted on 06-11-2015 02:07 PM
Do your students need access to the Security & Privacy Preference Pane? If not, blocking that pref pane with a Config Profile will likely be your best defense here. There is a Configuration Profile out there that can prevent disabling FileVault once it's already on, but it won't work the other way around. If you want to actually stop them from enabling it, blocking access in the GUI may be the way to do it.
OTOH, if your students are not local admins, they probably can't get into Security & Privacy anyway since it requires an admin password to unlock it.
Of course, one other extreme way to stop it would be to remove Recovery HD from all your Macs, but I don't really recommend doing that. Recovery HD may be important to have at times when things just go haywire, so I don't think removing the partition is a great idea... but it would certainly stop FileVault from being enabled!
Posted on 06-11-2015 02:49 PM
Hi,
For all things FileVault, see rtrouton and gregneagle:
https://github.com/gregneagle/profiles/blob/master/cant_disable_filevault.mobileconfig
https://derflounder.wordpress.com
https://jamfnation.jamfsoftware.com/discussion.html?id=4567
C
Posted on 06-11-2015 03:25 PM
Sorry I didn't read your question... I agree with Mike, if you can just use a config profile to block the Security & Privacy Preference Pane.
That said, it might not be that easy, as I had an issue blocking the Profiles Preference Pane and had to do a little extra work to just block that one Preference Pane.
You have to test if you can install other Preference Panes, like Java... once you get your Preference Pane block.
C

Posted on 06-11-2015 03:46 PM
@gachowski In one of the recent updates (I forget which) JAMF added a button so you can select which pref. panes to disable, as opposed to previously it was you select which you want to enable, which is where issues with third party pref. panes came in. I'm fairly sure it shouldn't be an issue any more.
Posted on 06-11-2015 03:57 PM
Yep,
It's a new X.10 option, but it didn't work 100% in the X.10.1 : ) I think the part that made it difficult for me is that I didn't want to manage any of the other settings in the restrictions, like sharing services, so I had to make a custom profile that my Casper server didn't like : )
Apple need to remove all the sub menus in configuration profiles, and make all the profiles single settings. Yes, that would not look pretty in Mac OS X Server and would be a pain to read. But with configuration profiles it should be one setting per profile. At least on Mac OS X, easier to control, easier to change and easier to troubleshoot.
C

Posted on 06-11-2015 04:45 PM
The blacklist capability for Preference Panes came about with Mavericks, but I think it took JAMF a little while to include it in the JSS.
If you haven't seen it, you may want to read through this older article by Sam Keeley that details the new function, plus a security issue around all this that has been in existence in OS X for a number of years, even when using MCX, and I think still exists in Yosemite.
https://www.afp548.com/2013/12/16/system-preferences-profiles-in-mavericks-plus-a-security-hole/
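
The enable-list versus disable-list behaviour discussed in the posts above, as an added example that is not part of any post or of Jamf's own tooling: it builds a System Preferences restriction profile and audits whether a given profile blocks the Security & Privacy pane and in which mode. The `com.example` identifier and both UUIDs are constructed placeholders; the payload keys are assumed to follow Apple's `com.apple.systempreferences` payload.

```python
import plistlib

PREFS_PAYLOAD = "com.apple.systempreferences"    # System Preferences payload type
SECURITY_PANE = "com.apple.preference.security"  # Security & Privacy pane bundle ID


def build_profile(pane_key, panes, identifier="com.example.prefpanes"):
    """Build a mobileconfig whose pane list is stored under pane_key.

    identifier and both UUIDs are constructed placeholders, not real values.
    """
    payload = {
        "PayloadType": PREFS_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".systempreferences",
        "PayloadUUID": "00000000-0000-4000-8000-000000000002",
        pane_key: list(panes),
    }
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadDisplayName": "Preference pane restriction (example)",
        "PayloadContent": [payload],
    })


def audit_profile(data):
    """Report how a profile treats the Security & Privacy pane."""
    report = {"mode": None, "security_pane_blocked": False, "warnings": []}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != PREFS_PAYLOAD:
            continue
        if "EnabledPreferencePanes" in payload:
            # Allowlist: every pane not listed is disabled, third-party ones included.
            report["mode"] = "allowlist"
            report["security_pane_blocked"] = (
                SECURITY_PANE not in payload["EnabledPreferencePanes"])
            report["warnings"].append("allowlist also disables unlisted third-party panes")
        elif "DisabledPreferencePanes" in payload:
            # Blocklist: only the listed panes are disabled.
            report["mode"] = "blocklist"
            report["security_pane_blocked"] = (
                SECURITY_PANE in payload["DisabledPreferencePanes"])
    return report


if __name__ == "__main__":
    print(audit_profile(build_profile("DisabledPreferencePanes", [SECURITY_PANE])))
    print(audit_profile(build_profile("EnabledPreferencePanes", ["com.apple.preference.general"])))
```
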

Posted on 06-12-2015 05:00 AM
Only option I'd really like to restrict is the FileVault in the Security & Privacy pane. We'll have to discuss in-house the pros and cons of blocking the whole Security & Privacy pane. This conversation was prompted by a large number of student laptops suddenly populating a FileVault Smart Group I have after we lifted the app restriction on Yosemite. Not sure that I remember seeing any prompts during the Yosemite install process for enabling FileVault?
Posted on 06-12-2015 06:12 AM
@TomDay, we allowed some users to upgrade their 10.9.5 systems to 10.10.3 and we had a few people enable FileVault 2. If they signed into an AppleID when the setup assistant ran after the upgrade, it would then ask them if they wanted to enable FileVault 2. Since I don't normally sign into an AppleID when I set up computers, I didn't note this in my instructions to our test group, which is how some people got it enabled.

Posted on 06-12-2015 06:53 AM
Worth mentioning you could also turn on FileVault 2 key redirection. Once enabled, FileVault 2 keys will redirect and be stored on the JSS when FileVault 2 is enabled by a user.

Posted on 06-12-2015 06:55 AM
@adamcodega Wow interesting! I'll dig on Jamfnation archives for some info on redirection.

Posted on 12-13-2016 12:40 PM
Hey, @TomDay, I don't know if you solved this, but maybe check something like this out - I used this to prevent customers from turning FileVault OFF
https://www.jamf.com/jamf-nation/discussions/4567/disable-turn-off-filevault-button#responseChild75302
