Encryption - best practice

New Contributor


We are trying to enable encryption on Macs with Casper and found two ways of doing it.

It looks like it can be done either via configuration profile or via a policy. I’ve played with both and it seems that a configuration profile works more consistently. However, if we select the individual key option, which is what we want since we want to manage keys for users, during the encryption process a user is shown their encryption key. If we use a policy instead, the encryption key is not shown (which is what we want). We would use a policy based approach but it seems inconsistent.

What is the best practice in order to enable encryption with an individual recovery key (forwarded to JSS for us to manage)? Is there a way to not show the key to end-users right before the encryption happens? How does everyone have theirs setup?


Valued Contributor II

So I think if you are trying to zero touch, then you have to go with the policy on next log in. If the user doesn't enable FileVault on the log in then the machine will reboot back to the log in screen and there is no easy way to bypass the encryption...

I don't think the configuration profile has the options to do next log in; if I remember correctly it's next log out and then the user can just keep bypassing it over and over ... That said I haven't tried a custom profile set to next log in, but I would be hesitant to build a process on something that isn't supported by Apple or Jamf : )


New Contributor

Not really a zero touch but no key shown to end-users.

I got clarification from JAMF on this.

The reason that we see the key with the Configuration Profile is because the profile is essentially just going into System Preferences and checking the box to enable FileVault, which when this is done by the end user will show us the encryption key. Now with a policy, we are calling the fdesetup command and passing in parameters to encrypt the machine and send the key to the JSS. Because of the difference in how the policy calls FileVault versus how the Configuration Profile calls FileVault, we see the key with the Configuration Profile and not with the policy.

Basically if we want users not to be able to see a recovery key, we have to use a policy based approach. However this brings another issue.

Because FV2 cannot encrypt a network user, we have to convert them to a mobile user using a configuration profile. During enrollment, both the mobile user configuration and the encryption policy are applied. Because a mobile conversion requires a restart before being applied, the encryption policy fails (the user is still a Network user at this time). Unless I set the encryption policy to be ongoing and not once per user per computer, I would have to flush logs in order to reapply.

Is there an approach that can apply policies only after certain parameters are met? e.g. only apply this policy once a managed configuration X has been successfully applied.

This can probably be scripted but I wanted to see if this function is already baked into JSS.
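One way to script the gate asked about above, as an added example that is not part of this thread or of Jamf's own tooling: a policy "before" script that checks whether the console user is already a mobile (cached) account and whether FileVault is still off, and exits non-zero otherwise so that an ongoing policy simply fails and retries after the mobile-account conversion and restart. It assumes macOS with `dscl` and `fdesetup` available and that the policy treats a non-zero script exit as a failure; the `dscl` output strings in the test are constructed samples.

```bash
#!/bin/bash
# Added example, not code from the thread. Gate a FileVault-enablement policy on the
# console user already being a local or mobile (cached) account.
# Assumptions: macOS; dscl(1) and fdesetup(8) present; the calling Jamf policy treats
# a non-zero exit as failure (so an "ongoing" policy retries after the mobile conversion).

# classify_account <dscl exit status> <dscl output>
# Classifies the console user from `dscl . -read /Users/<name> AuthenticationAuthority`:
#   network - no record in the local directory node (dscl returned non-zero)
#   mobile  - local record whose AuthenticationAuthority carries ;LocalCachedUser;
#   local   - plain local account
classify_account() {
  local dscl_status="$1" dscl_output="$2"
  if [ "$dscl_status" -ne 0 ]; then
    echo network
    return
  fi
  case "$dscl_output" in
    *LocalCachedUser*) echo mobile ;;
    *) echo local ;;
  esac
}

# fv_ready <account kind> <output of `fdesetup status`>
# Returns 0 only when a policy can sensibly run fdesetup enable for this user:
# the account must be local or mobile, and FileVault must not already be on.
fv_ready() {
  local kind="$1" fv_status="$2"
  case "$fv_status" in
    *"FileVault is On"*) return 1 ;;
  esac
  [ "$kind" = local ] || [ "$kind" = mobile ]
}

main() {
  local user dscl_out dscl_rc kind fv_out
  user=$(stat -f %Su /dev/console)                      # current console user
  dscl_out=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)
  dscl_rc=$?
  kind=$(classify_account "$dscl_rc" "$dscl_out")
  fv_out=$(fdesetup status)
  if fv_ready "$kind" "$fv_out"; then
    echo "$user is a $kind account and FileVault is off: safe to enable."
    exit 0
  fi
  echo "Not ready: $user is a $kind account; $fv_out" >&2
  exit 1                                                # policy fails and will retry
}

# Only run the live checks on macOS; the functions above are usable anywhere.
case "$(uname -s)" in
  Darwin) main ;;
esac
```

Deployed as a "before" script on the encryption policy, the policy log then shows "Not ready" entries on the first enrollment pass and a success once the user has logged back in as a mobile account.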

Honored Contributor III

@Vitamin-Z hmm. I wonder if you're AD bound & if so could have a different set of bind settings for these to-be-encrypted Macs..

These settings would create a mobile account @ login & therefore streamline the process some.

Contributor III