Enabling FileVault on High Sierra



My team is currently contemplating upgrading our fleet to High Sierra. So far, we seem to be having the most problems with newly imaged machines. Once High Sierra is on the new machine, we are unable to properly encrypt it. We don't receive prompts to store the key on the JSS but iCloud for some reason. Has anyone else run into this? Any insight would be great. Thanks.



You may run into one or more of these issues:
1- 10.13 requires FileVault key escrow (it is in recent versions of JSS in the FileVault setting) and does NOT need the FileVault redirection profile to store the recovery key in the JSS.
2- Imaging is not really supported by Apple with 10.13. It is (a bit) working if you deploy the same version that was previously installed. (Several reasons, but the firmware updates that are part of 10.13.x are required.)
3- FileVault can in 10.13 only be enabled by users that are created by Setup Assistant (GUI), not by users created by scripts! (Tip: SecureToken)
4- Images captured from a 'Master Mac' with tools like Imaging and DeployStudio are usually not working for APFS volumes; images created with tools like AutoDMG work better.
5- When you restore, you have to make sure to use the correct format: HFS for HDs/Fusion, APFS for SSDs.

I have successfully deployed 10.13.3 images (APFS format) created with AutoDMG to Macs that were running 10.13 (so have correct firmware), deployed using DeployStudio, but YMMV.

Search around on this forum and read the derflounder blogs, using the key points above.


@maurits - If I were to push out a config profile for this to a machine that has already been encrypted, will the profile want to encrypt the machine again, or just send the key to escrow?