disk encryption Yosemite FV2 for all users

tcandela
Valued Contributor II
1. I created a basic disk encryption configuration.

-- key = individual
-- enable = mgmt account

2. I created a Policy to use this configuration.

-- trigger = recurring checkin
-- management account = enabled user

Is there a way to get all the current users enabled automatically?

Where do I see the recovery key in JSS?

1 REPLY

mm2270
Legendary Contributor III

This kind of question comes up here often. Unfortunately, although fdesetup has multiple ways of adding users into FileVault, either at the time FV2 is enabled or after the fact, every one of them involves either knowing the password(s) of the account(s) being added, or asking the user to enter their password so it can be passed to fdesetup.
The reason behind this is simple. Since FileVault stores the enabled user info and passwords in the EFI layer, it's got to know what the account password is, or else the user would not be able to unlock the Mac at boot time. When a Mac boots into the FV2 login screen, it's not even booting off the OS, since the drive is still locked at that stage, so it can't read the user's account from the filesystem.

I suggest perusing Rich's blog on all his FileVault blog entries and seeing what method may work for your environment. There are also several threads here on JAMFNation that may help as well.
https://derflounder.wordpress.com/category/filevault-2/

As for where to find the Recovery key, it first needs to be picked up into the JSS computer record, so make sure a recon is being run on the Macs after FileVault is enabled. Then the key should show up in the Mac's record under the "Management" tab, in the FileVault 2 section. But your JSS account needs the authority to see the Recovery key.

Edit: added link to derflounder
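To make the reply's point concrete, here is an added example (not code from the thread, from tcandela, mm2270 or JAMF) of the after-the-fact route: adding one more local account to FileVault 2 with `fdesetup add -inputplist`. It assumes macOS with `fdesetup` on the PATH, that the plist keys (`Username`, `Password`, `AdditionalUsers`) follow Apple's documented `-inputplist` format, and that `fdesetup list` prints one `username,UUID` line per enabled user. It cannot avoid what the reply describes: the password of the account being added must be supplied, so the script expects it as an argument (collected from the user by whatever prompt your environment uses). The plist is streamed over stdin so neither password lands on disk or in `ps` output, and values are XML-escaped so a password containing `&` or `<` does not break the plist.

```shell
#!/bin/sh
# Added example: enable one extra local account for FileVault 2 via fdesetup.
# Assumes macOS; plist keys are Apple's documented fdesetup -inputplist format.

# Escape the characters that would otherwise corrupt the XML plist.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Build the plist that `fdesetup add -inputplist` reads from stdin.
# $1/$2 = an already FileVault-enabled user and its password,
# $3/$4 = the account to add and its password.
build_add_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$(xml_escape "$1")</string>
    <key>Password</key><string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key><string>$(xml_escape "$3")</string>
            <key>Password</key><string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Read `fdesetup list` output ("username,UUID" per line) on stdin and
# return 0 if $1 is already an enabled FileVault user.
fv_user_enabled() {
    cut -d, -f1 | grep -qx "$1"
}

# Enable the target account, skipping it if it is already enabled.
# $1 admin user, $2 admin password, $3 target user, $4 target password
add_fv_user() {
    if fdesetup list | fv_user_enabled "$3"; then
        echo "$3 is already FileVault-enabled" >&2
        return 0
    fi
    # Both passwords travel over the pipe, never as command-line arguments.
    build_add_plist "$1" "$2" "$3" "$4" | fdesetup add -inputplist
}
```

Usage is `add_fv_user "$mgmt_user" "$mgmt_pass" "$target_user" "$target_pass"` from a script running as root (the policy's management account, already enabled per the configuration above, is the natural first pair). After it returns, run a recon so the enabled-user list in the JSS computer record is refreshed.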