Posted on 02-24-2020 04:00 PM
Is there a way to allow removal of disk encryption on a particular computer aside from scoping to exclude that particular computer?
I have this one particular computer that had its data transferred via Migration Assistant. All policies and profile work great... except individual disk encryption 10.13. Both the computer and Jamf show that disk encryption is enabled, but it's not showing the disk encryption key. I'm inclined to fix it by disabling and then re-enabling it.
Tried rebooting, recon, fdesetup changerecovery --personal, etc.
Posted on 02-24-2020 06:59 PM
Can't recall if it is still an issue or not, but I do remember Macs with the T2 security chip showing as "Encrypted", which is technically true, but it's not FileVault.
I would check in the System Prefs on the machine to see if it is actually encrypted.
I'd say the easiest way would be to exclude the individual computer from the scope of your FileVault policy and save it as "Distribute to newly assigned" and then re-add it and do the same again.
Alternatively, you could create a static group, "Remove FileVault Enforcement", and then scope the policy to exclude that particular group. Then I think all you need to do on the client machine is run jamf manage just to prompt the removal and re-installation of the Config Profile.
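A command-line version of the "is it actually FileVault?" check suggested above, as an added example that is not part of the original posts. It classifies the text printed by `fdesetup status` and `fdesetup haspersonalrecoverykey`; the function name, the result labels and the sample strings used to exercise it are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): tell apart the states discussed above
#   - FileVault on, personal recovery key (PRK) present on the volume
#   - FileVault on, no PRK (nothing for the MDM to display or escrow)
#   - FileVault off (on a T2 Mac the disk is still hardware-encrypted,
#     which inventory may report as "Encrypted")
# It cannot tell whether an existing PRK was ever escrowed to Jamf.

# classify_filevault STATUS_TEXT PRK_TEXT
#   STATUS_TEXT: output of `fdesetup status`
#   PRK_TEXT:    output of `fdesetup haspersonalrecoverykey` (true/false)
classify_filevault() {
    case $1 in
        *"in progress"*)
            # Encryption or decryption still running; re-check later.
            echo "conversion-in-progress" ;;
        *"FileVault is On"*)
            case $2 in
                true) echo "filevault-on-prk-present" ;;
                *)    echo "filevault-on-no-prk" ;;
            esac ;;
        *"FileVault is Off"*)
            echo "filevault-off" ;;
        *)
            echo "unknown" ;;
    esac
}

# On a Mac (run as root) classify the live state; elsewhere do nothing.
if command -v fdesetup >/dev/null 2>&1; then
    classify_filevault "$(fdesetup status 2>/dev/null)" \
                       "$(fdesetup haspersonalrecoverykey 2>/dev/null)"
fi
```

A result of `filevault-on-no-prk` matches the symptom in the first post: encryption is reported as enabled but there is no key to show.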
Posted on 02-25-2020 09:57 AM
Thanks Patrick. Will give it a try!
Posted on 02-26-2020 01:56 PM
It works! Thanks :)